teslacrypt | 843c8d5bebe93aeaebeb940267b6b9fb4d8ddb392a316be0f6d58e0bcf940109

Analysis

max time kernel
145s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
Size

369KB
MD5

2c6e8b55ec2beb6ed16874e3e809573b
SHA1

221f4a333fffd85f544c71949661f73b62eed173
SHA256

843c8d5bebe93aeaebeb940267b6b9fb4d8ddb392a316be0f6d58e0bcf940109
SHA512

8c48aa13e678ef8988d16198aa0dd767e6255e75f56c405fee03f1ea99852243b83c8e99bca703b7046eed97cf1ee8ffdce55580375805266b536d4dae3f9bce
SSDEEP

6144:2o07Ev9jgh+J0J+l/moekR1MlvlMa0FIe03ncsCMYZx/FqDN6TETpspvQrMX1r9:2tQVG+JIe/mGzMNlMVFC3Xi/YwOi

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECOVERY_+dmkeb.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/63E5B8DDAD0F08 2. http://tes543berda73i48fsdfsd.keratadze.at/63E5B8DDAD0F08 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/63E5B8DDAD0F08 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/63E5B8DDAD0F08 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/63E5B8DDAD0F08 http://tes543berda73i48fsdfsd.keratadze.at/63E5B8DDAD0F08 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/63E5B8DDAD0F08 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/63E5B8DDAD0F08

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/63E5B8DDAD0F08

http://tes543berda73i48fsdfsd.keratadze.at/63E5B8DDAD0F08

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/63E5B8DDAD0F08

http://xlowfznrg4wf7dli.ONION/63E5B8DDAD0F08

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (856) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exexfjyccquwgvu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	xfjyccquwgvu.exe

Drops startup file 6 IoCs

Processes:

xfjyccquwgvu.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe

Executes dropped EXE 2 IoCs

Processes:

xfjyccquwgvu.exexfjyccquwgvu.exe

pid process

808 xfjyccquwgvu.exe
4904 xfjyccquwgvu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
808	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xfjyccquwgvu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdlhyengjibe = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\xfjyccquwgvu.exe\""	xfjyccquwgvu.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exexfjyccquwgvu.exe

description	pid	process	target process
PID 2992 set thread context of 3164	2992	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 808 set thread context of 4904	808	xfjyccquwgvu.exe	xfjyccquwgvu.exe

Drops file in Program Files directory 64 IoCs

Processes:

xfjyccquwgvu.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-125.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-40_altform-unplated_contrast-black.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Reconnected.m4a	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\View3d\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-100.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-129.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyShare.scale-150.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-200.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-400.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\THMBNAIL.PNG	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-60_altform-unplated.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-400_contrast-white.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-150.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\splashscreen.scale-125.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\Styling\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-150.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_altform-lightunplated.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-400.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-400.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-200_contrast-white.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\MapLightTheme.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_contrast-high.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\View3d\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jscripts\wefgallery_strings.js	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-150.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\THMBNAIL.PNG	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_24x24x32.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-100.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-white.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-100.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\_RECOVERY_+dmkeb.html	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-64_altform-unplated_contrast-black.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+dmkeb.txt	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-72_altform-lightunplated.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_RECOVERY_+dmkeb.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	xfjyccquwgvu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-200.png	xfjyccquwgvu.exe

Drops file in Windows directory 2 IoCs

Processes:

2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\xfjyccquwgvu.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
File opened for modification	C:\Windows\xfjyccquwgvu.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

xfjyccquwgvu.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings xfjyccquwgvu.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3880 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	xfjyccquwgvu.exe

