teslacrypt | 51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2022 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe
Size

424KB
MD5

3dd36cf8bf728d5b1810c99042fbe1c5
SHA1

a053513f4baacbe8cf8c9d637a19a5a08a3300ea
SHA256

51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf
SHA512

17487df6e4c8796eff4371fb9205fc63e40ec9d481226089e7170b467f25bb96803c30f196b5a24f2a0730b0bd7915f68dbf98da5befc9bdfb4caaa9340ecec2

Score

10^/10

teslacrypt persistence ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2783062828-828903012-4218294845-1000\_RECoVERY_+ncctx.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/C5161E3042667B7A 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C5161E3042667B7A 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C5161E3042667B7A If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/C5161E3042667B7A 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/C5161E3042667B7A http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C5161E3042667B7A http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C5161E3042667B7A *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/C5161E3042667B7A

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/C5161E3042667B7A

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C5161E3042667B7A

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C5161E3042667B7A

http://xlowfznrg4wf7dli.ONION/C5161E3042667B7A

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\_RECoVERY_+ncctx.html

Ransom Note

NOT YOUR LANGUAGE? USE Google Translate What happened to your files? of your files were protected by a strong encryption with AES More information about the encryption AES can be found https://en.wikipedia.org/wiki/AES at does this mean? his means that the structure and data within your files have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them How did this happen? Especially for you, on our SERVER was generated the secret key All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program which is on our Secret Server!!! at do I do? do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed If you really need your data, then we suggest you do not waste valuable time searching for other solutions becausen they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://yyre45dbvn2nhbefbmh.begumvelic.at/C5161E3042667B7A 2 - http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C5161E3042667B7A 3 - http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C5161E3042667B7A If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser and wait for initialization. 3 - Type in the tor-browser address bar: xlowfznrg4wf7dli.onion/C5161E3042667B7A 4 - Follow the instructions on the site. !!! IMPORTANT INFORMATION: Your Personal PAGES : http://yyre45dbvn2nhbefbmh.begumvelic.at/C5161E3042667B7A http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C5161E3042667B7A http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C5161E3042667B7A Your Personal TOR-Browser page : xlowfznrg4wf7dli.onion/C5161E3042667B7A Your personal ID (if you open the site directly):

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/C5161E3042667B7A

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C5161E3042667B7A

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C5161E3042667B7A

http://xlowfznrg4wf7dli.onion/C5161E3042667B7A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

Processes:

tfnsceiycgyb.exe

pid	Process
4288	tfnsceiycgyb.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

tfnsceiycgyb.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\BackupComplete.raw => C:\Users\Admin\Pictures\BackupComplete.raw.mp3	tfnsceiycgyb.exe
File renamed	C:\Users\Admin\Pictures\BlockSplit.png => C:\Users\Admin\Pictures\BlockSplit.png.mp3	tfnsceiycgyb.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exetfnsceiycgyb.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation	51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation	tfnsceiycgyb.exe

Drops startup file 6 IoCs

Processes:

tfnsceiycgyb.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ncctx.txt	tfnsceiycgyb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ncctx.txt	tfnsceiycgyb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exetfnsceiycgyb.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Windows\CurrentVersion\Run	tfnsceiycgyb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unokycipnehv = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\tfnsceiycgyb.exe\""	tfnsceiycgyb.exe

Drops file in Program Files directory 64 IoCs

Processes:

tfnsceiycgyb.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-100.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-400.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-150_contrast-white.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-100.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-250.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AttachmentPlaceholder-Dark.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-100.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-36_altform-lightunplated.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-125_contrast-black.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\SmallTile.scale-125.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\MapLightTheme.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-100.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_RECoVERY_+ncctx.txt	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_RECoVERY_+ncctx.txt	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_SmallTile.scale-125.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\UserControls\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-400.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-150.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\SmallTile.scale-100.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\styles.css	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketchAppService\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-40_altform-unplated.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32_contrast-white.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyShare.scale-125.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\_RECoVERY_+ncctx.txt	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_RECoVERY_+ncctx.txt	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-150.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\_RECoVERY_+ncctx.txt	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-400.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-200.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-200.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-96_contrast-white.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Eye.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-32_altform-lightunplated.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_altform-lightunplated.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-125.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-300.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\MedTile.scale-125_contrast-black.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-125.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\189.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\Bundle\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+ncctx.html	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	tfnsceiycgyb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.AdomdClient\13.0.0.0__89845DCD8080CC91\_RECoVERY_+ncctx.png	tfnsceiycgyb.exe

