teslacrypt | 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f

Analysis

max time kernel
119s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe
Size

371KB
MD5

76b0182e3dc2f368facd1446a78d2ae0
SHA1

6e6f6df8ef1a845e335995fbfa48dab3526cea29
SHA256

3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
SHA512

e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a
SSDEEP

6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+qsvqc.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/77641749CBB1D8B 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/77641749CBB1D8B 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/77641749CBB1D8B If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/77641749CBB1D8B 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/77641749CBB1D8B http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/77641749CBB1D8B http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/77641749CBB1D8B *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/77641749CBB1D8B

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/77641749CBB1D8B

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/77641749CBB1D8B

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/77641749CBB1D8B

http://xlowfznrg4wf7dli.ONION/77641749CBB1D8B

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (888) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	bnkpflnvvahk.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qsvqc.txt	bnkpflnvvahk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qsvqc.txt	bnkpflnvvahk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe

Executes dropped EXE 2 IoCs

pid	Process
3232	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rndudahnigkc = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\bnkpflnvvahk.exe\""	bnkpflnvvahk.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 1624	2804	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	90
PID 3232 set thread context of 3500	3232	bnkpflnvvahk.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\LargeTile.scale-125.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-256_altform-unplated_contrast-white.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-125.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholder.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-400.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-400_contrast-black.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-100.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\_RECoVERY_+qsvqc.txt	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated_contrast-black.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d3.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-200.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\_RECoVERY_+qsvqc.txt	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-100.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-36.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\_RECoVERY_+qsvqc.txt	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-36_altform-unplated_contrast-white.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\auto-renew.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\jit_moments.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_RECoVERY_+qsvqc.txt	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100_contrast-black.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.css	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-150.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-20_altform-unplated.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\SuggestionsService\PushpinLight.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-150.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-100_contrast-white.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-200.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\View3d\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+qsvqc.png	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_RECoVERY_+qsvqc.txt	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_RECoVERY_+qsvqc.html	bnkpflnvvahk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketchAppService\ReadMe.txt	bnkpflnvvahk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\bnkpflnvvahk.exe	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe
File opened for modification	C:\Windows\bnkpflnvvahk.exe	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnkpflnvvahk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnkpflnvvahk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	bnkpflnvvahk.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2124	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe
3500	bnkpflnvvahk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe
Token: SeDebugPrivilege	3500	bnkpflnvvahk.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: 36	1984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: 36	1984	WMIC.exe
Token: SeBackupPrivilege	4908	vssvc.exe
Token: SeRestorePrivilege	4908	vssvc.exe
Token: SeAuditPrivilege	4908	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe
Token: SeSecurityPrivilege	1992	WMIC.exe
Token: SeTakeOwnershipPrivilege	1992	WMIC.exe
Token: SeLoadDriverPrivilege	1992	WMIC.exe
Token: SeSystemProfilePrivilege	1992	WMIC.exe
Token: SeSystemtimePrivilege	1992	WMIC.exe
Token: SeProfSingleProcessPrivilege	1992	WMIC.exe
Token: SeIncBasePriorityPrivilege	1992	WMIC.exe
Token: SeCreatePagefilePrivilege	1992	WMIC.exe
Token: SeBackupPrivilege	1992	WMIC.exe
Token: SeRestorePrivilege	1992	WMIC.exe
Token: SeShutdownPrivilege	1992	WMIC.exe
Token: SeDebugPrivilege	1992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1992	WMIC.exe
Token: SeRemoteShutdownPrivilege	1992	WMIC.exe
Token: SeUndockPrivilege	1992	WMIC.exe
Token: SeManageVolumePrivilege	1992	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1624	2804	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	90
PID 2804 wrote to memory of 1624	2804	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	90
PID 2804 wrote to memory of 1624	2804	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	90
PID 2804 wrote to memory of 1624	2804	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	90
PID 2804 wrote to memory of 1624	2804	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	90
PID 2804 wrote to memory of 1624	2804	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	90
PID 2804 wrote to memory of 1624	2804	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	90
PID 2804 wrote to memory of 1624	2804	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	90
PID 2804 wrote to memory of 1624	2804	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	90
PID 1624 wrote to memory of 3232	1624	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	91
PID 1624 wrote to memory of 3232	1624	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	91
PID 1624 wrote to memory of 3232	1624	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	91
PID 1624 wrote to memory of 4448	1624	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	92
PID 1624 wrote to memory of 4448	1624	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	92
PID 1624 wrote to memory of 4448	1624	3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe	92
PID 3232 wrote to memory of 3500	3232	bnkpflnvvahk.exe	95
PID 3232 wrote to memory of 3500	3232	bnkpflnvvahk.exe	95
PID 3232 wrote to memory of 3500	3232	bnkpflnvvahk.exe	95
PID 3232 wrote to memory of 3500	3232	bnkpflnvvahk.exe	95
PID 3232 wrote to memory of 3500	3232	bnkpflnvvahk.exe	95
PID 3232 wrote to memory of 3500	3232	bnkpflnvvahk.exe	95
PID 3232 wrote to memory of 3500	3232	bnkpflnvvahk.exe	95
PID 3232 wrote to memory of 3500	3232	bnkpflnvvahk.exe	95
PID 3232 wrote to memory of 3500	3232	bnkpflnvvahk.exe	95
PID 3500 wrote to memory of 1984	3500	bnkpflnvvahk.exe	96
PID 3500 wrote to memory of 1984	3500	bnkpflnvvahk.exe	96
PID 3500 wrote to memory of 2124	3500	bnkpflnvvahk.exe	101
PID 3500 wrote to memory of 2124	3500	bnkpflnvvahk.exe	101
PID 3500 wrote to memory of 2124	3500	bnkpflnvvahk.exe	101
PID 3500 wrote to memory of 4092	3500	bnkpflnvvahk.exe	102
PID 3500 wrote to memory of 4092	3500	bnkpflnvvahk.exe	102
PID 4092 wrote to memory of 4256	4092	msedge.exe	103
PID 4092 wrote to memory of 4256	4092	msedge.exe	103
PID 3500 wrote to memory of 1992	3500	bnkpflnvvahk.exe	104
PID 3500 wrote to memory of 1992	3500	bnkpflnvvahk.exe	104
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106
PID 4092 wrote to memory of 3008	4092	msedge.exe	106