pid	process
3880	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

xfjyccquwgvu.exe

pid	process
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe
4904	xfjyccquwgvu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4020 msedge.exe
4020 msedge.exe
4020 msedge.exe
4020 msedge.exe
4020 msedge.exe
4020 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exexfjyccquwgvu.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3164	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
Token: SeDebugPrivilege	4904	xfjyccquwgvu.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: 36	1564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: 36	1564	WMIC.exe
Token: SeBackupPrivilege	4572	vssvc.exe
Token: SeRestorePrivilege	4572	vssvc.exe
Token: SeAuditPrivilege	4572	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5040	WMIC.exe
Token: SeSecurityPrivilege	5040	WMIC.exe
Token: SeTakeOwnershipPrivilege	5040	WMIC.exe
Token: SeLoadDriverPrivilege	5040	WMIC.exe
Token: SeSystemProfilePrivilege	5040	WMIC.exe
Token: SeSystemtimePrivilege	5040	WMIC.exe
Token: SeProfSingleProcessPrivilege	5040	WMIC.exe
Token: SeIncBasePriorityPrivilege	5040	WMIC.exe
Token: SeCreatePagefilePrivilege	5040	WMIC.exe
Token: SeBackupPrivilege	5040	WMIC.exe
Token: SeRestorePrivilege	5040	WMIC.exe
Token: SeShutdownPrivilege	5040	WMIC.exe
Token: SeDebugPrivilege	5040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5040	WMIC.exe
Token: SeRemoteShutdownPrivilege	5040	WMIC.exe
Token: SeUndockPrivilege	5040	WMIC.exe
Token: SeManageVolumePrivilege	5040	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exexfjyccquwgvu.exexfjyccquwgvu.exemsedge.exe

description	pid	process	target process
PID 2992 wrote to memory of 3164	2992	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 2992 wrote to memory of 3164	2992	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 2992 wrote to memory of 3164	2992	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 2992 wrote to memory of 3164	2992	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 2992 wrote to memory of 3164	2992	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 2992 wrote to memory of 3164	2992	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 2992 wrote to memory of 3164	2992	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 2992 wrote to memory of 3164	2992	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 2992 wrote to memory of 3164	2992	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
PID 3164 wrote to memory of 808	3164	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	xfjyccquwgvu.exe
PID 3164 wrote to memory of 808	3164	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	xfjyccquwgvu.exe
PID 3164 wrote to memory of 808	3164	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	xfjyccquwgvu.exe
PID 3164 wrote to memory of 1484	3164	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	cmd.exe
PID 3164 wrote to memory of 1484	3164	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	cmd.exe
PID 3164 wrote to memory of 1484	3164	2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe	cmd.exe
PID 808 wrote to memory of 4904	808	xfjyccquwgvu.exe	xfjyccquwgvu.exe
PID 808 wrote to memory of 4904	808	xfjyccquwgvu.exe	xfjyccquwgvu.exe
PID 808 wrote to memory of 4904	808	xfjyccquwgvu.exe	xfjyccquwgvu.exe
PID 808 wrote to memory of 4904	808	xfjyccquwgvu.exe	xfjyccquwgvu.exe
PID 808 wrote to memory of 4904	808	xfjyccquwgvu.exe	xfjyccquwgvu.exe
PID 808 wrote to memory of 4904	808	xfjyccquwgvu.exe	xfjyccquwgvu.exe
PID 808 wrote to memory of 4904	808	xfjyccquwgvu.exe	xfjyccquwgvu.exe
PID 808 wrote to memory of 4904	808	xfjyccquwgvu.exe	xfjyccquwgvu.exe
PID 808 wrote to memory of 4904	808	xfjyccquwgvu.exe	xfjyccquwgvu.exe
PID 4904 wrote to memory of 1564	4904	xfjyccquwgvu.exe	WMIC.exe
PID 4904 wrote to memory of 1564	4904	xfjyccquwgvu.exe	WMIC.exe
PID 4904 wrote to memory of 3880	4904	xfjyccquwgvu.exe	NOTEPAD.EXE
PID 4904 wrote to memory of 3880	4904	xfjyccquwgvu.exe	NOTEPAD.EXE
PID 4904 wrote to memory of 3880	4904	xfjyccquwgvu.exe	NOTEPAD.EXE
PID 4904 wrote to memory of 4020	4904	xfjyccquwgvu.exe	msedge.exe
PID 4904 wrote to memory of 4020	4904	xfjyccquwgvu.exe	msedge.exe
PID 4020 wrote to memory of 1360	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1360	4020	msedge.exe	msedge.exe
PID 4904 wrote to memory of 5040	4904	xfjyccquwgvu.exe	WMIC.exe
PID 4904 wrote to memory of 5040	4904	xfjyccquwgvu.exe	WMIC.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2872	4020	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

