teslacrypt | f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2

Analysis

max time kernel
144s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
Size

404KB
MD5

bdd2a639e52983f0f43258adb81155fb
SHA1

2bc75f3f6ef2b5e3b27a2d19147b20419dae9e98
SHA256

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2
SHA512

7932fe904ef26310f1751a79de9a6e3c9b994dbea9ff53789ca77ea8f3b5a918789abd77c4e0d02056f05176729ed5129fb92c7e6583134f1309e443b5da25db
SSDEEP

12288:0RLMuc1QJZwH2d1QkOOf7RkoBSQBDHtUCxS:0pu1Q9HlOOyUSQgCo

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\Recovery+wrdbm.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9EDD64473A44BFAE 2. http://kkd47eh4hdjshb5t.angortra.at/9EDD64473A44BFAE 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/9EDD64473A44BFAE If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/9EDD64473A44BFAE 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9EDD64473A44BFAE http://kkd47eh4hdjshb5t.angortra.at/9EDD64473A44BFAE http://ytrest84y5i456hghadefdsd.pontogrot.com/9EDD64473A44BFAE *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/9EDD64473A44BFAE

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9EDD64473A44BFAE

http://kkd47eh4hdjshb5t.angortra.at/9EDD64473A44BFAE

http://ytrest84y5i456hghadefdsd.pontogrot.com/9EDD64473A44BFAE

http://xlowfznrg4wf7dli.ONION/9EDD64473A44BFAE

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (875) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exeufejxuckkccn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	ufejxuckkccn.exe

Drops startup file 6 IoCs

Processes:

ufejxuckkccn.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wrdbm.png	ufejxuckkccn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wrdbm.html	ufejxuckkccn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wrdbm.png	ufejxuckkccn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wrdbm.html	ufejxuckkccn.exe

Executes dropped EXE 2 IoCs

Processes:

ufejxuckkccn.exeufejxuckkccn.exe

pid process

4740 ufejxuckkccn.exe
1908 ufejxuckkccn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4740	ufejxuckkccn.exe
1908	ufejxuckkccn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ufejxuckkccn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrcmdhjmugku = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ufejxuckkccn.exe\""	ufejxuckkccn.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exeufejxuckkccn.exe

description	pid	process	target process
PID 4060 set thread context of 1712	4060	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 4740 set thread context of 1908	4740	ufejxuckkccn.exe	ufejxuckkccn.exe

Drops file in Program Files directory 64 IoCs

Processes:

ufejxuckkccn.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\Recovery+wrdbm.html	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+wrdbm.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-white_scale-200.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-125.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\Recovery+wrdbm.html	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-125.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\Cabinet.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-150.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\Recovery+wrdbm.html	ufejxuckkccn.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-200_contrast-white.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Recovery+wrdbm.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\Recovery+wrdbm.html	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\MobileUpsellImage-light.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-125.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\Recovery+wrdbm.html	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineStrings.js	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-200_contrast-white.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-256.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-100.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\Recovery+wrdbm.html	ufejxuckkccn.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Tongue.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\Recovery+wrdbm.html	ufejxuckkccn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\Recovery+wrdbm.html	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\Recovery+wrdbm.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\Recovery+wrdbm.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\91.jpg	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\View3d\Recovery+wrdbm.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-24.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Recovery+wrdbm.html	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-64_contrast-black.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32_altform-lightunplated.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-400.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.scale-100_contrast-white.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-100_contrast-white.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\Recovery+wrdbm.html	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-100_contrast-white.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-400.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-200.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-100_contrast-black.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\Recovery+wrdbm.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\Recovery+wrdbm.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-white\OfflineError.svg	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\Recovery+wrdbm.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-black.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Recovery+wrdbm.txt	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-125.png	ufejxuckkccn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\id_arrow.png	ufejxuckkccn.exe

Drops file in Windows directory 2 IoCs

Processes:

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe

description	ioc	process
File created	C:\Windows\ufejxuckkccn.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
File opened for modification	C:\Windows\ufejxuckkccn.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

ufejxuckkccn.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings ufejxuckkccn.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1416 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	ufejxuckkccn.exe

pid	process
1416	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ufejxuckkccn.exe

pid	process
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe
1908	ufejxuckkccn.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3636 msedge.exe
3636 msedge.exe
3636 msedge.exe
3636 msedge.exe
3636 msedge.exe
3636 msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exeufejxuckkccn.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1712	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
Token: SeDebugPrivilege	1908	ufejxuckkccn.exe
Token: SeIncreaseQuotaPrivilege	844	WMIC.exe
Token: SeSecurityPrivilege	844	WMIC.exe
Token: SeTakeOwnershipPrivilege	844	WMIC.exe
Token: SeLoadDriverPrivilege	844	WMIC.exe
Token: SeSystemProfilePrivilege	844	WMIC.exe
Token: SeSystemtimePrivilege	844	WMIC.exe
Token: SeProfSingleProcessPrivilege	844	WMIC.exe
Token: SeIncBasePriorityPrivilege	844	WMIC.exe
Token: SeCreatePagefilePrivilege	844	WMIC.exe
Token: SeBackupPrivilege	844	WMIC.exe
Token: SeRestorePrivilege	844	WMIC.exe
Token: SeShutdownPrivilege	844	WMIC.exe
Token: SeDebugPrivilege	844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	844	WMIC.exe
Token: SeRemoteShutdownPrivilege	844	WMIC.exe
Token: SeUndockPrivilege	844	WMIC.exe
Token: SeManageVolumePrivilege	844	WMIC.exe
Token: 33	844	WMIC.exe
Token: 34	844	WMIC.exe
Token: 35	844	WMIC.exe
Token: 36	844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	448	WMIC.exe
Token: SeSecurityPrivilege	448	WMIC.exe
Token: SeTakeOwnershipPrivilege	448	WMIC.exe
Token: SeLoadDriverPrivilege	448	WMIC.exe
Token: SeSystemProfilePrivilege	448	WMIC.exe
Token: SeSystemtimePrivilege	448	WMIC.exe
Token: SeProfSingleProcessPrivilege	448	WMIC.exe
Token: SeIncBasePriorityPrivilege	448	WMIC.exe
Token: SeCreatePagefilePrivilege	448	WMIC.exe
Token: SeBackupPrivilege	448	WMIC.exe
Token: SeRestorePrivilege	448	WMIC.exe
Token: SeShutdownPrivilege	448	WMIC.exe
Token: SeDebugPrivilege	448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	448	WMIC.exe
Token: SeRemoteShutdownPrivilege	448	WMIC.exe
Token: SeUndockPrivilege	448	WMIC.exe
Token: SeManageVolumePrivilege	448	WMIC.exe
Token: 33	448	WMIC.exe
Token: 34	448	WMIC.exe
Token: 35	448	WMIC.exe
Token: 36	448	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exef848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exeufejxuckkccn.exeufejxuckkccn.exemsedge.exe

description	pid	process	target process
PID 4060 wrote to memory of 1712	4060	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 4060 wrote to memory of 1712	4060	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 4060 wrote to memory of 1712	4060	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 4060 wrote to memory of 1712	4060	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 4060 wrote to memory of 1712	4060	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 4060 wrote to memory of 1712	4060	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 4060 wrote to memory of 1712	4060	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 4060 wrote to memory of 1712	4060	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 4060 wrote to memory of 1712	4060	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 4060 wrote to memory of 1712	4060	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 1712 wrote to memory of 4740	1712	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	ufejxuckkccn.exe
PID 1712 wrote to memory of 4740	1712	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	ufejxuckkccn.exe
PID 1712 wrote to memory of 4740	1712	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	ufejxuckkccn.exe
PID 1712 wrote to memory of 4668	1712	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	cmd.exe
PID 1712 wrote to memory of 4668	1712	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	cmd.exe
PID 1712 wrote to memory of 4668	1712	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	cmd.exe
PID 4740 wrote to memory of 1908	4740	ufejxuckkccn.exe	ufejxuckkccn.exe
PID 4740 wrote to memory of 1908	4740	ufejxuckkccn.exe	ufejxuckkccn.exe
PID 4740 wrote to memory of 1908	4740	ufejxuckkccn.exe	ufejxuckkccn.exe
PID 4740 wrote to memory of 1908	4740	ufejxuckkccn.exe	ufejxuckkccn.exe
PID 4740 wrote to memory of 1908	4740	ufejxuckkccn.exe	ufejxuckkccn.exe
PID 4740 wrote to memory of 1908	4740	ufejxuckkccn.exe	ufejxuckkccn.exe
PID 4740 wrote to memory of 1908	4740	ufejxuckkccn.exe	ufejxuckkccn.exe
PID 4740 wrote to memory of 1908	4740	ufejxuckkccn.exe	ufejxuckkccn.exe
PID 4740 wrote to memory of 1908	4740	ufejxuckkccn.exe	ufejxuckkccn.exe
PID 4740 wrote to memory of 1908	4740	ufejxuckkccn.exe	ufejxuckkccn.exe
PID 1908 wrote to memory of 844	1908	ufejxuckkccn.exe	WMIC.exe
PID 1908 wrote to memory of 844	1908	ufejxuckkccn.exe	WMIC.exe
PID 1908 wrote to memory of 1416	1908	ufejxuckkccn.exe	NOTEPAD.EXE
PID 1908 wrote to memory of 1416	1908	ufejxuckkccn.exe	NOTEPAD.EXE
PID 1908 wrote to memory of 1416	1908	ufejxuckkccn.exe	NOTEPAD.EXE
PID 1908 wrote to memory of 3636	1908	ufejxuckkccn.exe	msedge.exe
PID 1908 wrote to memory of 3636	1908	ufejxuckkccn.exe	msedge.exe
PID 3636 wrote to memory of 4036	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4036	3636	msedge.exe	msedge.exe
PID 1908 wrote to memory of 448	1908	ufejxuckkccn.exe	WMIC.exe
PID 1908 wrote to memory of 448	1908	ufejxuckkccn.exe	WMIC.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3508	3636	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ufejxuckkccn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ufejxuckkccn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ufejxuckkccn.exe