Drops file in Windows directory 2 IoCs

Processes:

51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe

description	ioc	Process
File created	C:\Windows\tfnsceiycgyb.exe	51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe
File opened for modification	C:\Windows\tfnsceiycgyb.exe	51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

Processes:

tfnsceiycgyb.exemsedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000_Classes\Local Settings	tfnsceiycgyb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
4900	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tfnsceiycgyb.exe

pid	Process
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe
4288	tfnsceiycgyb.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid	Process
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exetfnsceiycgyb.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	5068	51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe
Token: SeDebugPrivilege	4288	tfnsceiycgyb.exe
Token: SeIncreaseQuotaPrivilege	4436	WMIC.exe
Token: SeSecurityPrivilege	4436	WMIC.exe
Token: SeTakeOwnershipPrivilege	4436	WMIC.exe
Token: SeLoadDriverPrivilege	4436	WMIC.exe
Token: SeSystemProfilePrivilege	4436	WMIC.exe
Token: SeSystemtimePrivilege	4436	WMIC.exe
Token: SeProfSingleProcessPrivilege	4436	WMIC.exe
Token: SeIncBasePriorityPrivilege	4436	WMIC.exe
Token: SeCreatePagefilePrivilege	4436	WMIC.exe
Token: SeBackupPrivilege	4436	WMIC.exe
Token: SeRestorePrivilege	4436	WMIC.exe
Token: SeShutdownPrivilege	4436	WMIC.exe
Token: SeDebugPrivilege	4436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4436	WMIC.exe
Token: SeRemoteShutdownPrivilege	4436	WMIC.exe
Token: SeUndockPrivilege	4436	WMIC.exe
Token: SeManageVolumePrivilege	4436	WMIC.exe
Token: 33	4436	WMIC.exe
Token: 34	4436	WMIC.exe
Token: 35	4436	WMIC.exe
Token: 36	4436	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4436	WMIC.exe
Token: SeSecurityPrivilege	4436	WMIC.exe
Token: SeTakeOwnershipPrivilege	4436	WMIC.exe
Token: SeLoadDriverPrivilege	4436	WMIC.exe
Token: SeSystemProfilePrivilege	4436	WMIC.exe
Token: SeSystemtimePrivilege	4436	WMIC.exe
Token: SeProfSingleProcessPrivilege	4436	WMIC.exe
Token: SeIncBasePriorityPrivilege	4436	WMIC.exe
Token: SeCreatePagefilePrivilege	4436	WMIC.exe
Token: SeBackupPrivilege	4436	WMIC.exe
Token: SeRestorePrivilege	4436	WMIC.exe
Token: SeShutdownPrivilege	4436	WMIC.exe
Token: SeDebugPrivilege	4436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4436	WMIC.exe
Token: SeRemoteShutdownPrivilege	4436	WMIC.exe
Token: SeUndockPrivilege	4436	WMIC.exe
Token: SeManageVolumePrivilege	4436	WMIC.exe
Token: 33	4436	WMIC.exe
Token: 34	4436	WMIC.exe
Token: 35	4436	WMIC.exe
Token: 36	4436	WMIC.exe
Token: SeBackupPrivilege	4232	vssvc.exe
Token: SeRestorePrivilege	4232	vssvc.exe
Token: SeAuditPrivilege	4232	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4888	WMIC.exe
Token: SeSecurityPrivilege	4888	WMIC.exe
Token: SeTakeOwnershipPrivilege	4888	WMIC.exe
Token: SeLoadDriverPrivilege	4888	WMIC.exe
Token: SeSystemProfilePrivilege	4888	WMIC.exe
Token: SeSystemtimePrivilege	4888	WMIC.exe
Token: SeProfSingleProcessPrivilege	4888	WMIC.exe
Token: SeIncBasePriorityPrivilege	4888	WMIC.exe
Token: SeCreatePagefilePrivilege	4888	WMIC.exe
Token: SeBackupPrivilege	4888	WMIC.exe
Token: SeRestorePrivilege	4888	WMIC.exe
Token: SeShutdownPrivilege	4888	WMIC.exe
Token: SeDebugPrivilege	4888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4888	WMIC.exe
Token: SeRemoteShutdownPrivilege	4888	WMIC.exe
Token: SeUndockPrivilege	4888	WMIC.exe
Token: SeManageVolumePrivilege	4888	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid	Process
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exetfnsceiycgyb.exemsedge.exe

