teslacrypt | 5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2

Analysis

max time kernel
112s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe
Size

352KB
MD5

c3dc59cd9625a3c67ff26039c876899f
SHA1

b9be42fe8318e7c20aa0e08e70b129949a2a6dad
SHA256

5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2
SHA512

d17c9d48d5b0340fd5f67c356917c7c56b646e6d911362c2035151983985386d9e622f42ddce72eaca01554d315472ea0d16688b69cfd8b5ba410cf833c1f4f1
SSDEEP

6144:QMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF2:QTb/wtN1aRXJg1f3gO9Jm+u2BgeYkzvk

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+vibno.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/987B76A9F82A1C71 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/987B76A9F82A1C71 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/987B76A9F82A1C71 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/987B76A9F82A1C71 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/987B76A9F82A1C71 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/987B76A9F82A1C71 http://yyre45dbvn2nhbefbmh.begumvelic.at/987B76A9F82A1C71 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/987B76A9F82A1C71

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/987B76A9F82A1C71

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/987B76A9F82A1C71

http://yyre45dbvn2nhbefbmh.begumvelic.at/987B76A9F82A1C71

http://xlowfznrg4wf7dli.ONION/987B76A9F82A1C71

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (880) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	bcnxhidvbaly.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+vibno.png	bcnxhidvbaly.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+vibno.html	bcnxhidvbaly.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+vibno.png	bcnxhidvbaly.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+vibno.html	bcnxhidvbaly.exe