C:\Users\Admin\AppData\Local\Temp\f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
"C:\Users\Admin\AppData\Local\Temp\f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
  "C:\Users\Admin\AppData\Local\Temp\f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\ufejxuckkccn.exe
    C:\Windows\ufejxuckkccn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\ufejxuckkccn.exe
      C:\Windows\ufejxuckkccn.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1908
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cd4046f8,0x7ff9cd404708,0x7ff9cd404718
        6⤵
        
        PID:4036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14511590084514490633,1335142650699931881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        6⤵
        
        PID:3508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14511590084514490633,1335142650699931881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        6⤵
        
        PID:1540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14511590084514490633,1335142650699931881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
        6⤵
        
        PID:2580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14511590084514490633,1335142650699931881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        6⤵
        
        PID:1728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14511590084514490633,1335142650699931881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        6⤵
        
        PID:3260
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14511590084514490633,1335142650699931881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
        6⤵
        
        PID:2160
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14511590084514490633,1335142650699931881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
        6⤵
        
        PID:4912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14511590084514490633,1335142650699931881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
        6⤵
        
        PID:5016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14511590084514490633,1335142650699931881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
        6⤵
        
        PID:1364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14511590084514490633,1335142650699931881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
        6⤵
        
        PID:4088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14511590084514490633,1335142650699931881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
        6⤵
        
        PID:3960
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UFEJXU~1.EXE
        5⤵
        
        PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\F848B2~1.EXE
    3⤵
    PID:4668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Recovery+wrdbm.html

Filesize
9KB

MD5
19cafe35e0aa93c454361ba4dcdf74f8

SHA1
ef47f3efb28d2cf1b18df9ebd7692a4fd3a64540

SHA256
3cee6620b7d2469edda7c3514b5293040216c8080991e8f17254c43af93488fc

SHA512
4dba29a0ed2dfec5ecfe18183d37d81179dce0b8c8fec709b9ef0abe5f6789065a6d78060840c2f4318bfb3ba9192efc014b53119922d6d9c86a589e4423908a

Download Submit
C:\PerfLogs\Recovery+wrdbm.png

Filesize
63KB

MD5
056585be8cf1988ac67b8dd3a3dcc74f

SHA1
15fd0a04f8d3ce0494527bd94b2362cb7b836835

SHA256
40dafeba771c015aed1b793047bd9fcbee6265a8aeaa9ed02cef3ee420a5ed30

SHA512
32272d8a6a93d263e30954d172c96a4d5f1c5169d93ad380260cfaeef14889660a31a4691751d1992533a40d267d6226adfe58adcdaf9b90fc8ad6b0397236b7

Download Submit
C:\PerfLogs\Recovery+wrdbm.txt

Filesize
1KB

MD5
af1ea7e35c293a6a0dcd84204a83a133

SHA1
4f5abc65d7bb02965d7f740f4db27a8b3cf172c5

SHA256
7919446c677a6285226e98bc4aa7647fc5f29829fe42e8a7a0ddacff09969755

SHA512
29f43670091ff4b3e202e344f6376e699a00e83e59d61f9d3593cd871d0dbd94921bb90dffeef597b5e064943b53a8f833481c764eefe0b4b384a9d287a78ec7

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
d88b1a2fec673748bf368da5209dc939