description	pid	Process	procid_target
PID 5068 wrote to memory of 4288	5068	51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe	79
PID 5068 wrote to memory of 4288	5068	51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe	79
PID 5068 wrote to memory of 4288	5068	51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe	79
PID 5068 wrote to memory of 4472	5068	51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe	80
PID 5068 wrote to memory of 4472	5068	51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe	80
PID 5068 wrote to memory of 4472	5068	51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe	80
PID 4288 wrote to memory of 4436	4288	tfnsceiycgyb.exe	82
PID 4288 wrote to memory of 4436	4288	tfnsceiycgyb.exe	82
PID 4288 wrote to memory of 4900	4288	tfnsceiycgyb.exe	87
PID 4288 wrote to memory of 4900	4288	tfnsceiycgyb.exe	87
PID 4288 wrote to memory of 4900	4288	tfnsceiycgyb.exe	87
PID 4288 wrote to memory of 2508	4288	tfnsceiycgyb.exe	88
PID 4288 wrote to memory of 2508	4288	tfnsceiycgyb.exe	88
PID 2508 wrote to memory of 1540	2508	msedge.exe	89
PID 2508 wrote to memory of 1540	2508	msedge.exe	89
PID 4288 wrote to memory of 4888	4288	tfnsceiycgyb.exe	90
PID 4288 wrote to memory of 4888	4288	tfnsceiycgyb.exe	90
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 3376	2508	msedge.exe	94
PID 2508 wrote to memory of 4580	2508	msedge.exe	95
PID 2508 wrote to memory of 4580	2508	msedge.exe	95
PID 2508 wrote to memory of 3368	2508	msedge.exe	97
PID 2508 wrote to memory of 3368	2508	msedge.exe	97
PID 2508 wrote to memory of 3368	2508	msedge.exe	97
PID 2508 wrote to memory of 3368	2508	msedge.exe	97
PID 2508 wrote to memory of 3368	2508	msedge.exe	97

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

tfnsceiycgyb.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tfnsceiycgyb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tfnsceiycgyb.exe

C:\Users\Admin\AppData\Local\Temp\51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe
"C:\Users\Admin\AppData\Local\Temp\51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\tfnsceiycgyb.exe
  C:\Windows\tfnsceiycgyb.exe
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4288
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa1f8546f8,0x7ffa1f854708,0x7ffa1f854718
      4⤵
      PID:1540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16683718597827411866,3029878299708544858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:3376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,16683718597827411866,3029878299708544858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
      4⤵
      PID:4580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,16683718597827411866,3029878299708544858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 /prefetch:8
      4⤵
      PID:3368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16683718597827411866,3029878299708544858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
      4⤵
      PID:2220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16683718597827411866,3029878299708544858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
      4⤵
      PID:2756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,16683718597827411866,3029878299708544858,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5224 /prefetch:8
      4⤵
      PID:4360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,16683718597827411866,3029878299708544858,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5312 /prefetch:8
      4⤵
      PID:1188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16683718597827411866,3029878299708544858,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
      4⤵
      PID:4092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16683718597827411866,3029878299708544858,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
      4⤵
      PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16683718597827411866,3029878299708544858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
      4⤵
      PID:2440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      PID:3820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6e16f5460,0x7ff6e16f5470,0x7ff6e16f5480
        5⤵
        