xfjyccquwgvu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xfjyccquwgvu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	xfjyccquwgvu.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2c6e8b55ec2beb6ed16874e3e809573b_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\xfjyccquwgvu.exe
    C:\Windows\xfjyccquwgvu.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\xfjyccquwgvu.exe
      C:\Windows\xfjyccquwgvu.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4904
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:3880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6f2546f8,0x7ffd6f254708,0x7ffd6f254718
        6⤵
        
        PID:1360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14663979139887990162,16991123686784501172,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        6⤵
        
        PID:2872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,14663979139887990162,16991123686784501172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        6⤵
        
        PID:404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,14663979139887990162,16991123686784501172,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
        6⤵
        
        PID:2264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14663979139887990162,16991123686784501172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        6⤵
        
        PID:2196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14663979139887990162,16991123686784501172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        6⤵
        
        PID:992
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,14663979139887990162,16991123686784501172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
        6⤵
        
        PID:400
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,14663979139887990162,16991123686784501172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
        6⤵
        
        PID:4336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14663979139887990162,16991123686784501172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
        6⤵
        
        PID:1736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14663979139887990162,16991123686784501172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
        6⤵
        
        PID:5024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14663979139887990162,16991123686784501172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        6⤵
        
        PID:696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14663979139887990162,16991123686784501172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
        6⤵
        
        PID:4408
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XFJYCC~1.EXE
        5⤵
        
        PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2C6E8B~1.EXE
    3⤵
    PID:1484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECOVERY_+dmkeb.html

Filesize
11KB

MD5
e1e2bab244528d2c1b4acc3fe72776b7

SHA1
c222fcf4cf5e3144f591bd96493eee2fe7fcb2d2

SHA256
1b78d06bd996890efb1215fbde4e154ad990eeec628af79a0c91ddb94621a9a7

SHA512
6fdc3de9fec9a0d28c336226df16c1803c218c39bc5e21e2193fbf8451e43d78340e555024835eb62397f687078a3cdb1ac11d478aa51d655d7404ad9eb24806

Download Submit
C:\Program Files\7-Zip\Lang\_RECOVERY_+dmkeb.png

Filesize
62KB

MD5
004d04141a85d3c01aa1045c54c91853

SHA1
a8748ba0e0c74e4dc9147caf5d4776d3e0909612

SHA256
603b4a14df31ae2fadb36da21cbed8d6722e0b18d29fefd6a65f59c47fde9c4b

SHA512
d83f6aa267fe7fec09017f6adbf8b761f82a5818fade9e488a415064962fa96f1f878d9308a34f6ebcdc6ed6fc1cd71b5ecca131529b432ccfec58f2e7fc6dcb

Download Submit
C:\Program Files\7-Zip\Lang\_RECOVERY_+dmkeb.txt

Filesize
1KB

MD5
e4d8e2860eb93f964d73ff66b2aa7719

SHA1
19b9cd442b2cb8944a59caa917781c78ea98404d

SHA256
de70f4695556d253fafb07c794db3a96f9ade76ee1bad2cd598952ca6a6588fc

SHA512
318a0ca5e27c161ee7ba918de2df15605b0d5d12fe7aad22d03ed9f15bd75eb824a155627fe552f3217f4ac251cedb4618aa8b7f6af63795b8ff5be23c9b703e

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
490b5c3ca0111144df6aeb313a3f9958

SHA1
95f259042f5c47be2d7dd8fa022a07c1f48850fc

SHA256
24a5be751c56f4efbac4631eb6bd3f2bb194766baa6ac0a4702de4606fd2f837

SHA512
4b097da8bbe5860f6a62117b57bfef22034e9f599b49da51e72a4296b1bf098dee8377344d6793582616a7402ccbfd4122977d2016fb9dc58aaaf4b6cce5ccf5

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
34bbe9dedc44aa6c1f6bd0ae4f7013ca