SHA1
f6e9a96fa63666e04a2652ab84ba7e3cb0485509

SHA256
d006c7be5e3acd9981ff881dd4021a9d81f53477cb55c186f569e2b9ce2cad4a

SHA512
54f734454d7d1f80a52a20a6e32879256e0e1482ee167d164845b76730320ef18b93941a3da79bea5cf6628dc6d8f4336be067b750917492ff38f64d702ebda3

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
19b5e741d96b76461739bdde04a2cf02

SHA1
40204b70e9854da822d88919607d775c982f873b

SHA256
3f45a7695c8fd901dda36d400da35bc418adf9bbef7ed3163e5bce1ab7ef6681

SHA512
a0ad022743dff2a0c320564e95dbcaf715cc75880574f67c5f95ff853fad59a564645cc16385aaa84942757499df7a3c78bb6002ed638e0da66fe10d0c26106a

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
98dc7a62c3fc4b79e4f5acc9c26f9eea

SHA1
4e975d01e05f642ed157cc9e1e71cfd9ea5c6423

SHA256
1bf5bac0fa40b83b171dc0799095870589ed704ac224416db4d21185fd8c5a33

SHA512
d8a3256696f2e2d049b12fd07808730afed6238ad321be7dca3c6c491824fe4d293240db0abaae200cfd92be82747eb64936d55cf37bbe428b2018f34a71f445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9e41e8a844d48a075c3aa33e67a4efcd

SHA1
255728a72a3eb1fa670de53584bc5f788ef84da9

SHA256
7e0a7144005b6b1633a72e720d046ab5f3a18d27d43cd2e2abd334fa8706efd9

SHA512
a5af8d7cc5eed87a22ff60df1052ee9a27a03cdb88c6135a8a0035f5fdac9ee4e30521dc64bc02ad7699a325d39e7932fe8bef7e478fc3444ce59bc76b1add97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
83607d60abf09bebfc1bd464c5eb0b7f

SHA1
b4ab82b2a9ff8046d745707f92a2b8f4d5446683

SHA256
210416a0d75539a79445baeefecea885113e1ac297a09ae328cd3845b58decc6

SHA512
ee3d739dacae95ef895f7f70db64d836a97f50e3cee976e4766dacc6ca071cf3049c589c9ac763dc407d1e28701de2629f5aa884c9686644a1d1e851f7b0fecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
015974afef51be66f7bb306ae8d16492

SHA1
9675a5a25bc67e76cf5d3cda149d54314fa6c8b7

SHA256
4f7929dde3f41b6881ee54bc3dc0831e7680b9a5cffb226a3f9d2d3301f48ca6

SHA512
7e9610dc3741b6efcada0f2c0c158b870c1a1a8d55b0be6b5fc20f02c1dfcf9d41af0f5ba02140a947e5d1a06062a1ad7fa1f18041de75f7328c66c2ef4355d7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471142896112263.txt

Filesize
74KB

MD5
10047f8f972aadd8bd0f51de868a2fb4

SHA1
4afad7c39a433a2f0302473604a5760119058210

SHA256
e954f774b0d6ea0a3f2158f6e24c2c1337bf1958bd1b5388f39ca50d596d8cb8

SHA512
86ef330a10a4898469c1d4021d59a1c9f254815afc87eb6f077dd3ad6cc59db292ed16ca7a15115c2a206cf6fe3688bb562938e86d7ed550ed0fb0ac922d0c7a

Download Submit
C:\Windows\ufejxuckkccn.exe

Filesize
404KB

MD5
bdd2a639e52983f0f43258adb81155fb

SHA1
2bc75f3f6ef2b5e3b27a2d19147b20419dae9e98

SHA256
f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2

SHA512
7932fe904ef26310f1751a79de9a6e3c9b994dbea9ff53789ca77ea8f3b5a918789abd77c4e0d02056f05176729ed5129fb92c7e6583134f1309e443b5da25db

Download Submit
\??\pipe\LOCAL\crashpad_3636_RCFAULTFFIDNWXEX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1712-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1712-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1712-7-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1712-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1712-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-10353-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-10364-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-27-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-2814-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-3530-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-5507-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-8818-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-10429-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-10354-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-26-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-10362-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1908-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4060-0-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/4060-6-0x0000000000A80000-0x0000000000A83000-memory.dmp

Filesize
12KB

Download
memory/4060-3-0x0000000000A80000-0x0000000000A83000-memory.dmp

Filesize
12KB

Download
memory/4060-2-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/4060-1-0x0000000000A80000-0x0000000000A83000-memory.dmp

Filesize
12KB

Download
memory/4740-14-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download