teslacrypt | b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe
Size

376KB
MD5

b09aca00a8dcded70eeac6ec2b497e60
SHA1

9247ba9335b88b4fc1d8febed66e92e4aad8317c
SHA256

b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29
SHA512

f3c2a80cb592a721f454773f8aed5ba09b96641325effaa92821be9a3d80e99522100610c10ce9d4dd8ab97a60f182b9e9a3a7d1dd18505658858dcb30ccef02
SSDEEP

6144:J+lMnaN9yLmfyoZjcbxstF8cIxnTYI4LVmKJ7t2AQeRi:8TN9xyomFstF8conTCLVzTZRi

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+khwmh.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/2DEAA8594E43CB47 2. http://tes543berda73i48fsdfsd.keratadze.at/2DEAA8594E43CB47 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2DEAA8594E43CB47 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/2DEAA8594E43CB47 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/2DEAA8594E43CB47 http://tes543berda73i48fsdfsd.keratadze.at/2DEAA8594E43CB47 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2DEAA8594E43CB47 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/2DEAA8594E43CB47

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/2DEAA8594E43CB47

http://tes543berda73i48fsdfsd.keratadze.at/2DEAA8594E43CB47

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2DEAA8594E43CB47

http://xlowfznrg4wf7dli.ONION/2DEAA8594E43CB47

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	aieekmglkvka.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+khwmh.png	aieekmglkvka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+khwmh.png	aieekmglkvka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+khwmh.html	aieekmglkvka.exe

