teslacrypt | 828cd60f0928c571477a4e351b0d98d0d03abe48f0b67a9ed605a2eb8dab5c4c

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
Size

384KB
MD5

546fe4e8d28a6c67a1047286eb57d773
SHA1

19a807a5fe6f1974ea4ba5f2bafb5cf4edb56f23
SHA256

828cd60f0928c571477a4e351b0d98d0d03abe48f0b67a9ed605a2eb8dab5c4c
SHA512

702ac5cd5e84d6157ab79fc6e41fa4fc1075e72318459345e7e75db200c07d09bf20d7f5b759c53e1207f80d0bbc2f5ab2c464b3cd8c8b8d4ffbc1b32707e5f2
SSDEEP

6144:7tguKU1XD9oEmWMF6L2IzjAqXuxoaqHwdfOUavNJ3en9THb3IA/OYILI:+uRBoOc4js11GUfVsNJ3entMAWp

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+erglr.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/90F05DF4807DC9E2 2. http://tes543berda73i48fsdfsd.keratadze.at/90F05DF4807DC9E2 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/90F05DF4807DC9E2 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/90F05DF4807DC9E2 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/90F05DF4807DC9E2 http://tes543berda73i48fsdfsd.keratadze.at/90F05DF4807DC9E2 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/90F05DF4807DC9E2 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/90F05DF4807DC9E2

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/90F05DF4807DC9E2

http://tes543berda73i48fsdfsd.keratadze.at/90F05DF4807DC9E2

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/90F05DF4807DC9E2

http://xlowfznrg4wf7dli.ONION/90F05DF4807DC9E2

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (868) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exevbkdkvlcaflw.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	vbkdkvlcaflw.exe

Drops startup file 6 IoCs

Processes:

vbkdkvlcaflw.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+erglr.html	vbkdkvlcaflw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+erglr.html	vbkdkvlcaflw.exe

Executes dropped EXE 2 IoCs

Processes:

vbkdkvlcaflw.exevbkdkvlcaflw.exe

pid	Process
1876	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbkdkvlcaflw.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vubpvnvlbnrs = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\vbkdkvlcaflw.exe\""	vbkdkvlcaflw.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exevbkdkvlcaflw.exe

description	pid	Process	procid_target
PID 2252 set thread context of 4020	2252	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	95
PID 1876 set thread context of 4480	1876	vbkdkvlcaflw.exe	100

Drops file in Program Files directory 64 IoCs

Processes:

vbkdkvlcaflw.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\hu.pak	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44LogoExtensions.targetsize-256.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-black\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-125.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-48.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-unplated_contrast-white.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\Recovery+erglr.html	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200_contrast-high.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\Recovery+erglr.html	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\Recovery+erglr.html	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_altform-unplated_contrast-white.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lo-LA\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-72_altform-unplated.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\pages\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36_altform-unplated.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\xbox_live_logo_black.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-200_contrast-black.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\Recovery+erglr.html	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Windows NT\Recovery+erglr.html	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\66.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-200.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-60_altform-unplated_contrast-black.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-400.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\MobileUpsellImage-light.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-80_altform-unplated.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Fonts\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\Recovery+erglr.html	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+erglr.html	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlInnerCircle.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationSensorCalibrationFigure.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-256.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-400.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-white\Recovery+erglr.html	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200_contrast-white.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\Recovery+erglr.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48_altform-unplated.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-unplated_contrast-white.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\Error.svg	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppValueProp.svg	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\Recovery+erglr.txt	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-400.png	vbkdkvlcaflw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+erglr.png	vbkdkvlcaflw.exe

Drops file in Windows directory 2 IoCs

Processes:

546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\vbkdkvlcaflw.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
File opened for modification	C:\Windows\vbkdkvlcaflw.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

vbkdkvlcaflw.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	vbkdkvlcaflw.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
540	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vbkdkvlcaflw.exe