Executes dropped EXE 1 IoCs

pid	Process
5088	bcnxhidvbaly.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eejpkoc = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\bcnxhidvbaly.exe"	bcnxhidvbaly.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\_ReCoVeRy_+vibno.html	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-48.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\_ReCoVeRy_+vibno.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\_ReCoVeRy_+vibno.html	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\_ReCoVeRy_+vibno.html	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-256_altform-lightunplated.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-60_contrast-black.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-60_altform-unplated.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-colorize.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-256.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-100.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\_ReCoVeRy_+vibno.html	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-125.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Fonts\_ReCoVeRy_+vibno.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-125.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-125_contrast-black.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_start_a_coversation_v2.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+vibno.html	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-200.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Internet Explorer\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-96_altform-lightunplated.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_ReCoVeRy_+vibno.html	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\_ReCoVeRy_+vibno.html	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteMedTile.scale-400.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-unplated.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-white_scale-200.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-unplated_contrast-white.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-150.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\StartScreen\_ReCoVeRy_+vibno.html	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\WideTile.scale-100.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_ReCoVeRy_+vibno.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\_ReCoVeRy_+vibno.html	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\meetings-chat-upsell.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-200.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated_contrast-white.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\_ReCoVeRy_+vibno.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\ThirdPartyNotices\_ReCoVeRy_+vibno.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-400.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-20.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Login.m4a	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-48.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+vibno.txt	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-125.png	bcnxhidvbaly.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireMedTile.scale-125.jpg	bcnxhidvbaly.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\bcnxhidvbaly.exe	5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe
File opened for modification	C:\Windows\bcnxhidvbaly.exe	5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcnxhidvbaly.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	bcnxhidvbaly.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
620	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe
5088	bcnxhidvbaly.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe
Token: SeDebugPrivilege	5088	bcnxhidvbaly.exe
Token: SeIncreaseQuotaPrivilege	4776	WMIC.exe
Token: SeSecurityPrivilege	4776	WMIC.exe
Token: SeTakeOwnershipPrivilege	4776	WMIC.exe
Token: SeLoadDriverPrivilege	4776	WMIC.exe
Token: SeSystemProfilePrivilege	4776	WMIC.exe
Token: SeSystemtimePrivilege	4776	WMIC.exe
Token: SeProfSingleProcessPrivilege	4776	WMIC.exe
Token: SeIncBasePriorityPrivilege	4776	WMIC.exe
Token: SeCreatePagefilePrivilege	4776	WMIC.exe
Token: SeBackupPrivilege	4776	WMIC.exe
Token: SeRestorePrivilege	4776	WMIC.exe
Token: SeShutdownPrivilege	4776	WMIC.exe
Token: SeDebugPrivilege	4776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4776	WMIC.exe
Token: SeRemoteShutdownPrivilege	4776	WMIC.exe
Token: SeUndockPrivilege	4776	WMIC.exe
Token: SeManageVolumePrivilege	4776	WMIC.exe
Token: 33	4776	WMIC.exe
Token: 34	4776	WMIC.exe
Token: 35	4776	WMIC.exe
Token: 36	4776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4776	WMIC.exe
Token: SeSecurityPrivilege	4776	WMIC.exe
Token: SeTakeOwnershipPrivilege	4776	WMIC.exe
Token: SeLoadDriverPrivilege	4776	WMIC.exe
Token: SeSystemProfilePrivilege	4776	WMIC.exe
Token: SeSystemtimePrivilege	4776	WMIC.exe
Token: SeProfSingleProcessPrivilege	4776	WMIC.exe
Token: SeIncBasePriorityPrivilege	4776	WMIC.exe
Token: SeCreatePagefilePrivilege	4776	WMIC.exe
Token: SeBackupPrivilege	4776	WMIC.exe
Token: SeRestorePrivilege	4776	WMIC.exe
Token: SeShutdownPrivilege	4776	WMIC.exe
Token: SeDebugPrivilege	4776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4776	WMIC.exe
Token: SeRemoteShutdownPrivilege	4776	WMIC.exe
Token: SeUndockPrivilege	4776	WMIC.exe
Token: SeManageVolumePrivilege	4776	WMIC.exe
Token: 33	4776	WMIC.exe
Token: 34	4776	WMIC.exe
Token: 35	4776	WMIC.exe
Token: 36	4776	WMIC.exe
Token: SeBackupPrivilege	4988	vssvc.exe
Token: SeRestorePrivilege	4988	vssvc.exe
Token: SeAuditPrivilege	4988	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1540	WMIC.exe
Token: SeSecurityPrivilege	1540	WMIC.exe
Token: SeTakeOwnershipPrivilege	1540	WMIC.exe
Token: SeLoadDriverPrivilege	1540	WMIC.exe
Token: SeSystemProfilePrivilege	1540	WMIC.exe
Token: SeSystemtimePrivilege	1540	WMIC.exe
Token: SeProfSingleProcessPrivilege	1540	WMIC.exe
Token: SeIncBasePriorityPrivilege	1540	WMIC.exe
Token: SeCreatePagefilePrivilege	1540	WMIC.exe
Token: SeBackupPrivilege	1540	WMIC.exe
Token: SeRestorePrivilege	1540	WMIC.exe
Token: SeShutdownPrivilege	1540	WMIC.exe
Token: SeDebugPrivilege	1540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1540	WMIC.exe
Token: SeRemoteShutdownPrivilege	1540	WMIC.exe
Token: SeUndockPrivilege	1540	WMIC.exe
Token: SeManageVolumePrivilege	1540	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 5088	3172	5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe	86
PID 3172 wrote to memory of 5088	3172	5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe	86
PID 3172 wrote to memory of 5088	3172	5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe	86
PID 3172 wrote to memory of 2824	3172	5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe	87
PID 3172 wrote to memory of 2824	3172	5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe	87
PID 3172 wrote to memory of 2824	3172	5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe	87
PID 5088 wrote to memory of 4776	5088	bcnxhidvbaly.exe	89
PID 5088 wrote to memory of 4776	5088	bcnxhidvbaly.exe	89
PID 5088 wrote to memory of 620	5088	bcnxhidvbaly.exe	109
PID 5088 wrote to memory of 620	5088	bcnxhidvbaly.exe	109
PID 5088 wrote to memory of 620	5088	bcnxhidvbaly.exe	109
PID 5088 wrote to memory of 2484	5088	bcnxhidvbaly.exe	110
PID 5088 wrote to memory of 2484	5088	bcnxhidvbaly.exe	110
PID 2484 wrote to memory of 2296	2484	msedge.exe	111
PID 2484 wrote to memory of 2296	2484	msedge.exe	111
PID 5088 wrote to memory of 1540	5088	bcnxhidvbaly.exe	113
PID 5088 wrote to memory of 1540	5088	bcnxhidvbaly.exe	113
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 3752	2484	msedge.exe	115
PID 2484 wrote to memory of 4504	2484	msedge.exe	116
PID 2484 wrote to memory of 4504	2484	msedge.exe	116
PID 2484 wrote to memory of 3464	2484	msedge.exe	117
PID 2484 wrote to memory of 3464	2484	msedge.exe	117
PID 2484 wrote to memory of 3464	2484	msedge.exe	117
PID 2484 wrote to memory of 3464	2484	msedge.exe	117
PID 2484 wrote to memory of 3464	2484	msedge.exe	117