SHA1
c2b19395e5775f4b3dd58694f8a370ef7ce69736

SHA256
df2fb3e1920d70832c5a2b178676945e61a104cbac8b64a9f0462e14de243d9c

SHA512
f5fd64511c5e09d4db0e16dfb432c5f1e0b96ab7d042354890b71516da3d98adeafa43150ab9d7ca18140633d1b9fb0ce16c41300260766dcaa215ad614ac20d

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
4455d37b1b1695b4530fba0e018d14d2

SHA1
ee2300b2bbcf2257023cd27cbb92d133305c1f11

SHA256
7e45a70c5b0bd46f8a3a1731a175b5918e966b008665ee3f972464aa8de40c5d

SHA512
35632cd9dbac69b9105f45c9b22c0a19b4c06961058475e66510c5ac683e714ba44ac20d668ce591b81077ea9b7ecf7d9dd16d7ac0263ab95a1e483cc36b0b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
77e1e68d54a1d8e74b4f8428cac625f9

SHA1
854d62fad47c645d8c97961253519b8604fc6d4d

SHA256
9b12fbf369c23ea126a0158b623d46e56668d475c4163287c1e29b815a54d2ae

SHA512
fb04c11f93d2d8986dd7c444fe950b0fd691e65951f5126db1e191adb470e301e5e08618d785a48dc622bf90494ebf7816fd28b3dd5a0a41c57ba35cda491bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
89838a7b6d316177cf18ec43b8142c38

SHA1
3c49aa54128404a01119a55284dc3e79a88a3e43

SHA256
b6e07a2d8803d00490196bc5b36f78b1f66239963e1780d09345cfee2ad4eb49

SHA512
29ce812f277f8647b7119116f027362151f9cd496c8c653ff5464036eb45b45e998e2402f79c529b4d1c9c2f84013306642d93e6df532ae4734521c575be211e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8702cd162b30d1592050ec3e8917b19b

SHA1
54ba8fd411adc3b31eea76492c5ce64625ef3e2b

SHA256
df11cc66ed9b2d05453aa3168406090215a53206faced387bab71f7b35e1d69b

SHA512
de0543f120defb58403cae74e0f86c63459d0805345242eca7020fe4ecce21b276b1a8533d0924c9fe3d4c7289a17bbaa0d6c7e2ef5dc2037db14cdfcc0f0222

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586097090598174.txt

Filesize
75KB

MD5
5c4597d972ff5858cee25bdbb50c9c8c

SHA1
923d46d239388622e7023261573f9eb5d938687c

SHA256
a72d2af0b74cf0ad60fb062aa5876820b11676a4bca24380b5fc09b24e5cb777

SHA512
6f3575ec8d804928931273134538438da3ad6e9a2ad097d77369bc9cb783e120f761cca763cecdda70dc5bf6b89b98cc00815c721cacd6998604e0143ce2acb0

Download Submit
C:\Windows\xfjyccquwgvu.exe

Filesize
369KB

MD5
2c6e8b55ec2beb6ed16874e3e809573b

SHA1
221f4a333fffd85f544c71949661f73b62eed173

SHA256
843c8d5bebe93aeaebeb940267b6b9fb4d8ddb392a316be0f6d58e0bcf940109

SHA512
8c48aa13e678ef8988d16198aa0dd767e6255e75f56c405fee03f1ea99852243b83c8e99bca703b7046eed97cf1ee8ffdce55580375805266b536d4dae3f9bce

Download Submit
\??\pipe\LOCAL\crashpad_4020_FZVNZVBFRPIQVDBX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/808-12-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2992-0-0x00000000006B0000-0x00000000006B3000-memory.dmp

Filesize
12KB

Download
memory/2992-4-0x00000000006B0000-0x00000000006B3000-memory.dmp

Filesize
12KB

Download
memory/2992-1-0x00000000006B0000-0x00000000006B3000-memory.dmp

Filesize
12KB

Download
memory/3164-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3164-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3164-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3164-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3164-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-6689-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-9229-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-10350-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-10351-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-10359-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-10360-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-3878-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-2124-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-1682-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-10430-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4904-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download