teslacrypt | 5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ce01dfbf25dfea778e57d8274675d6f.exe
Size

360KB
MD5

9ce01dfbf25dfea778e57d8274675d6f
SHA1

1bd767beb5bc36b396ca6405748042640ad57526
SHA256

5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
SHA512

d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
SSDEEP

6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\_RECOVERY_+jxvtu.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/11BDC7714099EF7C 2. http://tes543berda73i48fsdfsd.keratadze.at/11BDC7714099EF7C 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/11BDC7714099EF7C If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/11BDC7714099EF7C 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/11BDC7714099EF7C http://tes543berda73i48fsdfsd.keratadze.at/11BDC7714099EF7C http://tt54rfdjhb34rfbnknaerg.milerteddy.com/11BDC7714099EF7C *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/11BDC7714099EF7C

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/11BDC7714099EF7C

http://tes543berda73i48fsdfsd.keratadze.at/11BDC7714099EF7C

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/11BDC7714099EF7C

http://xlowfznrg4wf7dli.ONION/11BDC7714099EF7C

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (885) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9ce01dfbf25dfea778e57d8274675d6f.exeblwopxrmbnsx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	9ce01dfbf25dfea778e57d8274675d6f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	blwopxrmbnsx.exe

Drops startup file 6 IoCs

Processes:

blwopxrmbnsx.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+jxvtu.html	blwopxrmbnsx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+jxvtu.png	blwopxrmbnsx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+jxvtu.html	blwopxrmbnsx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+jxvtu.png	blwopxrmbnsx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe

Executes dropped EXE 1 IoCs

Processes:

blwopxrmbnsx.exe

pid process

5856 blwopxrmbnsx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

blwopxrmbnsx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faylpocefbie = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\blwopxrmbnsx.exe\""	blwopxrmbnsx.exe

Drops file in Program Files directory 64 IoCs

Processes:

blwopxrmbnsx.exe

description	ioc	process
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_RECOVERY_+jxvtu.html	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECOVERY_+jxvtu.html	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-white.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_RECOVERY_+jxvtu.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+jxvtu.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-lightunplated.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-white.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-400.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_RECOVERY_+jxvtu.html	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-64_altform-unplated_contrast-black.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-400.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\_RECOVERY_+jxvtu.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-100.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-black\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\28.jpg	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-fullcolor.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\_RECOVERY_+jxvtu.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\_RECOVERY_+jxvtu.html	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteLargeTile.scale-150.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\_RECOVERY_+jxvtu.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-200.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_NinjaCat.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+jxvtu.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-125.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square310x310Logo.scale-100.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-20_altform-unplated.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MicrosoftLogo.scale-200.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_RECOVERY_+jxvtu.html	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\_RECOVERY_+jxvtu.html	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_RECOVERY_+jxvtu.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\7.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\View3d\_RECOVERY_+jxvtu.html	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-100.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-100_contrast-black.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\10.jpg	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+jxvtu.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-200.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-125.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-64.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\_RECOVERY_+jxvtu.txt	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-100.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\204.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-400.png	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_RECOVERY_+jxvtu.html	blwopxrmbnsx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_RECOVERY_+jxvtu.png	blwopxrmbnsx.exe

Drops file in Windows directory 2 IoCs

Processes:

9ce01dfbf25dfea778e57d8274675d6f.exe

description	ioc	process
File created	C:\Windows\blwopxrmbnsx.exe	9ce01dfbf25dfea778e57d8274675d6f.exe
File opened for modification	C:\Windows\blwopxrmbnsx.exe	9ce01dfbf25dfea778e57d8274675d6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

blwopxrmbnsx.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings blwopxrmbnsx.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5948 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	blwopxrmbnsx.exe

pid	process
5948	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

blwopxrmbnsx.exe

pid	process
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe
5856	blwopxrmbnsx.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

5360 msedge.exe
5360 msedge.exe
5360 msedge.exe
5360 msedge.exe
5360 msedge.exe
5360 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