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bnkpflnvvahk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	bnkpflnvvahk.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe
"C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe
  "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3fN.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\bnkpflnvvahk.exe
    C:\Windows\bnkpflnvvahk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\bnkpflnvvahk.exe
      C:\Windows\bnkpflnvvahk.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3500
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99ffe46f8,0x7ff99ffe4708,0x7ff99ffe4718
        6⤵
        
        PID:4256
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,13557770294624756432,11251566618376639923,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
        6⤵
        
        PID:3008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,13557770294624756432,11251566618376639923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        6⤵
        
        PID:4612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,13557770294624756432,11251566618376639923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
        6⤵
        
        PID:112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13557770294624756432,11251566618376639923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        6⤵
        
        PID:232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13557770294624756432,11251566618376639923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
        6⤵
        
        PID:4008
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,13557770294624756432,11251566618376639923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
        6⤵
        
        PID:2008
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,13557770294624756432,11251566618376639923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
        6⤵
        
        PID:2120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13557770294624756432,11251566618376639923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
        6⤵
        
        PID:4892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13557770294624756432,11251566618376639923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
        6⤵
        
        PID:2436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13557770294624756432,11251566618376639923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
        6⤵
        
        PID:840
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13557770294624756432,11251566618376639923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
        6⤵
        
        PID:1572
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BNKPFL~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+qsvqc.html

Filesize
9KB

MD5
ea2b9a939ac179d88095bf21b711233c

SHA1
d466a1f9402fa8d85acec3b5afe1e0a773276a2a

SHA256
5dc14fefdc5612610192f9aef51b0c296ec16d90bf073d48685340459dc8599c

SHA512
edfede7ffe92f4d0c07d79b7dfc6aa0b0a0d6ea2bf5da0be388756df254dc42894a8dd11f4bb5cc06f2f2c4e1aa81f2a2d7af9fa906cd34778f6686e7de59834

