teslacrypt | e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Size

371KB
MD5

c192a273a786b569df2056914faf8327
SHA1

87f24f470d678deae2cade1d3fd12255e796c091
SHA256

e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced
SHA512

8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427
SSDEEP

6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+hrehg.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/C0716909F59A9C3 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0716909F59A9C3 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C0716909F59A9C3 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/C0716909F59A9C3 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/C0716909F59A9C3 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0716909F59A9C3 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C0716909F59A9C3 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/C0716909F59A9C3

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/C0716909F59A9C3

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0716909F59A9C3

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C0716909F59A9C3

http://xlowfznrg4wf7dli.ONION/C0716909F59A9C3

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cdxnmauxndwm.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+hrehg.png	cdxnmauxndwm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+hrehg.png	cdxnmauxndwm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe

Executes dropped EXE 2 IoCs

pid	Process
3172	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmtutyxfcqid = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\cdxnmauxndwm.exe\""	cdxnmauxndwm.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1132 set thread context of 1312	1132	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	98
PID 3172 set thread context of 5008	3172	cdxnmauxndwm.exe	104

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Paint3D.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Spider.Medium.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\150.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-150_contrast-white.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-16.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\meBoot.min.js	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\webviewBoot.min.js	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_RECoVERY_+hrehg.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.scale-100_contrast-white.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\MicrosoftLogo.scale-200.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+hrehg.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextDark.scale-125.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-white.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_contrast-white.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-16.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\_RECoVERY_+hrehg.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-lightunplated.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-100.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\microsoft-logo-white.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\_RECoVERY_+hrehg.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECoVERY_+hrehg.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\5.jpg	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-125_contrast-black.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-100.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_RECoVERY_+hrehg.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-125.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\View3d\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\en-us\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\_RECoVERY_+hrehg.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\LargeTile.scale-200.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-125.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-256.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-150.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-150.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\_RECoVERY_+hrehg.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_RECoVERY_+hrehg.html	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-200.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\_RECoVERY_+hrehg.png	cdxnmauxndwm.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\_RECoVERY_+hrehg.txt	cdxnmauxndwm.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\cdxnmauxndwm.exe	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
File opened for modification	C:\Windows\cdxnmauxndwm.exe	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdxnmauxndwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdxnmauxndwm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cdxnmauxndwm.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4360	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe
5008	cdxnmauxndwm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3796	msedge.exe
3796	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
Token: SeDebugPrivilege	5008	cdxnmauxndwm.exe
Token: SeIncreaseQuotaPrivilege	3712	WMIC.exe
Token: SeSecurityPrivilege	3712	WMIC.exe