        PID:684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16683718597827411866,3029878299708544858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
      4⤵
      PID:3952
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TFNSCE~1.EXE
    3⤵
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\51891B~1.EXE
  2⤵
  PID:4472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\_RECoVERY_+ncctx.html

Filesize
11KB

MD5
35ea6aecb15bb0f64d491a8d09b57744

SHA1
39a02855e2cf407afb868050dfe7d813f461e992

SHA256
2a6190ec21cad39a003a1cda7ceb38c0bcf0996769658354fe212590c978c93b

SHA512
a06f62c98731b83b95d7dbd192113275c3f2ff30ad7728a73c7dd48dc457ea2283da8486f0557358b5b4301345215b8f2b0430f74efc6909e16515c5c126e42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\_RECoVERY_+ncctx.png

Filesize
63KB

MD5
12f18c1abe375244f8190e20d79cbfe6

SHA1
d9474160ae3641c067883b3365604f1234371f1f

SHA256
f7146693f03920044012fa377eab653884db9ddd835a16b8f0160ce3d4dcaebb

SHA512
f4461022a932e80939e5adf748e43a944114bf1d5987ba9a3db64958731bc1f776574662e2bd61eae71317715f2e51616b5929999322be689f534715a2fbe51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\_RECoVERY_+ncctx.txt

Filesize
1KB

MD5
2e08f5c69881b92ddc0624da6cf48d7a

SHA1
81d99c069a7b65f79101391927b30769eb601561

SHA256
8ad2a7cfa8227f6f94b0a4e1598ad07952cdb0b3efa2665097cc566d7c1d7c5c

SHA512
e48510d41c6fbdaccb95be61b64b1f2d8a004003c34d34c5608e8746fb2848227d9b2761b385d37e067452067d2258d9689c63d17c73aaf0d043934b24b45b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\_RECoVERY_+ncctx.html

Filesize
11KB

MD5
35ea6aecb15bb0f64d491a8d09b57744

SHA1
39a02855e2cf407afb868050dfe7d813f461e992

SHA256
2a6190ec21cad39a003a1cda7ceb38c0bcf0996769658354fe212590c978c93b

SHA512
a06f62c98731b83b95d7dbd192113275c3f2ff30ad7728a73c7dd48dc457ea2283da8486f0557358b5b4301345215b8f2b0430f74efc6909e16515c5c126e42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\_RECoVERY_+ncctx.png

Filesize
63KB

MD5
12f18c1abe375244f8190e20d79cbfe6

SHA1
d9474160ae3641c067883b3365604f1234371f1f

SHA256
f7146693f03920044012fa377eab653884db9ddd835a16b8f0160ce3d4dcaebb

SHA512
f4461022a932e80939e5adf748e43a944114bf1d5987ba9a3db64958731bc1f776574662e2bd61eae71317715f2e51616b5929999322be689f534715a2fbe51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\_RECoVERY_+ncctx.txt

Filesize
1KB

MD5
2e08f5c69881b92ddc0624da6cf48d7a

SHA1
81d99c069a7b65f79101391927b30769eb601561

SHA256
8ad2a7cfa8227f6f94b0a4e1598ad07952cdb0b3efa2665097cc566d7c1d7c5c

SHA512
e48510d41c6fbdaccb95be61b64b1f2d8a004003c34d34c5608e8746fb2848227d9b2761b385d37e067452067d2258d9689c63d17c73aaf0d043934b24b45b12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\_RECoVERY_+ncctx.html

Filesize
11KB

MD5
35ea6aecb15bb0f64d491a8d09b57744

SHA1
39a02855e2cf407afb868050dfe7d813f461e992

SHA256
2a6190ec21cad39a003a1cda7ceb38c0bcf0996769658354fe212590c978c93b

SHA512
a06f62c98731b83b95d7dbd192113275c3f2ff30ad7728a73c7dd48dc457ea2283da8486f0557358b5b4301345215b8f2b0430f74efc6909e16515c5c126e42b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\_RECoVERY_+ncctx.png

