teslacrypt | 93644832403246ebef8a76cac49d010b3864b4472a8a056f9cba66e8be7d55d8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe
Size

500KB
MD5

bfb464faecb6c1d1938228c68ee61fc2
SHA1

20ed2de92194ccb2d0a20a9a5f587d2800331ce4
SHA256

93644832403246ebef8a76cac49d010b3864b4472a8a056f9cba66e8be7d55d8
SHA512

359d11ee35717d1fdad942113b5439f4f0c9db5f1ae94896a48d554b957b65c7999c260ce80312125b6b0dd356a0669b4884a3e3d5e8593db03a03b76196d8cd
SSDEEP

6144:knKwYqvjLM36q25h5KdXSEGbXWWjge4R1p120rkv/Sg9/s+hi:xwYqGh205S3WW0TR1p1Po/

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rwrsc.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/B8ABB2EE8B9A7339 2 - http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/B8ABB2EE8B9A7339 3 - http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/B8ABB2EE8B9A7339 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/B8ABB2EE8B9A7339 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/B8ABB2EE8B9A7339 http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/B8ABB2EE8B9A7339 http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/B8ABB2EE8B9A7339 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/B8ABB2EE8B9A7339

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/B8ABB2EE8B9A7339

http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/B8ABB2EE8B9A7339

http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/B8ABB2EE8B9A7339

http://xlowfznrg4wf7dli.ONION/B8ABB2EE8B9A7339

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exeqjlifjmrytti.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	qjlifjmrytti.exe

Drops startup file 6 IoCs

Processes:

qjlifjmrytti.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe

Executes dropped EXE 1 IoCs

Processes:

qjlifjmrytti.exe

pid process

3448 qjlifjmrytti.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

qjlifjmrytti.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgrmcpd = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\qjlifjmrytti.exe"	qjlifjmrytti.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

qjlifjmrytti.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Logo.scale-100_contrast-white.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\WideTile.scale-200.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-200_contrast-white.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-200.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptySearch.scale-200.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Cliffhouse.jpg	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_light.jpg	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-30_altform-unplated.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-72.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-150_contrast-black.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-80_altform-unplated.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40_altform-lightunplated.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-100.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\82.jpg	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7ca.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\_ReCoVeRy_+rwrsc.txt	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125_contrast-black.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\_ReCoVeRy_+rwrsc.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\_ReCoVeRy_+rwrsc.html	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\9.jpg	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-64_altform-unplated.png	qjlifjmrytti.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-150_contrast-white.png	qjlifjmrytti.exe

Drops file in Windows directory 2 IoCs

Processes:

bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\qjlifjmrytti.exe	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe
File created	C:\Windows\qjlifjmrytti.exe	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exeqjlifjmrytti.execmd.exeNOTEPAD.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qjlifjmrytti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

qjlifjmrytti.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings qjlifjmrytti.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3488 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	qjlifjmrytti.exe

