teslacrypt | 569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe
Size

384KB
MD5

58318b59b9d87cadcc48fee7e58614f2
SHA1

869a4893f9e7776af555055000aa44d3f9dd3f70
SHA256

569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be
SHA512

d0b4799619766cb8997245d72ab0d014bc5de742757cd0d55343c8f5822499b006fc88f213b5ad7f72f873f6ba533eea5ca50b5be67f72839a093cadd0cd27ab
SSDEEP

6144:mMfrtVY40toxxNoPawoJX0RwPRuWp2rzL04lBqiQIxMTuuNAvwuE:mMfrg4OoxwPW0mpuWp2rzdKlIxMTumAq

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+aehgv.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/18BD3783C4E0CD85 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/18BD3783C4E0CD85 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/18BD3783C4E0CD85 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/18BD3783C4E0CD85 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/18BD3783C4E0CD85 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/18BD3783C4E0CD85 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/18BD3783C4E0CD85 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/18BD3783C4E0CD85

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/18BD3783C4E0CD85

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/18BD3783C4E0CD85

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/18BD3783C4E0CD85

http://xlowfznrg4wf7dli.ONION/18BD3783C4E0CD85

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (870) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exeypthbeilumbg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	ypthbeilumbg.exe

Drops startup file 6 IoCs

Processes:

ypthbeilumbg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+aehgv.png	ypthbeilumbg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+aehgv.txt	ypthbeilumbg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+aehgv.png	ypthbeilumbg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+aehgv.txt	ypthbeilumbg.exe

Executes dropped EXE 1 IoCs

Processes:

ypthbeilumbg.exe

pid process

1424 ypthbeilumbg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ypthbeilumbg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kalminuwfejp = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ypthbeilumbg.exe\""	ypthbeilumbg.exe

Drops file in Program Files directory 64 IoCs

Processes:

ypthbeilumbg.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-125.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+aehgv.txt	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_In_App_Notification.m4a	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-125.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\_RECoVERY_+aehgv.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_RECoVERY_+aehgv.txt	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-125.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-150.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-200.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-250.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_RECoVERY_+aehgv.txt	ypthbeilumbg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\_RECoVERY_+aehgv.txt	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-125_contrast-black.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72_altform-unplated.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\_RECoVERY_+aehgv.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailLargeTile.scale-125.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+aehgv.txt	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare71x71Logo.scale-200.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\_RECoVERY_+aehgv.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-96.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-30.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\_RECoVERY_+aehgv.txt	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-125.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_RECoVERY_+aehgv.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-64_altform-unplated.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\applet\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FlagToastQuickAction.scale-80.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageMedTile.scale-100.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_share_profile_v1.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\_RECoVERY_+aehgv.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-200.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PlaylistMediumTile.scale-100.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\HoloAssets\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-200.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_RECoVERY_+aehgv.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\_RECoVERY_+aehgv.txt	ypthbeilumbg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-400_contrast-white.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-64_altform-unplated.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\_RECoVERY_+aehgv.html	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\_RECoVERY_+aehgv.txt	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_altform-unplated_contrast-white.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+aehgv.txt	ypthbeilumbg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office15\_RECoVERY_+aehgv.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-125_contrast-white.png	ypthbeilumbg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\LargeTile.scale-100_contrast-black.png	ypthbeilumbg.exe

Drops file in Windows directory 2 IoCs

Processes:

569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe

description	ioc	process
File created	C:\Windows\ypthbeilumbg.exe	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe
File opened for modification	C:\Windows\ypthbeilumbg.exe	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

ypthbeilumbg.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings ypthbeilumbg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3160 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	ypthbeilumbg.exe

pid	process
3160	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ypthbeilumbg.exe