pid	Process
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe
4480	vbkdkvlcaflw.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exevbkdkvlcaflw.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	4020	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
Token: SeDebugPrivilege	4480	vbkdkvlcaflw.exe
Token: SeIncreaseQuotaPrivilege	4320	WMIC.exe
Token: SeSecurityPrivilege	4320	WMIC.exe
Token: SeTakeOwnershipPrivilege	4320	WMIC.exe
Token: SeLoadDriverPrivilege	4320	WMIC.exe
Token: SeSystemProfilePrivilege	4320	WMIC.exe
Token: SeSystemtimePrivilege	4320	WMIC.exe
Token: SeProfSingleProcessPrivilege	4320	WMIC.exe
Token: SeIncBasePriorityPrivilege	4320	WMIC.exe
Token: SeCreatePagefilePrivilege	4320	WMIC.exe
Token: SeBackupPrivilege	4320	WMIC.exe
Token: SeRestorePrivilege	4320	WMIC.exe
Token: SeShutdownPrivilege	4320	WMIC.exe
Token: SeDebugPrivilege	4320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4320	WMIC.exe
Token: SeRemoteShutdownPrivilege	4320	WMIC.exe
Token: SeUndockPrivilege	4320	WMIC.exe
Token: SeManageVolumePrivilege	4320	WMIC.exe
Token: 33	4320	WMIC.exe
Token: 34	4320	WMIC.exe
Token: 35	4320	WMIC.exe
Token: 36	4320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4320	WMIC.exe
Token: SeSecurityPrivilege	4320	WMIC.exe
Token: SeTakeOwnershipPrivilege	4320	WMIC.exe
Token: SeLoadDriverPrivilege	4320	WMIC.exe
Token: SeSystemProfilePrivilege	4320	WMIC.exe
Token: SeSystemtimePrivilege	4320	WMIC.exe
Token: SeProfSingleProcessPrivilege	4320	WMIC.exe
Token: SeIncBasePriorityPrivilege	4320	WMIC.exe
Token: SeCreatePagefilePrivilege	4320	WMIC.exe
Token: SeBackupPrivilege	4320	WMIC.exe
Token: SeRestorePrivilege	4320	WMIC.exe
Token: SeShutdownPrivilege	4320	WMIC.exe
Token: SeDebugPrivilege	4320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4320	WMIC.exe
Token: SeRemoteShutdownPrivilege	4320	WMIC.exe
Token: SeUndockPrivilege	4320	WMIC.exe
Token: SeManageVolumePrivilege	4320	WMIC.exe
Token: 33	4320	WMIC.exe
Token: 34	4320	WMIC.exe
Token: 35	4320	WMIC.exe
Token: 36	4320	WMIC.exe
Token: SeBackupPrivilege	2816	vssvc.exe
Token: SeRestorePrivilege	2816	vssvc.exe
Token: SeAuditPrivilege	2816	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3492	WMIC.exe
Token: SeSecurityPrivilege	3492	WMIC.exe
Token: SeTakeOwnershipPrivilege	3492	WMIC.exe
Token: SeLoadDriverPrivilege	3492	WMIC.exe
Token: SeSystemProfilePrivilege	3492	WMIC.exe
Token: SeSystemtimePrivilege	3492	WMIC.exe
Token: SeProfSingleProcessPrivilege	3492	WMIC.exe
Token: SeIncBasePriorityPrivilege	3492	WMIC.exe
Token: SeCreatePagefilePrivilege	3492	WMIC.exe
Token: SeBackupPrivilege	3492	WMIC.exe
Token: SeRestorePrivilege	3492	WMIC.exe
Token: SeShutdownPrivilege	3492	WMIC.exe
Token: SeDebugPrivilege	3492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3492	WMIC.exe
Token: SeRemoteShutdownPrivilege	3492	WMIC.exe
Token: SeUndockPrivilege	3492	WMIC.exe
Token: SeManageVolumePrivilege	3492	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exevbkdkvlcaflw.exevbkdkvlcaflw.exemsedge.exe

description	pid	Process	procid_target
PID 2252 wrote to memory of 4020	2252	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	95
PID 2252 wrote to memory of 4020	2252	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	95
PID 2252 wrote to memory of 4020	2252	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	95
PID 2252 wrote to memory of 4020	2252	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	95
PID 2252 wrote to memory of 4020	2252	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	95
PID 2252 wrote to memory of 4020	2252	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	95
PID 2252 wrote to memory of 4020	2252	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	95
PID 2252 wrote to memory of 4020	2252	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	95
PID 2252 wrote to memory of 4020	2252	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	95
PID 2252 wrote to memory of 4020	2252	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	95
PID 4020 wrote to memory of 1876	4020	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	96
PID 4020 wrote to memory of 1876	4020	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	96
PID 4020 wrote to memory of 1876	4020	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	96
PID 4020 wrote to memory of 3708	4020	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	97
PID 4020 wrote to memory of 3708	4020	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	97
PID 4020 wrote to memory of 3708	4020	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	97
PID 1876 wrote to memory of 4480	1876	vbkdkvlcaflw.exe	100
PID 1876 wrote to memory of 4480	1876	vbkdkvlcaflw.exe	100
PID 1876 wrote to memory of 4480	1876	vbkdkvlcaflw.exe	100
PID 1876 wrote to memory of 4480	1876	vbkdkvlcaflw.exe	100
PID 1876 wrote to memory of 4480	1876	vbkdkvlcaflw.exe	100
PID 1876 wrote to memory of 4480	1876	vbkdkvlcaflw.exe	100
PID 1876 wrote to memory of 4480	1876	vbkdkvlcaflw.exe	100
PID 1876 wrote to memory of 4480	1876	vbkdkvlcaflw.exe	100
PID 1876 wrote to memory of 4480	1876	vbkdkvlcaflw.exe	100
PID 1876 wrote to memory of 4480	1876	vbkdkvlcaflw.exe	100
PID 4480 wrote to memory of 4320	4480	vbkdkvlcaflw.exe	101
PID 4480 wrote to memory of 4320	4480	vbkdkvlcaflw.exe	101
PID 4480 wrote to memory of 540	4480	vbkdkvlcaflw.exe	113
PID 4480 wrote to memory of 540	4480	vbkdkvlcaflw.exe	113
PID 4480 wrote to memory of 540	4480	vbkdkvlcaflw.exe	113
PID 4480 wrote to memory of 756	4480	vbkdkvlcaflw.exe	114
PID 4480 wrote to memory of 756	4480	vbkdkvlcaflw.exe	114
PID 756 wrote to memory of 2272	756	msedge.exe	115
PID 756 wrote to memory of 2272	756	msedge.exe	115
PID 4480 wrote to memory of 3492	4480	vbkdkvlcaflw.exe	116
PID 4480 wrote to memory of 3492	4480	vbkdkvlcaflw.exe	116
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118
PID 756 wrote to memory of 4148	756	msedge.exe	118