Executes dropped EXE 2 IoCs

pid	Process
3640	aieekmglkvka.exe
2352	aieekmglkvka.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eahkngdhuuau = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\aieekmglkvka.exe\""	aieekmglkvka.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 3076	2124	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	98
PID 3640 set thread context of 2352	3640	aieekmglkvka.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\Recovery+khwmh.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-200.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-100.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-64.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\Recovery+khwmh.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-40_altform-unplated.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-unplated.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-200.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\MedTile.scale-100.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-150_contrast-white.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-400_contrast-black.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-200.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Recovery+khwmh.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Recovery+khwmh.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-100.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_MouseNose.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-1.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-white.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\Recovery+khwmh.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-96.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-100.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-100.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	aieekmglkvka.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-20.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-100.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32_altform-lightunplated.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\LargeTile.scale-100.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-20.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\Recovery+khwmh.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-300.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\Recovery+khwmh.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\Recovery+khwmh.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-400.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-32.png	aieekmglkvka.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\Recovery+khwmh.txt	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Recovery+khwmh.html	aieekmglkvka.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-100.png	aieekmglkvka.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\aieekmglkvka.exe	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe
File opened for modification	C:\Windows\aieekmglkvka.exe	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aieekmglkvka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aieekmglkvka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	aieekmglkvka.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1260	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe
2352	aieekmglkvka.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe
Token: SeDebugPrivilege	2352	aieekmglkvka.exe
Token: SeIncreaseQuotaPrivilege	3652	WMIC.exe
Token: SeSecurityPrivilege	3652	WMIC.exe
Token: SeTakeOwnershipPrivilege	3652	WMIC.exe
Token: SeLoadDriverPrivilege	3652	WMIC.exe
Token: SeSystemProfilePrivilege	3652	WMIC.exe
Token: SeSystemtimePrivilege	3652	WMIC.exe
Token: SeProfSingleProcessPrivilege	3652	WMIC.exe
Token: SeIncBasePriorityPrivilege	3652	WMIC.exe
Token: SeCreatePagefilePrivilege	3652	WMIC.exe
Token: SeBackupPrivilege	3652	WMIC.exe
Token: SeRestorePrivilege	3652	WMIC.exe
Token: SeShutdownPrivilege	3652	WMIC.exe
Token: SeDebugPrivilege	3652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3652	WMIC.exe
Token: SeRemoteShutdownPrivilege	3652	WMIC.exe
Token: SeUndockPrivilege	3652	WMIC.exe
Token: SeManageVolumePrivilege	3652	WMIC.exe
Token: 33	3652	WMIC.exe
Token: 34	3652	WMIC.exe
Token: 35	3652	WMIC.exe
Token: 36	3652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3652	WMIC.exe
Token: SeSecurityPrivilege	3652	WMIC.exe
Token: SeTakeOwnershipPrivilege	3652	WMIC.exe
Token: SeLoadDriverPrivilege	3652	WMIC.exe
Token: SeSystemProfilePrivilege	3652	WMIC.exe
Token: SeSystemtimePrivilege	3652	WMIC.exe
Token: SeProfSingleProcessPrivilege	3652	WMIC.exe
Token: SeIncBasePriorityPrivilege	3652	WMIC.exe
Token: SeCreatePagefilePrivilege	3652	WMIC.exe
Token: SeBackupPrivilege	3652	WMIC.exe
Token: SeRestorePrivilege	3652	WMIC.exe
Token: SeShutdownPrivilege	3652	WMIC.exe
Token: SeDebugPrivilege	3652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3652	WMIC.exe
Token: SeRemoteShutdownPrivilege	3652	WMIC.exe
Token: SeUndockPrivilege	3652	WMIC.exe
Token: SeManageVolumePrivilege	3652	WMIC.exe
Token: 33	3652	WMIC.exe
Token: 34	3652	WMIC.exe
Token: 35	3652	WMIC.exe
Token: 36	3652	WMIC.exe
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1052	WMIC.exe
Token: SeSecurityPrivilege	1052	WMIC.exe
Token: SeTakeOwnershipPrivilege	1052	WMIC.exe
Token: SeLoadDriverPrivilege	1052	WMIC.exe
Token: SeSystemProfilePrivilege	1052	WMIC.exe
Token: SeSystemtimePrivilege	1052	WMIC.exe
Token: SeProfSingleProcessPrivilege	1052	WMIC.exe
Token: SeIncBasePriorityPrivilege	1052	WMIC.exe
Token: SeCreatePagefilePrivilege	1052	WMIC.exe
Token: SeBackupPrivilege	1052	WMIC.exe
Token: SeRestorePrivilege	1052	WMIC.exe
Token: SeShutdownPrivilege	1052	WMIC.exe
Token: SeDebugPrivilege	1052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1052	WMIC.exe
Token: SeRemoteShutdownPrivilege	1052	WMIC.exe
Token: SeUndockPrivilege	1052	WMIC.exe
Token: SeManageVolumePrivilege	1052	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3076	2124	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	98
PID 2124 wrote to memory of 3076	2124	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	98
PID 2124 wrote to memory of 3076	2124	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	98
PID 2124 wrote to memory of 3076	2124	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	98
PID 2124 wrote to memory of 3076	2124	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	98
PID 2124 wrote to memory of 3076	2124	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	98
PID 2124 wrote to memory of 3076	2124	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	98
PID 2124 wrote to memory of 3076	2124	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	98
PID 2124 wrote to memory of 3076	2124	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	98
PID 2124 wrote to memory of 3076	2124	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	98
PID 3076 wrote to memory of 3640	3076	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	99
PID 3076 wrote to memory of 3640	3076	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	99
PID 3076 wrote to memory of 3640	3076	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	99
PID 3076 wrote to memory of 3876	3076	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	100
PID 3076 wrote to memory of 3876	3076	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	100
PID 3076 wrote to memory of 3876	3076	b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe	100
PID 3640 wrote to memory of 2352	3640	aieekmglkvka.exe	103
PID 3640 wrote to memory of 2352	3640	aieekmglkvka.exe	103
PID 3640 wrote to memory of 2352	3640	aieekmglkvka.exe	103
PID 3640 wrote to memory of 2352	3640	aieekmglkvka.exe	103
PID 3640 wrote to memory of 2352	3640	aieekmglkvka.exe	103
PID 3640 wrote to memory of 2352	3640	aieekmglkvka.exe	103
PID 3640 wrote to memory of 2352	3640	aieekmglkvka.exe	103
PID 3640 wrote to memory of 2352	3640	aieekmglkvka.exe	103
PID 3640 wrote to memory of 2352	3640	aieekmglkvka.exe	103
PID 3640 wrote to memory of 2352	3640	aieekmglkvka.exe	103
PID 2352 wrote to memory of 3652	2352	aieekmglkvka.exe	104
PID 2352 wrote to memory of 3652	2352	aieekmglkvka.exe	104
PID 2352 wrote to memory of 1260	2352	aieekmglkvka.exe	110
PID 2352 wrote to memory of 1260	2352	aieekmglkvka.exe	110
PID 2352 wrote to memory of 1260	2352	aieekmglkvka.exe	110
PID 2352 wrote to memory of 1160	2352	aieekmglkvka.exe	111
PID 2352 wrote to memory of 1160	2352	aieekmglkvka.exe	111
PID 1160 wrote to memory of 4388	1160	msedge.exe	112
PID 1160 wrote to memory of 4388	1160	msedge.exe	112
PID 2352 wrote to memory of 1052	2352	aieekmglkvka.exe	113
PID 2352 wrote to memory of 1052	2352	aieekmglkvka.exe	113
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116
PID 1160 wrote to memory of 2252	1160	msedge.exe	116