Filesize
63KB

MD5
12f18c1abe375244f8190e20d79cbfe6

SHA1
d9474160ae3641c067883b3365604f1234371f1f

SHA256
f7146693f03920044012fa377eab653884db9ddd835a16b8f0160ce3d4dcaebb

SHA512
f4461022a932e80939e5adf748e43a944114bf1d5987ba9a3db64958731bc1f776574662e2bd61eae71317715f2e51616b5929999322be689f534715a2fbe51d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\_RECoVERY_+ncctx.txt

Filesize
1KB

MD5
2e08f5c69881b92ddc0624da6cf48d7a

SHA1
81d99c069a7b65f79101391927b30769eb601561

SHA256
8ad2a7cfa8227f6f94b0a4e1598ad07952cdb0b3efa2665097cc566d7c1d7c5c

SHA512
e48510d41c6fbdaccb95be61b64b1f2d8a004003c34d34c5608e8746fb2848227d9b2761b385d37e067452067d2258d9689c63d17c73aaf0d043934b24b45b12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\_RECoVERY_+ncctx.html

Filesize
11KB

MD5
35ea6aecb15bb0f64d491a8d09b57744

SHA1
39a02855e2cf407afb868050dfe7d813f461e992

SHA256
2a6190ec21cad39a003a1cda7ceb38c0bcf0996769658354fe212590c978c93b

SHA512
a06f62c98731b83b95d7dbd192113275c3f2ff30ad7728a73c7dd48dc457ea2283da8486f0557358b5b4301345215b8f2b0430f74efc6909e16515c5c126e42b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\_RECoVERY_+ncctx.png

Filesize
63KB

MD5
12f18c1abe375244f8190e20d79cbfe6

SHA1
d9474160ae3641c067883b3365604f1234371f1f

SHA256
f7146693f03920044012fa377eab653884db9ddd835a16b8f0160ce3d4dcaebb

SHA512
f4461022a932e80939e5adf748e43a944114bf1d5987ba9a3db64958731bc1f776574662e2bd61eae71317715f2e51616b5929999322be689f534715a2fbe51d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\_RECoVERY_+ncctx.txt

Filesize
1KB

MD5
2e08f5c69881b92ddc0624da6cf48d7a

SHA1
81d99c069a7b65f79101391927b30769eb601561

SHA256
8ad2a7cfa8227f6f94b0a4e1598ad07952cdb0b3efa2665097cc566d7c1d7c5c

SHA512
e48510d41c6fbdaccb95be61b64b1f2d8a004003c34d34c5608e8746fb2848227d9b2761b385d37e067452067d2258d9689c63d17c73aaf0d043934b24b45b12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\_RECoVERY_+ncctx.html

Filesize
11KB

MD5
35ea6aecb15bb0f64d491a8d09b57744

SHA1
39a02855e2cf407afb868050dfe7d813f461e992

SHA256
2a6190ec21cad39a003a1cda7ceb38c0bcf0996769658354fe212590c978c93b

SHA512
a06f62c98731b83b95d7dbd192113275c3f2ff30ad7728a73c7dd48dc457ea2283da8486f0557358b5b4301345215b8f2b0430f74efc6909e16515c5c126e42b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\_RECoVERY_+ncctx.png

Filesize
63KB

MD5
12f18c1abe375244f8190e20d79cbfe6

SHA1
d9474160ae3641c067883b3365604f1234371f1f

SHA256
f7146693f03920044012fa377eab653884db9ddd835a16b8f0160ce3d4dcaebb

SHA512
f4461022a932e80939e5adf748e43a944114bf1d5987ba9a3db64958731bc1f776574662e2bd61eae71317715f2e51616b5929999322be689f534715a2fbe51d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\_RECoVERY_+ncctx.txt

Filesize
1KB

MD5
2e08f5c69881b92ddc0624da6cf48d7a

SHA1
81d99c069a7b65f79101391927b30769eb601561

SHA256
8ad2a7cfa8227f6f94b0a4e1598ad07952cdb0b3efa2665097cc566d7c1d7c5c

SHA512
e48510d41c6fbdaccb95be61b64b1f2d8a004003c34d34c5608e8746fb2848227d9b2761b385d37e067452067d2258d9689c63d17c73aaf0d043934b24b45b12