pid	process
3488	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

qjlifjmrytti.exe

pid	process
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe
3448	qjlifjmrytti.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4072 msedge.exe
4072 msedge.exe
4072 msedge.exe
4072 msedge.exe
4072 msedge.exe
4072 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exeqjlifjmrytti.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3520	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe
Token: SeDebugPrivilege	3448	qjlifjmrytti.exe
Token: SeIncreaseQuotaPrivilege	3664	WMIC.exe
Token: SeSecurityPrivilege	3664	WMIC.exe
Token: SeTakeOwnershipPrivilege	3664	WMIC.exe
Token: SeLoadDriverPrivilege	3664	WMIC.exe
Token: SeSystemProfilePrivilege	3664	WMIC.exe
Token: SeSystemtimePrivilege	3664	WMIC.exe
Token: SeProfSingleProcessPrivilege	3664	WMIC.exe
Token: SeIncBasePriorityPrivilege	3664	WMIC.exe
Token: SeCreatePagefilePrivilege	3664	WMIC.exe
Token: SeBackupPrivilege	3664	WMIC.exe
Token: SeRestorePrivilege	3664	WMIC.exe
Token: SeShutdownPrivilege	3664	WMIC.exe
Token: SeDebugPrivilege	3664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3664	WMIC.exe
Token: SeRemoteShutdownPrivilege	3664	WMIC.exe
Token: SeUndockPrivilege	3664	WMIC.exe
Token: SeManageVolumePrivilege	3664	WMIC.exe
Token: 33	3664	WMIC.exe
Token: 34	3664	WMIC.exe
Token: 35	3664	WMIC.exe
Token: 36	3664	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3664	WMIC.exe
Token: SeSecurityPrivilege	3664	WMIC.exe
Token: SeTakeOwnershipPrivilege	3664	WMIC.exe
Token: SeLoadDriverPrivilege	3664	WMIC.exe
Token: SeSystemProfilePrivilege	3664	WMIC.exe
Token: SeSystemtimePrivilege	3664	WMIC.exe
Token: SeProfSingleProcessPrivilege	3664	WMIC.exe
Token: SeIncBasePriorityPrivilege	3664	WMIC.exe
Token: SeCreatePagefilePrivilege	3664	WMIC.exe
Token: SeBackupPrivilege	3664	WMIC.exe
Token: SeRestorePrivilege	3664	WMIC.exe
Token: SeShutdownPrivilege	3664	WMIC.exe
Token: SeDebugPrivilege	3664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3664	WMIC.exe
Token: SeRemoteShutdownPrivilege	3664	WMIC.exe
Token: SeUndockPrivilege	3664	WMIC.exe
Token: SeManageVolumePrivilege	3664	WMIC.exe
Token: 33	3664	WMIC.exe
Token: 34	3664	WMIC.exe
Token: 35	3664	WMIC.exe
Token: 36	3664	WMIC.exe
Token: SeBackupPrivilege	4620	vssvc.exe
Token: SeRestorePrivilege	4620	vssvc.exe
Token: SeAuditPrivilege	4620	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4400	WMIC.exe
Token: SeSecurityPrivilege	4400	WMIC.exe
Token: SeTakeOwnershipPrivilege	4400	WMIC.exe
Token: SeLoadDriverPrivilege	4400	WMIC.exe
Token: SeSystemProfilePrivilege	4400	WMIC.exe
Token: SeSystemtimePrivilege	4400	WMIC.exe
Token: SeProfSingleProcessPrivilege	4400	WMIC.exe
Token: SeIncBasePriorityPrivilege	4400	WMIC.exe
Token: SeCreatePagefilePrivilege	4400	WMIC.exe
Token: SeBackupPrivilege	4400	WMIC.exe
Token: SeRestorePrivilege	4400	WMIC.exe
Token: SeShutdownPrivilege	4400	WMIC.exe
Token: SeDebugPrivilege	4400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4400	WMIC.exe
Token: SeRemoteShutdownPrivilege	4400	WMIC.exe
Token: SeUndockPrivilege	4400	WMIC.exe
Token: SeManageVolumePrivilege	4400	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exeqjlifjmrytti.exemsedge.exe

description	pid	process	target process
PID 3520 wrote to memory of 3448	3520	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	qjlifjmrytti.exe
PID 3520 wrote to memory of 3448	3520	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	qjlifjmrytti.exe
PID 3520 wrote to memory of 3448	3520	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	qjlifjmrytti.exe
PID 3520 wrote to memory of 1988	3520	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	cmd.exe
PID 3520 wrote to memory of 1988	3520	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	cmd.exe
PID 3520 wrote to memory of 1988	3520	bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe	cmd.exe
PID 3448 wrote to memory of 3664	3448	qjlifjmrytti.exe	WMIC.exe
PID 3448 wrote to memory of 3664	3448	qjlifjmrytti.exe	WMIC.exe
PID 3448 wrote to memory of 3488	3448	qjlifjmrytti.exe	NOTEPAD.EXE
PID 3448 wrote to memory of 3488	3448	qjlifjmrytti.exe	NOTEPAD.EXE
PID 3448 wrote to memory of 3488	3448	qjlifjmrytti.exe	NOTEPAD.EXE
PID 3448 wrote to memory of 4072	3448	qjlifjmrytti.exe	msedge.exe
PID 3448 wrote to memory of 4072	3448	qjlifjmrytti.exe	msedge.exe
PID 4072 wrote to memory of 1612	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 1612	4072	msedge.exe	msedge.exe
PID 3448 wrote to memory of 4400	3448	qjlifjmrytti.exe	WMIC.exe
PID 3448 wrote to memory of 4400	3448	qjlifjmrytti.exe	WMIC.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4980	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4860	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4860	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4036	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4036	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4036	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4036	4072	msedge.exe	msedge.exe
PID 4072 wrote to memory of 4036	4072	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