9ce01dfbf25dfea778e57d8274675d6f.exeblwopxrmbnsx.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1336	9ce01dfbf25dfea778e57d8274675d6f.exe
Token: SeDebugPrivilege	5856	blwopxrmbnsx.exe
Token: SeIncreaseQuotaPrivilege	4632	WMIC.exe
Token: SeSecurityPrivilege	4632	WMIC.exe
Token: SeTakeOwnershipPrivilege	4632	WMIC.exe
Token: SeLoadDriverPrivilege	4632	WMIC.exe
Token: SeSystemProfilePrivilege	4632	WMIC.exe
Token: SeSystemtimePrivilege	4632	WMIC.exe
Token: SeProfSingleProcessPrivilege	4632	WMIC.exe
Token: SeIncBasePriorityPrivilege	4632	WMIC.exe
Token: SeCreatePagefilePrivilege	4632	WMIC.exe
Token: SeBackupPrivilege	4632	WMIC.exe
Token: SeRestorePrivilege	4632	WMIC.exe
Token: SeShutdownPrivilege	4632	WMIC.exe
Token: SeDebugPrivilege	4632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4632	WMIC.exe
Token: SeRemoteShutdownPrivilege	4632	WMIC.exe
Token: SeUndockPrivilege	4632	WMIC.exe
Token: SeManageVolumePrivilege	4632	WMIC.exe
Token: 33	4632	WMIC.exe
Token: 34	4632	WMIC.exe
Token: 35	4632	WMIC.exe
Token: 36	4632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4632	WMIC.exe
Token: SeSecurityPrivilege	4632	WMIC.exe
Token: SeTakeOwnershipPrivilege	4632	WMIC.exe
Token: SeLoadDriverPrivilege	4632	WMIC.exe
Token: SeSystemProfilePrivilege	4632	WMIC.exe
Token: SeSystemtimePrivilege	4632	WMIC.exe
Token: SeProfSingleProcessPrivilege	4632	WMIC.exe
Token: SeIncBasePriorityPrivilege	4632	WMIC.exe
Token: SeCreatePagefilePrivilege	4632	WMIC.exe
Token: SeBackupPrivilege	4632	WMIC.exe
Token: SeRestorePrivilege	4632	WMIC.exe
Token: SeShutdownPrivilege	4632	WMIC.exe
Token: SeDebugPrivilege	4632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4632	WMIC.exe
Token: SeRemoteShutdownPrivilege	4632	WMIC.exe
Token: SeUndockPrivilege	4632	WMIC.exe
Token: SeManageVolumePrivilege	4632	WMIC.exe
Token: 33	4632	WMIC.exe
Token: 34	4632	WMIC.exe
Token: 35	4632	WMIC.exe
Token: 36	4632	WMIC.exe
Token: SeBackupPrivilege	3756	vssvc.exe
Token: SeRestorePrivilege	3756	vssvc.exe
Token: SeAuditPrivilege	3756	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5316	WMIC.exe
Token: SeSecurityPrivilege	5316	WMIC.exe
Token: SeTakeOwnershipPrivilege	5316	WMIC.exe
Token: SeLoadDriverPrivilege	5316	WMIC.exe
Token: SeSystemProfilePrivilege	5316	WMIC.exe
Token: SeSystemtimePrivilege	5316	WMIC.exe
Token: SeProfSingleProcessPrivilege	5316	WMIC.exe
Token: SeIncBasePriorityPrivilege	5316	WMIC.exe
Token: SeCreatePagefilePrivilege	5316	WMIC.exe
Token: SeBackupPrivilege	5316	WMIC.exe
Token: SeRestorePrivilege	5316	WMIC.exe
Token: SeShutdownPrivilege	5316	WMIC.exe
Token: SeDebugPrivilege	5316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5316	WMIC.exe
Token: SeRemoteShutdownPrivilege	5316	WMIC.exe
Token: SeUndockPrivilege	5316	WMIC.exe
Token: SeManageVolumePrivilege	5316	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe
5360	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9ce01dfbf25dfea778e57d8274675d6f.exeblwopxrmbnsx.exemsedge.exe