Token: SeTakeOwnershipPrivilege	3712	WMIC.exe
Token: SeLoadDriverPrivilege	3712	WMIC.exe
Token: SeSystemProfilePrivilege	3712	WMIC.exe
Token: SeSystemtimePrivilege	3712	WMIC.exe
Token: SeProfSingleProcessPrivilege	3712	WMIC.exe
Token: SeIncBasePriorityPrivilege	3712	WMIC.exe
Token: SeCreatePagefilePrivilege	3712	WMIC.exe
Token: SeBackupPrivilege	3712	WMIC.exe
Token: SeRestorePrivilege	3712	WMIC.exe
Token: SeShutdownPrivilege	3712	WMIC.exe
Token: SeDebugPrivilege	3712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3712	WMIC.exe
Token: SeRemoteShutdownPrivilege	3712	WMIC.exe
Token: SeUndockPrivilege	3712	WMIC.exe
Token: SeManageVolumePrivilege	3712	WMIC.exe
Token: 33	3712	WMIC.exe
Token: 34	3712	WMIC.exe
Token: 35	3712	WMIC.exe
Token: 36	3712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3712	WMIC.exe
Token: SeSecurityPrivilege	3712	WMIC.exe
Token: SeTakeOwnershipPrivilege	3712	WMIC.exe
Token: SeLoadDriverPrivilege	3712	WMIC.exe
Token: SeSystemProfilePrivilege	3712	WMIC.exe
Token: SeSystemtimePrivilege	3712	WMIC.exe
Token: SeProfSingleProcessPrivilege	3712	WMIC.exe
Token: SeIncBasePriorityPrivilege	3712	WMIC.exe
Token: SeCreatePagefilePrivilege	3712	WMIC.exe
Token: SeBackupPrivilege	3712	WMIC.exe
Token: SeRestorePrivilege	3712	WMIC.exe
Token: SeShutdownPrivilege	3712	WMIC.exe
Token: SeDebugPrivilege	3712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3712	WMIC.exe
Token: SeRemoteShutdownPrivilege	3712	WMIC.exe
Token: SeUndockPrivilege	3712	WMIC.exe
Token: SeManageVolumePrivilege	3712	WMIC.exe
Token: 33	3712	WMIC.exe
Token: 34	3712	WMIC.exe
Token: 35	3712	WMIC.exe
Token: 36	3712	WMIC.exe
Token: SeBackupPrivilege	2112	vssvc.exe
Token: SeRestorePrivilege	2112	vssvc.exe
Token: SeAuditPrivilege	2112	vssvc.exe
Token: SeIncreaseQuotaPrivilege	748	WMIC.exe
Token: SeSecurityPrivilege	748	WMIC.exe
Token: SeTakeOwnershipPrivilege	748	WMIC.exe
Token: SeLoadDriverPrivilege	748	WMIC.exe
Token: SeSystemProfilePrivilege	748	WMIC.exe
Token: SeSystemtimePrivilege	748	WMIC.exe
Token: SeProfSingleProcessPrivilege	748	WMIC.exe
Token: SeIncBasePriorityPrivilege	748	WMIC.exe
Token: SeCreatePagefilePrivilege	748	WMIC.exe
Token: SeBackupPrivilege	748	WMIC.exe
Token: SeRestorePrivilege	748	WMIC.exe
Token: SeShutdownPrivilege	748	WMIC.exe
Token: SeDebugPrivilege	748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	748	WMIC.exe
Token: SeRemoteShutdownPrivilege	748	WMIC.exe
Token: SeUndockPrivilege	748	WMIC.exe
Token: SeManageVolumePrivilege	748	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1312	1132	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	98
PID 1132 wrote to memory of 1312	1132	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	98
PID 1132 wrote to memory of 1312	1132	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	98
PID 1132 wrote to memory of 1312	1132	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	98
PID 1132 wrote to memory of 1312	1132	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	98
PID 1132 wrote to memory of 1312	1132	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	98
PID 1132 wrote to memory of 1312	1132	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	98
PID 1132 wrote to memory of 1312	1132	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	98
PID 1132 wrote to memory of 1312	1132	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	98
PID 1312 wrote to memory of 3172	1312	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	99
PID 1312 wrote to memory of 3172	1312	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	99
PID 1312 wrote to memory of 3172	1312	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	99
PID 1312 wrote to memory of 4432	1312	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	100
PID 1312 wrote to memory of 4432	1312	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	100
PID 1312 wrote to memory of 4432	1312	e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe	100
PID 3172 wrote to memory of 5008	3172	cdxnmauxndwm.exe	104
PID 3172 wrote to memory of 5008	3172	cdxnmauxndwm.exe	104
PID 3172 wrote to memory of 5008	3172	cdxnmauxndwm.exe	104
PID 3172 wrote to memory of 5008	3172	cdxnmauxndwm.exe	104
PID 3172 wrote to memory of 5008	3172	cdxnmauxndwm.exe	104
PID 3172 wrote to memory of 5008	3172	cdxnmauxndwm.exe	104
PID 3172 wrote to memory of 5008	3172	cdxnmauxndwm.exe	104
PID 3172 wrote to memory of 5008	3172	cdxnmauxndwm.exe	104
PID 3172 wrote to memory of 5008	3172	cdxnmauxndwm.exe	104
PID 5008 wrote to memory of 3712	5008	cdxnmauxndwm.exe	105
PID 5008 wrote to memory of 3712	5008	cdxnmauxndwm.exe	105
PID 5008 wrote to memory of 4360	5008	cdxnmauxndwm.exe	111
PID 5008 wrote to memory of 4360	5008	cdxnmauxndwm.exe	111
PID 5008 wrote to memory of 4360	5008	cdxnmauxndwm.exe	111
PID 5008 wrote to memory of 3796	5008	cdxnmauxndwm.exe	112
PID 5008 wrote to memory of 3796	5008	cdxnmauxndwm.exe	112
PID 3796 wrote to memory of 3632	3796	msedge.exe	113
PID 3796 wrote to memory of 3632	3796	msedge.exe	113
PID 5008 wrote to memory of 748	5008	cdxnmauxndwm.exe	114
PID 5008 wrote to memory of 748	5008	cdxnmauxndwm.exe	114
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116
PID 3796 wrote to memory of 3652	3796	msedge.exe	116