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bcnxhidvbaly.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	bcnxhidvbaly.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe
"C:\Users\Admin\AppData\Local\Temp\5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\bcnxhidvbaly.exe
  C:\Windows\bcnxhidvbaly.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5088
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf5fa46f8,0x7ffdf5fa4708,0x7ffdf5fa4718
      4⤵
      PID:2296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,15579485603186479860,5034454913945213600,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:3752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,15579485603186479860,5034454913945213600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      PID:4504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,15579485603186479860,5034454913945213600,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
      4⤵
      PID:3464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15579485603186479860,5034454913945213600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:1956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15579485603186479860,5034454913945213600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:3708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15579485603186479860,5034454913945213600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
      4⤵
      PID:4436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15579485603186479860,5034454913945213600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
      4⤵
      PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15579485603186479860,5034454913945213600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
      4⤵
      PID:836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15579485603186479860,5034454913945213600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
      4⤵
      PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15579485603186479860,5034454913945213600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
      4⤵
      PID:4392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15579485603186479860,5034454913945213600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
      4⤵
      PID:968
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BCNXHI~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\507565~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+vibno.html

Filesize
12KB

MD5
0f867584f8cdb6955ec51a0397c7818e

SHA1
da8479d48d660107daa011b184efdad83b52f5a7

SHA256
c36cf7b59b7dd0f691e9c1def5848f2196299f0a41b1d490431f9971126cbe13

SHA512
f071061b49e167bbe12f6f7df56a09ded41ff06433a4eb283f586a713a67cbe3b920678a35d85808b3d0e37bed288e1ec09bbe9d83e5e3969f6bbca39456de0f

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+vibno.png

Filesize
65KB

MD5
52306dfede2e51b3a64742860b7315f3

SHA1
79beee228cc0f0b8704da80610b9e8dfe6c10ed3

SHA256
ac2b3ef97758c143a06a60f012826b9eedbe3992cfbb0f3cb36902ea4397263e

SHA512
95bcf513579a978c17baece0c7052dce009f11b8fcc7f6cb2a988c9e987dcbfcde9a13ba1a0e8d9df714b7c8c2680ff80be696e50a638ba96943a273a940d6e6

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+vibno.txt

Filesize
1KB

MD5
dc8ccc960b168ab192aac0000b9eaa51

SHA1
4f182a1bbe5c64224767ff5d907bb84b67dd05a5

SHA256
f66c46dc3d761e76a4e740d5e1b8954a80c7dd42ffbce442a591bb5d813859a8

SHA512
61edf73a3f2383f934b233d8c61be31a5c6448d77f7c4605a8a7ae4a77da1bce6a7bfa4bbfa3f1dd01c58f9dcc757107a2bc3aed5b831573ede295e6699e2a0b

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
23a1c7ce5d1e0cd4212a7cba513ac326

SHA1
e5124f57cae4ee5fa0710db2c8e78999bb75e14b

SHA256
7f2f1d14d2339fa41ba3711901b5ef87b1773b01ab343449d5e86c333a7517e7

SHA512
da8146fd496e97e7b03ebdd5620afbdcd79fafbf2d01ee2634936d73cb67db3fc5f27cd6442eb33d8cd2656d7ac1016921231a15cccc113e57224b1bdb34fc5c

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
2063ecf3cb12c9cb7abd88b225417c4e

SHA1
7d484a3b569e015c228cae6c0a866ea32e35868b

SHA256
ce685a255745e6310582d9ee3f9141b778975bb2d9d3275ec813b8bff7036621

SHA512
5d0c90431828d36f51e2bd03c2c4328be950f5817df099bf1b06c70ee0e7960ac775113d615bd49c2545349196cf8b33cb6021b0780451991dd74fb6c5f497a9

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
3f94aa2cf033416aab6d4a5a3438f4f9

SHA1
ef35ad122cc54fa2f96a2baf5d91b03d093a675d

SHA256
729d3f9fb1b8c71bf9c9017e07448a55ea9938f60c418480dea3386ac8cd5db8

SHA512
7067f4b050839bcf863049d33e55f53eac5a429a273efc8d3b14b86dbb930636c7741ed28a5407bfed510b3755e9e1551d4e7c41913074eb7e3f65df6902e88c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37a6b33f2af71660905d0e1330c5b41d