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+qsvqc.png

Filesize
63KB

MD5
3c81267ab217745186da4504b974ec8e

SHA1
79a9925c7e9ba4ebc58cd07f582b5c36971e1790

SHA256
75be2384911ba2a63196966215d819748665ecc9142f84a5af4b5a7ba6c7366b

SHA512
ab66620b46012a363f7d5f1252b187487229b5b57e3eed6b96abdbfe20a7a2d2643268a445364bd958ea9e6f8a7c5b2fdf7213a1d9208f653e3edfdbf63ca160

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+qsvqc.txt

Filesize
1KB

MD5
c06328639b50ac2c83c2ac58209e2ad0

SHA1
199fc7bf2184c7deb284d6060f26a13029cc1af8

SHA256
c50da4cbbe7b0e5d74140a96ec31f66de3d82ade9fcb4e5d69efd6ce9b96e59b

SHA512
0470ae0eb7d722ed730b285d27bae4536852da4f8baf6050851f919a69f374d6c0eb7ca5092f465206bb9556f8f3a18c0e74042a7df77eeaba027950ce317aab

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
8c55712dadac2ad2a8bab799bf421e88

SHA1
acfbce3ebc6432b727db6433c6461fabe0637111

SHA256
f68654bd0adbd53ecac9e5daf5f2eadffbd1337811c9b94aa6da4847a20aac03

SHA512
f25fefe704f4c5b45510145feb682e9dba454a1ef391bf363331bde813338428a8c2b75a3f1e26724384437f87888e3cab380eb52d1b56dbffe83b3ca10df515

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
a99114426e03c685514d5f902fd60f6e

SHA1
c9640179ca1536df71834679c8a5d6981d24f13e

SHA256
6501693a7c98338dd93bf556bc9ff87cc095122b68d3d31ecf134740b9b16944

SHA512
dcf866ae18234ea686bf9af0ccbe562631321cb48cdc4eec046132b2fa89eb2c94224360a31321505be9ff5bfdc1f56b7e7bc509f430fa836ac7f799e7033510

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
d9f0012d97db6cc4f4597cb53d40a265

SHA1
a0655c6cb85db06a120d04435f75f3291da0630c

SHA256
f1d57b091fbf367df0442971ca2d525466664d981d8e6e6797f7e15c09bb0bca

SHA512
f92576543424847d5e0a4ecf38ced1dc34f36716b630a58d49bf39004aa1d5876f94c2690eb7cd9c4eb41c4dc5846b2e5e1c2a457678e2410369e026d65e495f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c0776aa7923c9eb134a1c774b3bdc011

SHA1
1514988d69945b11f32b064d9c0948126b0a7bea

SHA256
23f28f2dbd5d54fba25df4cfc64318aa3cdef82b9796d73063ea6d0fea2b4226

SHA512
0bf8c861ee56c603a4c0cca1c06e8eaadb113c7c0d92ce3eecfefa9899f1c26253d08b356ead786723adf446361790d9213f754dda041946c4029c1f3d90b178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665766873969.txt

Filesize
74KB

MD5
dab4b4feb7f93d5fb5ed9a79ed7b719a

SHA1
a5208db9cd726bdd904756ee34ab60f7050a3eff

SHA256
1cbf75ff19f0f5f908322e674bceb8473d974d8d1b8e102c38b8ef94cbcfb258

SHA512
0d5c19721b7f6f5cbbab59db6910217c6d17f20778ab184d73fe8777ef02a3e4941ae21f6f754b0261410468619f1a3e570d87d05ca04a2c2d9e1bf97af6fa2d

Download Submit
C:\Windows\bnkpflnvvahk.exe

Filesize
371KB

MD5
76b0182e3dc2f368facd1446a78d2ae0

SHA1
6e6f6df8ef1a845e335995fbfa48dab3526cea29

SHA256
3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f

SHA512
e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a

Download Submit
memory/1624-14-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1624-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1624-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1624-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1624-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2804-0-0x0000000000730000-0x0000000000733000-memory.dmp

Filesize
12KB

Download
memory/2804-3-0x0000000000730000-0x0000000000733000-memory.dmp

Filesize
12KB

Download
memory/3232-11-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/3500-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-3211-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-5591-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-2849-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-8965-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-10804-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-10805-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-10813-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-10814-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-2846-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-10856-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3500-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download