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	aieekmglkvka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aieekmglkvka.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe
"C:\Users\Admin\AppData\Local\Temp\b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe
  "C:\Users\Admin\AppData\Local\Temp\b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29N.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\aieekmglkvka.exe
    C:\Windows\aieekmglkvka.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\aieekmglkvka.exe
      C:\Windows\aieekmglkvka.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2352
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccc0046f8,0x7ffccc004708,0x7ffccc004718
        6⤵
        
        PID:4388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,3374344901798590102,8728050091857338868,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
        6⤵
        
        PID:2252
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,3374344901798590102,8728050091857338868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
        6⤵
        
        PID:1108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,3374344901798590102,8728050091857338868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
        6⤵
        
        PID:2824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3374344901798590102,8728050091857338868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
        6⤵
        
        PID:1408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3374344901798590102,8728050091857338868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        
        PID:3260
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,3374344901798590102,8728050091857338868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
        6⤵
        
        PID:4708
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,3374344901798590102,8728050091857338868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
        6⤵
        
        PID:4420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3374344901798590102,8728050091857338868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
        6⤵
        
        PID:3008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3374344901798590102,8728050091857338868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
        6⤵
        
        PID:3876
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3374344901798590102,8728050091857338868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
        6⤵
        
        PID:3772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,3374344901798590102,8728050091857338868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
        6⤵
        
        PID:308
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\AIEEKM~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B45AE8~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+khwmh.html

Filesize
11KB

MD5
1fcfe9a2e958f7027bfa2b3637fb3130

SHA1
38403bbfc4f3d0cd62e91f2824f3d3ae70048b0a

SHA256
e9322c893d8efa6836c8860e315086a41f98645b8797f36c58ba67700dd0023b

SHA512
0131a24c2b8aa54adfe3c4a5ccebeaa772a6bb5a36093d48c3281b036eeab23eda57465744fdaec7c3eae1acfe9a50096d7e1a76143970a8744af983634db0f3

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+khwmh.png

Filesize
64KB

MD5
b42a22b95232685e062ea2c0aded3b9d

SHA1
8f0b4418d4523b007d3deebeee2952a643633796

SHA256
4c38897ed6e4252e14fc0f14ccd19507c16c50a6254eeb79c075cda4a8e83be9

SHA512
4e12c2d89c137878d7bced60a19ea6cea0ec2682ae6f8b8caba11d8b9c8da2b00328a2d262779218c59792e91a32b3d025e3cf1690756d6cb0d959d934e609d6

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+khwmh.txt

Filesize
1KB

MD5
588de7159ec45c37824fc4726a766647

SHA1
97bee2cb12cd5893028501a93b8f4cd678ccd8ef

SHA256
7b100bd451b1c367fcc7c66f1c0543e0b9bfa0379905efaf6e7d582fbc86e11f

SHA512
24d526fd40d2e40a169883ece11955ae2809acd47954b81062ac23adc437092758c654777e7e05828da3b6d2512e5ca7af5267208d4484102c1a391097c37861

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
447527cd555d7884d0741a4749b663cd

SHA1
165177c964f4fc63e5a8a04074a75f103510ca8c

SHA256
6df421f27f3bdc1893bb9f19f2d6b6c8bc02d165d9101d95b499ed2e5243b35a

SHA512
142e8a590c2ef99600f25ad6f4835fe8c9d9fda9494745a590374df57a79069d43e9eb14a53cc65db512a49176f8288526489826cbd038d7f7aa44fed41713ed