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

vbkdkvlcaflw.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vbkdkvlcaflw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vbkdkvlcaflw.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\vbkdkvlcaflw.exe
    C:\Windows\vbkdkvlcaflw.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\vbkdkvlcaflw.exe
      C:\Windows\vbkdkvlcaflw.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4480
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb43e846f8,0x7ffb43e84708,0x7ffb43e84718
        6⤵
        
        PID:2272
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,7710131820768425457,13221169384652796094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        6⤵
        
        PID:4148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,7710131820768425457,13221169384652796094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        6⤵
        
        PID:2368
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,7710131820768425457,13221169384652796094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
        6⤵
        
        PID:1392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7710131820768425457,13221169384652796094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        6⤵
        
        PID:1228
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7710131820768425457,13221169384652796094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1
        6⤵
        
        PID:4960
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,7710131820768425457,13221169384652796094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
        6⤵
        
        PID:5012
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,7710131820768425457,13221169384652796094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
        6⤵
        
        PID:3528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7710131820768425457,13221169384652796094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
        6⤵
        
        PID:2236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7710131820768425457,13221169384652796094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
        6⤵
        
        PID:2156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7710131820768425457,13221169384652796094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        6⤵
        
        PID:820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7710131820768425457,13221169384652796094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
        6⤵
        
        PID:1028
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VBKDKV~1.EXE
        5⤵
        
        PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\546FE4~1.EXE
    3⤵
    PID:3708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+erglr.html

Filesize
11KB

MD5
1d8a272c85b8b9d7085300c33be4f263

SHA1
6c35afcb852c64e3c1d70bc0d6125bcfacb23655

SHA256
48e1c6988bb6afb3ba405e2bbd754b6ff8725689966b6ecd9df91f50e5aeefb6

SHA512
47e932755339ccf93f12d84fa450fe1e9ddb387a25157f46c723fa7c801c057a0fc56c41d9cf2dda35abfc830c2a92c77600cb751b1415433c794527421ceb56

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+erglr.png

Filesize
64KB

MD5
95fcaf2d3b505ddade4679075b923c2f

SHA1
49677f455e658a331978b25bf979cb6bb6c63fc9

SHA256
dac5a0e723ff068bc37a2fc14059c0084160cc09562a44b46d29f073776f311a

SHA512
19a94e5b4f10f401f5b1db3383b73f9a65d1e36fb30a8c98a17b9f2558e8c61c724ee24051d42c25c89f224dab6286ec0f7d607ee4aed050d9cd77de88202d88

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+erglr.txt

Filesize
1KB

MD5
9872b451b8f5937ceb711a53be8985a8

SHA1
165fb0daf51624eb84d1dfa4aeae563965cb85c1

SHA256
0445421e9c5840f88c19b0c77237217a997f42208d457c89ea62836facf2b7e1

SHA512
f166275230b3eb3bb8884259ecb5d388ce625539da2b5991389bcb92783337ed414f1760ba5555959c81ad33d2f7350b74cc4909a2f677f0c5cc6b57a07d8aa3

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
f1a517643e2a86542fe9a45c9ad833a4

SHA1
1a1e59edbacacb6d2577c5da02cca5dfe80a92c1

SHA256
ce3f9eab2f1b60033a718ac1fdc16831a7735f4a8955478a2575fb9fb36c7f5a

SHA512
efc9cc3ea6827227b2f9bec4c5b51c6f116930cfd41ce37b23f625b8126295214fb4813b7ca4a450bb513406ce595603bb479146dd4c0b4045542df3e9111783