description	pid	process	target process
PID 1336 wrote to memory of 5856	1336	9ce01dfbf25dfea778e57d8274675d6f.exe	blwopxrmbnsx.exe
PID 1336 wrote to memory of 5856	1336	9ce01dfbf25dfea778e57d8274675d6f.exe	blwopxrmbnsx.exe
PID 1336 wrote to memory of 5856	1336	9ce01dfbf25dfea778e57d8274675d6f.exe	blwopxrmbnsx.exe
PID 1336 wrote to memory of 5012	1336	9ce01dfbf25dfea778e57d8274675d6f.exe	cmd.exe
PID 1336 wrote to memory of 5012	1336	9ce01dfbf25dfea778e57d8274675d6f.exe	cmd.exe
PID 1336 wrote to memory of 5012	1336	9ce01dfbf25dfea778e57d8274675d6f.exe	cmd.exe
PID 5856 wrote to memory of 4632	5856	blwopxrmbnsx.exe	WMIC.exe
PID 5856 wrote to memory of 4632	5856	blwopxrmbnsx.exe	WMIC.exe
PID 5856 wrote to memory of 5948	5856	blwopxrmbnsx.exe	NOTEPAD.EXE
PID 5856 wrote to memory of 5948	5856	blwopxrmbnsx.exe	NOTEPAD.EXE
PID 5856 wrote to memory of 5948	5856	blwopxrmbnsx.exe	NOTEPAD.EXE
PID 5856 wrote to memory of 5360	5856	blwopxrmbnsx.exe	msedge.exe
PID 5856 wrote to memory of 5360	5856	blwopxrmbnsx.exe	msedge.exe
PID 5360 wrote to memory of 4352	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 4352	5360	msedge.exe	msedge.exe
PID 5856 wrote to memory of 5316	5856	blwopxrmbnsx.exe	WMIC.exe
PID 5856 wrote to memory of 5316	5856	blwopxrmbnsx.exe	WMIC.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 5388	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 3020	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 3020	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 560	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 560	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 560	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 560	5360	msedge.exe	msedge.exe
PID 5360 wrote to memory of 560	5360	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

blwopxrmbnsx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	blwopxrmbnsx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	blwopxrmbnsx.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe
"C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\blwopxrmbnsx.exe
  C:\Windows\blwopxrmbnsx.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5856
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5948
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      PID:3020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
      4⤵
      PID:5388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
      4⤵
      PID:560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
      4⤵
      PID:2432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
      4⤵
      PID:2748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
      4⤵
      PID:3832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
      4⤵
      PID:4120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
      4⤵
      PID:5772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
      4⤵
      PID:4640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
      4⤵
      PID:5520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
      4⤵
      PID:304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BLWOPX~1.EXE
    3⤵
    PID:5460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\9CE01D~1.EXE
  2⤵
  PID:5012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6ed746f8,0x7ffa6ed74708,0x7ffa6ed74718
1⤵
PID:4352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\_RECOVERY_+jxvtu.txt

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
a175bacabbb58bdd2ee8b9e0c51d4719

SHA1
ef4bb7f490bbfe0479afb80a8b3421e7da3168fa

SHA256
56edbbfd263ddecf7fdb48696bf0a10de304c59ce6c6a00263aeb189ba0a85bf

SHA512
b03dedcea99123ba7e877119c0ac15e5e0d9e217fd92801c64bad18d0d92ecd4add7cad7b4953029ff37d5591570c45629147af53aedd5c12a10ee22bfdc0567

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
d39811c5c164a2ef92e934c07177f981

SHA1
45165c24aabb1bf7d9decf0c33c7643a1bd1a564

SHA256
c90cb6a35da8e2290122839a33ad8127bab3a0433b3dabcb72810f2d53a89e52

SHA512
cc502cd7451c62466ca51c1e4944b08fd3ef11d2bc7ce10a786aa31b29765708f1006d0ad0a043ce453e8f767ad217b8a9aecf6b71ff8db1fee26002be798aa7

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
1b370db94bed271918e4041a87b0f63b

SHA1
853d0b7614f1929faaa1fe58243b4d4ee58a2a65

SHA256
66df2e534eae652c300c34ba78c5d7a5d733b9e2f7aa29ec467f490ecc476eff

SHA512
3c138535d267012e6bccbfae45476d9eca0ec6248d8f66083ae53203ab5c90118a198de859b0be878d347e984518fccba336ea3f8ec7e2ffbcadaee60262dcda

Download Submit
C:\Windows\blwopxrmbnsx.exe

Filesize
360KB

MD5
9ce01dfbf25dfea778e57d8274675d6f

SHA1
1bd767beb5bc36b396ca6405748042640ad57526

SHA256
5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

SHA512
d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

Download Submit
memory/1336-0-0x0000000002270000-0x00000000022F5000-memory.dmp

Filesize
532KB

Download
memory/1336-9-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1336-1-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1336-12-0x0000000002270000-0x00000000022F5000-memory.dmp

Filesize
532KB

Download
memory/5856-11-0x0000000002120000-0x00000000021A5000-memory.dmp

Filesize
532KB

Download
memory/5856-2520-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5856-5273-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5856-6198-0x0000000002120000-0x00000000021A5000-memory.dmp

Filesize
532KB

Download
memory/5856-8658-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5856-10364-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5856-10419-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5856-10435-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download