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
525311799225cda9f82e85ecc290aede

SHA1
f12ab8b8c9ea921cdbb94232daae405d882d2274

SHA256
2128b258d552ff107ea68789d35f8e709cb1fbf2711b1ad71b179b45cf2793d1

SHA512
4e548e770ca4e518428f342afdc2a32326a766275be5263846cc2a549b0d3d9667cde17f86e4c2c22717f72219e1a7d629b0f10f8746e6f29e0b867627bb5f5c

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
f8e409f852148383e908c9b7d01abb8a

SHA1
4de3b44ad75c99fc80206457349b46880728632d

SHA256
5b762edee7a6ccd219a69c2479a871a8636c623452486dfeba2a6ade12b105e7

SHA512
dfcbfcb772cdd371ea7f6d31f7275c3477b673b809245b8704ae5b5d7c2012125334536657c1affe16fb9c55862f6ad0f70cb3a0b3c433c47338cdba991342a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4defb9d647fbc950f899a9476750abe7

SHA1
00bbc8894711d2be69b358f735e1d468c24df597

SHA256
e8f19b79463fad01e14a953f3ba7651ef9e13181b767c1e5c549436e0c537a08

SHA512
d162b642ed850aabc6f5d22e1a51a0b5e46d1c9bb5cb7517cd840f20f400c82ed529faa0aa1a017784e8ab191eca8644b6a0b27731eb8871ffaf5838ab9f591b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662192103813.txt

Filesize
77KB

MD5
8145f5228fd1cc78bd311d251e75bd02

SHA1
851bd2b08425ac5badcc21cbaf3ccc1a5165172d

SHA256
3c25d49b038a2edfe02551639b94f4e96fe50431f44f1745386bde36b5ff9364

SHA512
d26b950c310869f6f621c7f441df9ec57d7c1bd088d6c224c9d8d3e5ca184b94b97ae521cbfa648e4834a298116bc8dd72ceb0d3d273ea20f4d368bd9ab5bb86

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663401899668.txt

Filesize
47KB

MD5
cea313ad815ee69c34c306aa92dfa52e

SHA1
6484d91df6f74105c5465c610b89e43b6717a837

SHA256
d418782eaee2ed76a437b2df7de9a6c9d4a1e95e821db958a7ec0b369b04b3ed

SHA512
3c3445d0a3063c7e6757628fdcd3d4e210d3015cd9ae79d770490a4acc37c7ef47513b1d25bbebb481729a98403430260f9619cd3de7b4d1e27924e0b4588f1a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt

Filesize
74KB

MD5
181e627d4a5826dcf71de6b07fb920dc

SHA1
5db535e1bb48f488904fc50fd9bf936a2d31b269

SHA256
7a08e65d0a91e5d7f39b3f05d31445f64677f4ac4d35364a5f5141358e4c8efa

SHA512
915b8ce5ccaf911fd5dbc8cf17cab3d603409400fa5e1ba666753083af19626184ccceb9af79b0feb9f1439359d44458515772f74aea8e012a2fab227fe152bc

Download Submit
C:\Windows\aieekmglkvka.exe

Filesize
376KB

MD5
b09aca00a8dcded70eeac6ec2b497e60

SHA1
9247ba9335b88b4fc1d8febed66e92e4aad8317c

SHA256
b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29

SHA512
f3c2a80cb592a721f454773f8aed5ba09b96641325effaa92821be9a3d80e99522100610c10ce9d4dd8ab97a60f182b9e9a3a7d1dd18505658858dcb30ccef02

Download Submit
memory/2124-0-0x0000000000B70000-0x0000000000B73000-memory.dmp

Filesize
12KB

Download
memory/2124-5-0x0000000000B70000-0x0000000000B73000-memory.dmp

Filesize
12KB

Download
memory/2124-1-0x0000000000B70000-0x0000000000B73000-memory.dmp

Filesize
12KB

Download
memory/2352-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-9069-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-2078-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-2661-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-2668-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-5544-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-10803-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-10731-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-10732-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-10740-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-10741-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3076-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3076-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3076-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3076-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3076-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3640-12-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download