Download Submit
C:\Users\Admin\Desktop\RECOVERY.HTM

Filesize
11KB

MD5
35ea6aecb15bb0f64d491a8d09b57744

SHA1
39a02855e2cf407afb868050dfe7d813f461e992

SHA256
2a6190ec21cad39a003a1cda7ceb38c0bcf0996769658354fe212590c978c93b

SHA512
a06f62c98731b83b95d7dbd192113275c3f2ff30ad7728a73c7dd48dc457ea2283da8486f0557358b5b4301345215b8f2b0430f74efc6909e16515c5c126e42b

Download Submit
C:\Users\Admin\Desktop\RECOVERY.TXT

Filesize
1KB

MD5
2e08f5c69881b92ddc0624da6cf48d7a

SHA1
81d99c069a7b65f79101391927b30769eb601561

SHA256
8ad2a7cfa8227f6f94b0a4e1598ad07952cdb0b3efa2665097cc566d7c1d7c5c

SHA512
e48510d41c6fbdaccb95be61b64b1f2d8a004003c34d34c5608e8746fb2848227d9b2761b385d37e067452067d2258d9689c63d17c73aaf0d043934b24b45b12

Download Submit
C:\Windows\tfnsceiycgyb.exe

Filesize
424KB

MD5
3dd36cf8bf728d5b1810c99042fbe1c5

SHA1
a053513f4baacbe8cf8c9d637a19a5a08a3300ea

SHA256
51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf

SHA512
17487df6e4c8796eff4371fb9205fc63e40ec9d481226089e7170b467f25bb96803c30f196b5a24f2a0730b0bd7915f68dbf98da5befc9bdfb4caaa9340ecec2

Download Submit
C:\Windows\tfnsceiycgyb.exe

Filesize
424KB

MD5
3dd36cf8bf728d5b1810c99042fbe1c5

SHA1
a053513f4baacbe8cf8c9d637a19a5a08a3300ea

SHA256
51891bb83422eeeb7873bc94657fff21cece16419e0ceed67a25b318b33302cf

SHA512
17487df6e4c8796eff4371fb9205fc63e40ec9d481226089e7170b467f25bb96803c30f196b5a24f2a0730b0bd7915f68dbf98da5befc9bdfb4caaa9340ecec2

Download Submit
\??\pipe\LOCAL\crashpad_2508_YLQHYDDPFIUVLVEW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/684-186-0x0000000000000000-mapping.dmp

Download
memory/1188-180-0x0000000000000000-mapping.dmp

Download
memory/1540-147-0x0000000000000000-mapping.dmp

Download
memory/2160-168-0x0000000000000000-mapping.dmp

Download
memory/2220-170-0x0000000000000000-mapping.dmp

Download
memory/2508-146-0x0000000000000000-mapping.dmp

Download
memory/2756-172-0x0000000000000000-mapping.dmp

Download
memory/3368-164-0x0000000000000000-mapping.dmp

Download
memory/3376-151-0x0000000000000000-mapping.dmp

Download
memory/3820-185-0x0000000000000000-mapping.dmp

Download
memory/3952-187-0x0000000000000000-mapping.dmp

Download
memory/4092-182-0x0000000000000000-mapping.dmp

Download
memory/4200-184-0x0000000000000000-mapping.dmp

Download
memory/4288-143-0x0000000000980000-0x0000000000A05000-memory.dmp

Filesize
532KB

Download
memory/4288-135-0x0000000000000000-mapping.dmp

Download
memory/4360-175-0x0000000000000000-mapping.dmp

Download
memory/4436-144-0x0000000000000000-mapping.dmp

Download
memory/4472-138-0x0000000000000000-mapping.dmp

Download
memory/4580-152-0x0000000000000000-mapping.dmp

Download
memory/4888-148-0x0000000000000000-mapping.dmp

Download
memory/4900-145-0x0000000000000000-mapping.dmp

Download
memory/5068-130-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/5068-134-0x0000000000A90000-0x0000000000B15000-memory.dmp

Filesize
532KB

Download