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
bc323e1c2054cf21477d236b3550980b

SHA1
0480afc0e6d5323b7ac9a876015035fe2e5035bc

SHA256
d351db2fd90c23a69c87a43b0af473d93dd3f371ebb454042bae8e2b41c6a8c2

SHA512
8aee99270ccec2c91d508cbcc4b39f0f3eae65c8d00ab30b20ca0a4ced72beaaa867df9571d1483a9af13260d0d5ce62057ee937cc23def4be73fd1db96e3883

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
5592b2c76c6ac431a43e122b0e021339

SHA1
d01ff10c7bc2275e87b30c5d12cd8839c5331b1b

SHA256
77f4784e947974e24c18d93e10d5fdb9f38a8e635da750c797ee1dcbf75be1d6

SHA512
2e8e480bebf0fff7b4e4d5c4c8c98b54b1b1e9faed00cf994dfb9fad490ea8fe9c7679a450731da2f2132f2265416019736b3bdf4c89ed2d32c3ca73d04c126a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f8825cd0bfdb9beb92ff8c43993811f

SHA1
1f0772a12cbab2c02c6bc022f7761e6fe425760b

SHA256
0310d053749989c544147b8eb9ef5d6f28e35e8c7c4c2ad04d222dc8b613d393

SHA512
6da7dd873aa7a2fb37b42a8406170542a06a10757b33589f5aaf2f4f77413b5831cb2a77bfabcd379ee2254d02fae15050df510dba431282b6b5e7b02ef53b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a09c156695d22f7313c4568a22eff245

SHA1
93f156ac91dcf424e4646ae7cb014f3eb55319a8

SHA256
23e71e1a266f9d065c8ecf0bd5fb02c86ddcb095403e4a81f6e9384b683ff2a5

SHA512
f7e83882dd772feb4b1219552c3160c0191ba27c4b83b875a808668466c697a9db0a7d606a542f8d176f93dbd0b83ef2a01c973e596976723b2a328dd6423af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3497032226aa8abb739c2379156425ef

SHA1
ca2c948bad538bfbd98bd22297d842ec97992849

SHA256
38cc37b2469b69349d1d57eab162f69faf88465e6cc158beee72f58ce961845c

SHA512
69fa737b9e44d84bf133517ece24b664e842926a4be053d44edc2d9653d8b98495a37df14cee5901ea2ae476dd9a093ba0e44761900abf42187f5e812109f784

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596380552933791.txt

Filesize
47KB

MD5
619864a24cefbe81ed3e825f0d758d47

SHA1
9ef9de05cc079f0af1ce05cd4a51417c2277ff68

SHA256
fb73eb59cccbf63f0cd0d0d04eaa9569e5abf2b3f2078ef92d126c0ec64a2362

SHA512
50fe373277f6751a356fd71899f2f9f0aaa5236a0d2053da3f78ad6811e0f7b7318cbd9e3e6a05ba671d9a6c40918d028548c0f9125e5614fbe772be50dee4e1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596412463398182.txt

Filesize
75KB

MD5
b02e5e5c1dbd15a3e57099622ea979e7

SHA1
8d15c6da92e184c4629c116a25ac87d231668de5

SHA256
cf73ea1d1e59759e51bd78f2d8ea09bc2b61c619e7a25cf82fc6e2a1f06d0e79

SHA512
66c56eac6944465a4d78b6847a31cf22a5999ba982c18fc84aab4761f9d04dca9437700395f5ebedc6059e06be2fd4ca3f18908370a2e434cc8338b2abdd25ff

Download Submit
C:\Windows\vbkdkvlcaflw.exe

Filesize
384KB

MD5
546fe4e8d28a6c67a1047286eb57d773

SHA1
19a807a5fe6f1974ea4ba5f2bafb5cf4edb56f23

SHA256
828cd60f0928c571477a4e351b0d98d0d03abe48f0b67a9ed605a2eb8dab5c4c

SHA512
702ac5cd5e84d6157ab79fc6e41fa4fc1075e72318459345e7e75db200c07d09bf20d7f5b759c53e1207f80d0bbc2f5ab2c464b3cd8c8b8d4ffbc1b32707e5f2

Download Submit
\??\pipe\LOCAL\crashpad_756_IGKLIVZTBGSTDNAZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1876-12-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/2252-0-0x0000000000D90000-0x0000000000D93000-memory.dmp

Filesize
12KB

Download
memory/2252-5-0x0000000000D90000-0x0000000000D93000-memory.dmp

Filesize
12KB

Download
memory/2252-1-0x0000000000D90000-0x0000000000D93000-memory.dmp

Filesize
12KB

Download
memory/4020-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4020-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4020-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4020-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4020-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-5526-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-8175-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-10353-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-10354-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-10362-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-10363-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-4748-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-2426-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-511-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-10402-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4480-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download