pid	process
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe
1424	ypthbeilumbg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3240 msedge.exe
3240 msedge.exe
3240 msedge.exe
3240 msedge.exe
3240 msedge.exe
3240 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exeypthbeilumbg.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3184	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe
Token: SeDebugPrivilege	1424	ypthbeilumbg.exe
Token: SeIncreaseQuotaPrivilege	4512	WMIC.exe
Token: SeSecurityPrivilege	4512	WMIC.exe
Token: SeTakeOwnershipPrivilege	4512	WMIC.exe
Token: SeLoadDriverPrivilege	4512	WMIC.exe
Token: SeSystemProfilePrivilege	4512	WMIC.exe
Token: SeSystemtimePrivilege	4512	WMIC.exe
Token: SeProfSingleProcessPrivilege	4512	WMIC.exe
Token: SeIncBasePriorityPrivilege	4512	WMIC.exe
Token: SeCreatePagefilePrivilege	4512	WMIC.exe
Token: SeBackupPrivilege	4512	WMIC.exe
Token: SeRestorePrivilege	4512	WMIC.exe
Token: SeShutdownPrivilege	4512	WMIC.exe
Token: SeDebugPrivilege	4512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4512	WMIC.exe
Token: SeRemoteShutdownPrivilege	4512	WMIC.exe
Token: SeUndockPrivilege	4512	WMIC.exe
Token: SeManageVolumePrivilege	4512	WMIC.exe
Token: 33	4512	WMIC.exe
Token: 34	4512	WMIC.exe
Token: 35	4512	WMIC.exe
Token: 36	4512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4512	WMIC.exe
Token: SeSecurityPrivilege	4512	WMIC.exe
Token: SeTakeOwnershipPrivilege	4512	WMIC.exe
Token: SeLoadDriverPrivilege	4512	WMIC.exe
Token: SeSystemProfilePrivilege	4512	WMIC.exe
Token: SeSystemtimePrivilege	4512	WMIC.exe
Token: SeProfSingleProcessPrivilege	4512	WMIC.exe
Token: SeIncBasePriorityPrivilege	4512	WMIC.exe
Token: SeCreatePagefilePrivilege	4512	WMIC.exe
Token: SeBackupPrivilege	4512	WMIC.exe
Token: SeRestorePrivilege	4512	WMIC.exe
Token: SeShutdownPrivilege	4512	WMIC.exe
Token: SeDebugPrivilege	4512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4512	WMIC.exe
Token: SeRemoteShutdownPrivilege	4512	WMIC.exe
Token: SeUndockPrivilege	4512	WMIC.exe
Token: SeManageVolumePrivilege	4512	WMIC.exe
Token: 33	4512	WMIC.exe
Token: 34	4512	WMIC.exe
Token: 35	4512	WMIC.exe
Token: 36	4512	WMIC.exe
Token: SeBackupPrivilege	4956	vssvc.exe
Token: SeRestorePrivilege	4956	vssvc.exe
Token: SeAuditPrivilege	4956	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeSecurityPrivilege	2588	WMIC.exe
Token: SeTakeOwnershipPrivilege	2588	WMIC.exe
Token: SeLoadDriverPrivilege	2588	WMIC.exe
Token: SeSystemProfilePrivilege	2588	WMIC.exe
Token: SeSystemtimePrivilege	2588	WMIC.exe
Token: SeProfSingleProcessPrivilege	2588	WMIC.exe
Token: SeIncBasePriorityPrivilege	2588	WMIC.exe
Token: SeCreatePagefilePrivilege	2588	WMIC.exe
Token: SeBackupPrivilege	2588	WMIC.exe
Token: SeRestorePrivilege	2588	WMIC.exe
Token: SeShutdownPrivilege	2588	WMIC.exe
Token: SeDebugPrivilege	2588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2588	WMIC.exe
Token: SeRemoteShutdownPrivilege	2588	WMIC.exe
Token: SeUndockPrivilege	2588	WMIC.exe
Token: SeManageVolumePrivilege	2588	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exeypthbeilumbg.exemsedge.exe