qjlifjmrytti.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	qjlifjmrytti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	qjlifjmrytti.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfb464faecb6c1d1938228c68ee61fc2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\qjlifjmrytti.exe
  C:\Windows\qjlifjmrytti.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3448
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:3488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd709946f8,0x7ffd70994708,0x7ffd70994718
      4⤵
      PID:1612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,15386923031964295490,4659786396718140186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:4980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,15386923031964295490,4659786396718140186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      PID:4860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,15386923031964295490,4659786396718140186,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
      4⤵
      PID:4036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15386923031964295490,4659786396718140186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      PID:3360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15386923031964295490,4659786396718140186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:4296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15386923031964295490,4659786396718140186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
      4⤵
      PID:3608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15386923031964295490,4659786396718140186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
      4⤵
      PID:4660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15386923031964295490,4659786396718140186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
      4⤵
      PID:4556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15386923031964295490,4659786396718140186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
      4⤵
      PID:8
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15386923031964295490,4659786396718140186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
      4⤵
      PID:2552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15386923031964295490,4659786396718140186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
      4⤵
      PID:1500
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QJLIFJ~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\BFB464~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rwrsc.html

Filesize
11KB

MD5
8ff5ee35aa625f7c5a438873d3a18f00

SHA1
3f5d4c1c2df4fd35a938589a0329a2ff16c89689

SHA256
c70c9eb46030ee961de88b54673e369e6bca9642872dc9593b351f387c9e3897

SHA512
4e6a4acead84b0957695ea907e54d554ad96016702ed6cfaa186447e5d4d37983b645cf6f8a40a9cdcafd363eb4ed198fa6e88eda86ec56bd46456b29c594ef7

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rwrsc.png

Filesize
64KB

MD5
e2fdc99e9a8965d6636473402e42d8bf

SHA1
d1e8a4a89a2295c9c40dea74d04fe8a5f0c79361

SHA256
4e448ef915ec6d2a59d4455200d95061e9d116e3c0f7d4f944b71d7c9a4c76b0

SHA512
eeeac1d15e195598824bd2df4fe490976f291ef359b5c31f85040fd5fc9a2840598acb924c7ef75c3373d59114b5a43e91b80838d6fb8a57e720fc5201bdf72f

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rwrsc.txt

Filesize
1KB

MD5
97562af22c93a49c87aee6f60e526717

SHA1
29fa466a051c57d7c6561f7bb1b41386c51ec20d

SHA256
8a929a2a1ce8cdaeb956f04de803a0e41bf3967241f480630e1bd82e1ec1965d

SHA512
181e5e601514d5abd7c418eea82ec1ea1d30c64edcf8e9d6b498a918ab70360b340b4001c7b1b6d2aa1476c9474ec11f33f041e3df3f20746d8db5d16fc48f36

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
93cc92c274655f2854694ab495580445

SHA1
091adeb6cab1ef459480b5359cea0d58a23155ba

SHA256
d16cd39e510733628bed1e0a69829528d009b4dbc68d764440e47e667a53c523

SHA512
93105dce23e7de0ae38cf076075bee5803626ec3c254871f2aac74241bd49dce5b401dbce1c883bfa38645634e1f917d390afe0e2ba03eec7837c0e5bfcd6825

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
8316ad6993145c07a62e46acf65eae7b