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cdxnmauxndwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cdxnmauxndwm.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
"C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
  "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\cdxnmauxndwm.exe
    C:\Windows\cdxnmauxndwm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\cdxnmauxndwm.exe
      C:\Windows\cdxnmauxndwm.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5008
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:4360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdd7e46f8,0x7fffdd7e4708,0x7fffdd7e4718
        6⤵
        
        PID:3632
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        6⤵
        
        PID:3652
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        6⤵
        
        PID:4804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:8
        6⤵
        
        PID:4900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
        6⤵
        
        PID:4936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
        6⤵
        
        PID:3372
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
        6⤵
        
        PID:3232
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CDXNMA~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+hrehg.html

Filesize
9KB

MD5
1b78b85e42aed2f4e8159decab1ec819

SHA1
479f4d30be894ba9495d270094290f7bcff94f84

SHA256
b1bdc33175adff6089400d64922e47808f9b59181a6fe69504a48e9e71ab83ef

SHA512
c3f30a3e21d0c7cccf8e123774caef96b2328eda6e99bb37c84f8a9652ecc20ab96124f69b214dd29c9801a0c2ca3cb53662f2f93d68fa102a45a5b927f9c7d8

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+hrehg.png

Filesize
63KB

MD5
14b1317ab0dc245f3d4442c108ddaaf1

SHA1
07a562b5b2db6be1d282e17c7b3d5d1077542572

SHA256
f0eb1c3c0f67119764d8fa98a355b934ef015e78e075bc56975a5d72be2faa60

SHA512
24ef58d032cb9ad974eaab240554ce815cd27b59f07ee6d4a6fbdce6b2fff4d87fa7c74b686a0bfe999a675a1974b988af01fa3450460427fda915f43031b67b

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+hrehg.txt

Filesize
1KB

MD5
bfc580ab1e9f663c55ce4c0d6ac785fc

SHA1
559d268a13a5b6b1f484323685fac4e58d8b5a65

SHA256
f05afa6bd494fe218279450670b5007cefa3d4a3ce34818d9551f6e80f8c9efb

SHA512
d2c18e8e8a9a649352e87edb23edede5ea9c2bea03acad3cc8e88dd23d6b9ebdf912a6f19ddf86dcf9702250aab6288d7fdb325cd619553f8a297aa23034a086

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
dfea4a0ebadf07521723b12dbe809df7

SHA1
68b95f34bc8666bca44c695ce596625b82b0e05e

SHA256
9d4fbf692ebc6f8f204e0f3ea4943cde541c012e9308adf7db29202912394e8e

SHA512
1441c86b03e1ffbf19ada0b5f961a2df814f75c11589a82066cd03878b5a6f4015f07c7c6aeafcf0720aba0e4dee9dc13c8b38d453914b9c37eaacd6488bd4f1