description	pid	process	target process
PID 3184 wrote to memory of 1424	3184	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	ypthbeilumbg.exe
PID 3184 wrote to memory of 1424	3184	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	ypthbeilumbg.exe
PID 3184 wrote to memory of 1424	3184	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	ypthbeilumbg.exe
PID 3184 wrote to memory of 2476	3184	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	cmd.exe
PID 3184 wrote to memory of 2476	3184	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	cmd.exe
PID 3184 wrote to memory of 2476	3184	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	cmd.exe
PID 1424 wrote to memory of 4512	1424	ypthbeilumbg.exe	WMIC.exe
PID 1424 wrote to memory of 4512	1424	ypthbeilumbg.exe	WMIC.exe
PID 1424 wrote to memory of 3160	1424	ypthbeilumbg.exe	NOTEPAD.EXE
PID 1424 wrote to memory of 3160	1424	ypthbeilumbg.exe	NOTEPAD.EXE
PID 1424 wrote to memory of 3160	1424	ypthbeilumbg.exe	NOTEPAD.EXE
PID 1424 wrote to memory of 3240	1424	ypthbeilumbg.exe	msedge.exe
PID 1424 wrote to memory of 3240	1424	ypthbeilumbg.exe	msedge.exe
PID 3240 wrote to memory of 4604	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 4604	3240	msedge.exe	msedge.exe
PID 1424 wrote to memory of 2588	1424	ypthbeilumbg.exe	WMIC.exe
PID 1424 wrote to memory of 2588	1424	ypthbeilumbg.exe	WMIC.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 3924	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 2440	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 2440	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 4952	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 4952	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 4952	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 4952	3240	msedge.exe	msedge.exe
PID 3240 wrote to memory of 4952	3240	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ypthbeilumbg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ypthbeilumbg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ypthbeilumbg.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe
"C:\Users\Admin\AppData\Local\Temp\569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\ypthbeilumbg.exe
  C:\Windows\ypthbeilumbg.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1424
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff68e646f8,0x7fff68e64708,0x7fff68e64718
      4⤵
      PID:4604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8973873122562544037,8232748807496415392,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      4⤵
      PID:3924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,8973873122562544037,8232748807496415392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      PID:2440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,8973873122562544037,8232748807496415392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
      4⤵
      PID:4952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8973873122562544037,8232748807496415392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
      4⤵
      PID:2784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8973873122562544037,8232748807496415392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
      4⤵
      PID:4572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8973873122562544037,8232748807496415392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
      4⤵
      PID:1452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8973873122562544037,8232748807496415392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
      4⤵
      PID:4592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8973873122562544037,8232748807496415392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
      4⤵
      PID:4408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8973873122562544037,8232748807496415392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      4⤵
      PID:3028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8973873122562544037,8232748807496415392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      PID:5392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8973873122562544037,8232748807496415392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
      4⤵
      PID:5400
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\YPTHBE~1.EXE
    3⤵
    PID:5556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\569301~1.EXE
  2⤵
  PID:2476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+aehgv.html

Filesize
9KB

MD5
fa13f4c9e16c475908e42ad5ca516e5f

SHA1
c4b2ed63415af11281e71010dd82fab93265f33d

SHA256
4029b2564def431ed494e41284ed927c476519869b29d16318079f315e3c7266

SHA512
9cde51fb09b36fd06430de43cbd270f505f502dbde105ddcc0e55dfa6aaf05692d06c9f8c550108d688d859523fab40e3d94108153841da89620e82740bc9ebe

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+aehgv.png

Filesize
63KB

MD5
4cedb9579065e3fe13d1565077a6dc24

SHA1
34629db17d3f747351cddc40a96e9597770a7633

SHA256
577f259d21b9878645413c6d7f9e32d46c0a6b698de5bb8971094745181f418a

SHA512
1e1f94c294c408cdd458bb01e2f681d7fd4aef53a804417d3fae4913bf8d5063861e5ccdee5795329cb52ab463c20b0dcdea5a29b28bb13f4045c858ab619143

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+aehgv.txt

Filesize
1KB

MD5
4a9488128c2d4090a4e7123ff6ee6073

SHA1
37fa59b9e00da2bc7600cafaf57e5ebe39cabd70

SHA256
b6f0bcd13b707fe2fe4744d921f1efdd034c47ec0aa8e2314650923044151212

SHA512
6c9988ff2a08a0522a6c92a57da93f431b39729581ee350930cb39b496439de0831e1da61f7bfa4cdb173fab92b0cd4400dd3a4e769065d4bdfac0caf2d13e74

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
2a3ac4a64494d2242d205ce092d3536a

SHA1
d2a879500a411cd02cc21ae0d27eb157de08256f

SHA256
a60fc63d7d4e79f6289e4bccfc7b7e7625e2637540905cb5b6891f57778b06fb

SHA512
166eade3cef0f67d794c9dd2c294eb9f58982e7193fd6de09cb85636e7fd32c3bb7e2df2274e13cc38dcdd0527494a5f579f998570017f8b03dec55e01de1f03

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
264e1ab6052f48b9e18ad82a0320a523

SHA1
837619f817b8219a4bbe4c00de12c96c9d067bd5

SHA256
c042d422b3ee0bf1f6a28f7297f8fe1ded47779e446c2f8ae356dbe5e9bc21c9

SHA512
9e7295114a02e2bf7a11ee9202b9d57bcd0f3b536b8aff812540d2cbbb75d10789966a730cf4e5b98b6d82a01dc812ea6f6b512b3a48c8bc61dd3ebcbdad5523

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
aa50cf2bd4f11e53d522e3e74e5954f3