SHA1
59da3e83b4d7864cd1de5c3b624d0e92934f4da1

SHA256
742b39910859480aae6c81223700b5c8775fe9e6c8e2123f8ee122236f45c180

SHA512
4815521c7a85b1c56968cfaeadf92a569e91cee5207cca29ef8691b10fbe7ae12a04d2380e510024f6b85115e0ba9a5d216d588f29d038c6ee551ade7d72d079

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
49d1b3de3bd93a5854d0b2f93bf663cf

SHA1
fcc89c5b06568f550a12fc75448fa28742b7fda7

SHA256
cca9d8092a10b91c29b9ee33428ad61f52d8d0b05fabb2c7c27b5176d2dea4b2

SHA512
e62f98ff2609b5ad786d766606a3bb2d93a04def65bfcd8253358221b5a284f899447a7724247a2c178ba92d9cc914aa39f4b6cbf193c34c4d014e88c68f011f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c45ee5f6b797686096a017a101a322ab

SHA1
0603724f2244e06c0e7df24ffe35144a4de283d6

SHA256
9cfca58b68f4a7ffbf2469a9d51d3cb90774b3f0909f96ea653734e31a97023f

SHA512
bd717da954b68c383097890572bb11d89e376f458e5fc606c6b1ac714eaa4d296b5f067a6e863001aa6b5ff67f72cfc584f010b7dd153fe785fe62c7367884d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff6793351ba84977c5224e7cdb91ff01

SHA1
86cb7ae70cf7ec5285b5ee56bd41ef97bc2f7639

SHA256
fe9355a92c3422a20ee27e170926d144e6c1920a7f1326103ddf2d14677fcf56

SHA512
340f8617a99c689a8fc542c0c9db43ae8093f00629866520660f867e604167730f58212c64c6f7c51a24e15489adb245ef183cbebfa92402c91a100973c1b306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
58109a6c115ef3a72f0cfff327d46434

SHA1
c9ca3f875239598192549de8406c3edf704d1ffe

SHA256
89d42311cda6fe7d35cdc6a2cf2c9bb3ce1b1f764aae9a4214ce23b909d4dd09

SHA512
0f9ed4c0a05b34ed1a897e0fd76b22d98be6b6b8ba5534db87baae27f686b62ada1796f90f3b1fdefc8e429ece9e8822b1eeb1794b5cbf4cf35bd286a3e8f6ba

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764416908406.txt

Filesize
74KB

MD5
40d7635c9453bd35c6b6a6a5885acfc4

SHA1
655e53139b48de192dd361d7a1164b8fc229a41d

SHA256
ab61ba643a7056937aa14ae0e600bfb0d5f04667a0cf365d1b88bd70de626e5e

SHA512
d9a9c35e16b0d54f334b5f70c83ec0a7e1b4995a1322352b06948e8b9b5aaca9bf1b899533031262c1cfe34f0853fd9cf54e2ba6639a58862e37d938d35817f0

Download Submit
C:\Windows\qjlifjmrytti.exe

Filesize
500KB

MD5
bfb464faecb6c1d1938228c68ee61fc2

SHA1
20ed2de92194ccb2d0a20a9a5f587d2800331ce4

SHA256
93644832403246ebef8a76cac49d010b3864b4472a8a056f9cba66e8be7d55d8

SHA512
359d11ee35717d1fdad942113b5439f4f0c9db5f1ae94896a48d554b957b65c7999c260ce80312125b6b0dd356a0669b4884a3e3d5e8593db03a03b76196d8cd

Download Submit
\??\pipe\LOCAL\crashpad_4072_UJBGAOCKVWIAJAAR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3448-10666-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3448-8604-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3448-11-0x0000000002160000-0x00000000021E6000-memory.dmp

Filesize
536KB

Download
memory/3448-5093-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3448-2555-0x0000000002160000-0x00000000021E6000-memory.dmp

Filesize
536KB

Download
memory/3448-2554-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3448-10710-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3448-10711-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3520-0-0x0000000000AD0000-0x0000000000B56000-memory.dmp

Filesize
536KB

Download
memory/3520-2-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3520-10-0x0000000000AD0000-0x0000000000B56000-memory.dmp

Filesize
536KB

Download
memory/3520-9-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download