SHA1
1bc888ce51b30681de122d2d01e0506e839cd76c

SHA256
5476a93bcf2d6876fdeac03996b0418fbb114c1c3322eb45e7d687d3b7e02a71

SHA512
654853a0c3ed414672ab34321b7e4b1b6633535d3636cda3b5968ae0035f1345a012df2b5f1c65ba165dbdf2a2a30f065d4012fbb5377a96a72bbf7861722fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
923a1893e00c7a203662a62678cc7424

SHA1
41cecad36c3ce932267a339609c1a1139ba11974

SHA256
0ef2b9ac2b939ac3c5bb90ae81bac3a910f6f62e60b0fddf69987f2457651ebf

SHA512
d63924b81480ce380fe7d3c27584b3762cacfce6eca51f61181da9f65141715aa736c5f1ecaba0fcd96020ac1236350e28d19df2946fb4c7fd918dce4f9398ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f57556631da4c529b093c504f1457ac8

SHA1
fe80857ca34400d818b9272feb35d85777ebe72b

SHA256
1203589f8f3e58ab4ff71a2b963f09632e7b1cc9b3bdbc18bf3a6d05f1b27f14

SHA512
66683432bdd6020f36ecfe3565ffc7dea0dacfd0d58827da92c36ea0fec99599a61f331fd75a1bcd128d42d00266caeb9ae1785f56809db01015541ef3fdba58

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662360645001.txt

Filesize
77KB

MD5
0e34cf78759669a0aa7b816eda6a26a2

SHA1
84660773f03043da94efaea601629828565c4dd8

SHA256
3fcb6da0174833f2f3bd930a8eacc62467b0ccbab9e889bdcda4c1c3a29fe139

SHA512
bcaddd71633190189cb41ed89c334076271eff21231e1f1f1d3a0f91f94e215dcb3fe4c37814555bae3296228117e544b947705b5bac7a692e6859a45c2306fb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663623337830.txt

Filesize
47KB

MD5
595aa5a1a7ccca17a5f8e3005625e417

SHA1
28d8a62e65f9d3b93b5fc052310dad36dab352d7

SHA256
7a167a84b7dbb036beed6dfd1f629a22db399abc040d6e624c5ea88baef81aaf

SHA512
77bb5e2eb96d9a54c44d4cfae7e25c04c871a2baefc31aeff2d78a95f7b97b56df147864bbee1311edda90a5a6467962de485361e27a1ea0d2a218c7155b95f3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671211214398.txt

Filesize
74KB

MD5
29bf94c34fe4314ff645ec3ccf5f535b

SHA1
34444462007657366f1f5738e1e4f15786704901

SHA256
6ec98964dc64319812f20c8065f32808f416df6db3dbc629831c9ec15b63201d

SHA512
75b557bcc25a51a572d67990b7c412eed7ace20ed98625db25dc99b763e666e521e00188bbeec2a213a480bfb9070143bd4ca238c7003630b756b50b66e74dda

Download Submit
C:\Windows\bcnxhidvbaly.exe

Filesize
352KB

MD5
c3dc59cd9625a3c67ff26039c876899f

SHA1
b9be42fe8318e7c20aa0e08e70b129949a2a6dad

SHA256
5075657466a1d05e21228391263d456c16046128bf713e95d861c6a8b38048e2

SHA512
d17c9d48d5b0340fd5f67c356917c7c56b646e6d911362c2035151983985386d9e622f42ddce72eaca01554d315472ea0d16688b69cfd8b5ba410cf833c1f4f1

Download Submit
memory/3172-0-0x0000000002150000-0x00000000021D6000-memory.dmp

Filesize
536KB

Download
memory/3172-10-0x0000000002150000-0x00000000021D6000-memory.dmp

Filesize
536KB

Download
memory/3172-9-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3172-2-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5088-10829-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5088-11-0x0000000002110000-0x0000000002196000-memory.dmp

Filesize
536KB

Download
memory/5088-6428-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5088-1908-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5088-1909-0x0000000002110000-0x0000000002196000-memory.dmp

Filesize
536KB

Download
memory/5088-10845-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5088-10799-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5088-9178-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5088-3840-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download