SHA1
001882a87a307e7c752b3c3aacf33720bc588565

SHA256
3fab2ab57b4671f1a0d55488455131a5cf746ac70b70dff2fd29bc198fcf842a

SHA512
50e9b6a5c11321e48cb8bb996bc9e629905ce725510d93e8836182a010f765252410dd45baafa8ebdab1bf15192172b098d86dabcb9e1460796b4c99150e58fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7e0880992c640aca08737893588a0010

SHA1
6ceec5cb125a52751de8aeda4bab7112f68ae0fe

SHA256
8649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2

SHA512
52bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e2f0fe48e7ee1aad1c24db5c01c354a

SHA1
5bfeb862e107dd290d87385dc9369bd7a1006b36

SHA256
f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9

SHA512
140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71fac6a747f18b55baa3c717ca46cb29

SHA1
168e90da6661bcac4ee060957a4d7854c2928ff8

SHA256
77f202d94c4cb88fa3f801662b998f1bda74090b21b66bac1a5d60f6a3bcea1e

SHA512
07f6568ee96573468b469c48f8ce9ce5ce5222b249245ec638365889499b79083549f75101b1f8425432682f8f540e8ef0877103f95af35a358804408652e7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4348ebb2ac049ce954cffebe14bea88

SHA1
e63178b7a8b2eff1938a0629c597f93795ecbc98

SHA256
b02effd4ee51c23e157101d444dc43f258da5d7ce6cf3b3b585a63f945eac569

SHA512
ae72bc37b80775c59306d2f9c805ecd3bd9c73f8932f318db5c85ad8cf6e7a1e9ec78e875ca10bfeb2b2be45ff2674d561bbe50260f8c071e85c6c3a26c0833e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bda772f210902cdf61e9d17bbe9482cf

SHA1
fc0a983ba13d8d811a61067484deb6f988430cb2

SHA256
db0b6c963849ecbbc64f872ab5d256e8e0724eed4d88205f3eb29d955545d9be

SHA512
02fdeed169cc36401d049d2bdf643450f1ae0d756bfb38617f0bef065bc7fe566f996bf6bf21a49f2d08ab8b6d6f65278745b57c79f5891c47a51d7ba66e972c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573953558487957.txt

Filesize
47KB

MD5
612c80358b1462825a371cc411ed4c06

SHA1
b31453dd7b486a1b10879c4b0d1ae740908526a5

SHA256
1bf80ad9087b99574aca1d6cf4146752fc3e2305c94e773abbde9a4e073630af

SHA512
dbbd7e051a79d9c97f5997784f068f83c1876cbf199f56af189e24e78c37517717955ecfa76e06808feddbece8aa2f8e6c657938f3ed49a47446bdd70fcdb8e8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573962273348529.txt

Filesize
75KB

MD5
9b13d39d9a8a67d37b13cbefcaefa9a2

SHA1
37ee0898b798e4b290abedc76a8ef276b4f26e3e

SHA256
447cc51aeba81b9c7bd4e04ca37d027e2322084e08b85a6e2a248977f88986ac

SHA512
769326b81be6541855f2973a5ddd54a608b9a4fbc17df99f32d52bb2d8766d2425d49b7657b16bf49500f645617fb708667a8771c232fcbfc5046cc98a8cb20b

Download Submit
C:\Windows\ypthbeilumbg.exe

Filesize
384KB

MD5
58318b59b9d87cadcc48fee7e58614f2

SHA1
869a4893f9e7776af555055000aa44d3f9dd3f70

SHA256
569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be

SHA512
d0b4799619766cb8997245d72ab0d014bc5de742757cd0d55343c8f5822499b006fc88f213b5ad7f72f873f6ba533eea5ca50b5be67f72839a093cadd0cd27ab

Download Submit
\??\pipe\LOCAL\crashpad_3240_GDEINSFIYXHKEPCX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1424-8992-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1424-1652-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1424-4298-0x00000000021D0000-0x0000000002256000-memory.dmp

Filesize
536KB

Download
memory/1424-10491-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1424-10391-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1424-11-0x00000000021D0000-0x0000000002256000-memory.dmp

Filesize
536KB

Download
memory/1424-3805-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1424-6189-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1424-3804-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1424-10437-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3184-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3184-2-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3184-1-0x0000000002310000-0x0000000002396000-memory.dmp

Filesize
536KB

Download
memory/3184-14-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3184-15-0x0000000002310000-0x0000000002396000-memory.dmp

Filesize
536KB

Download