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
5c00129a490f1c59b3aa9d45674fa9d6

SHA1
b74981401059188e80a62c59ab9ad2fcad912aff

SHA256
e7eead0d6a49c89331d20302cb5e13fd6975f95c8dc489590101bd13bb8ba1bc

SHA512
4e5f5177520a9d1e6b3c8dda960c9d0f6b706d99a35cc27296d232a7675d81fd9387f1f10ced245e7b4e4cf1ae679d3fb24086a0f2da3638e64afd7a0325d9b3

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
611993ae6f2843abe00011331578c44a

SHA1
8c211e333b508badb8f2ca4845adae2af25f5bca

SHA256
792e259bb12f658e3d041659de1112df4fece3a535235b6d475973096905e2be

SHA512
f739552c80b4bdbb8ece99917657d00c26ed880904aaec2c9a852aec952e4ac59de62076bc60e97986e1ca69aa298c815a68794e152b4e6eec901ce838104fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8adf384a640023017e67ce46b96cf5e

SHA1
9be592237283c3f115d8482a83bcdc22e33a6b85

SHA256
e309d7d151000a1c0659050408809186159f6055d72363d18b23a270aa36ca36

SHA512
e18d234c8346c0d9b319c1a07be528e168b46b27b913ae40eea0b7c4b371f973cde5dbc09814786b99eef06c07840441227ae2dd49dc566bd3877c3cf7fc0ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662192103813.txt

Filesize
77KB

MD5
0089a10fcb5c08347469b9ff8736d05b

SHA1
969d1e17cd9812c0bb6063f584d61ca4a0567126

SHA256
236b55b1d09b2bfe5d42685ba0b6c307fe07edb13a28c5f06184221245a2b7aa

SHA512
07314b52068012e8e5bb52a7ca8c3c7158259b85f4fc6fe689fe850f0258ecdfac398befcd81e90a2d97d952e859452680bc3a7ab6a99e556f55d6d4e24cdb7c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663401899668.txt

Filesize
47KB

MD5
a8ebbc8426d2a55cb7e6ba84d986bd7d

SHA1
336fd816759f420b530b60aa9f85fa97f894c4f9

SHA256
bbf141633400dc69c1314839522cc9fbbfefa235cf6e7ab33d7ab23c9964ad15

SHA512
3235f5bc5c7469ec83f47b2d0cd1a0a8e4fd418f1059862b5d74b1f649ee314f3f32a526a50cf02c0f1984eaf34b533b4e2e2bc23146d8b5d8c1908b86b9c0a8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt

Filesize
74KB

MD5
ca7ac5999ce50bb1bcbed911ef3351ed

SHA1
f3ba96187e6669e8e83d7fb5d501492c7e43dbbb

SHA256
58d9231755940e78c409c53c46a3ae92409478bb8d4a2458129f1bbf3d8354b0

SHA512
52bcdfccf3040e8723ae5288d11962a25ba5722ccbc8530f9917d3468f50d55674b3bc03d3dee0daf761e1a19da175c1c7869b59ac263776b4cdf4cf6ec6bd45

Download Submit
C:\Windows\cdxnmauxndwm.exe

Filesize
371KB

MD5
c192a273a786b569df2056914faf8327

SHA1
87f24f470d678deae2cade1d3fd12255e796c091

SHA256
e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced

SHA512
8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427

Download Submit
memory/1132-4-0x0000000000620000-0x0000000000623000-memory.dmp

Filesize
12KB

Download
memory/1132-1-0x0000000000620000-0x0000000000623000-memory.dmp

Filesize
12KB

Download
memory/1132-0-0x0000000000620000-0x0000000000623000-memory.dmp

Filesize
12KB

Download
memory/1312-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1312-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1312-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1312-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1312-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3172-12-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/5008-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-4305-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-7309-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-2212-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-2201-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-995-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-10321-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-10545-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-10546-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-10556-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-10554-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-21-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-10596-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5008-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download