teslacrypt | 74169c547fdff11862c73f3745bac6c4f214f8ee3ad2ace1a4648a77957f12ff

Analysis

max time kernel
148s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe
Size

428KB
MD5

c0199f0d56f43d6789e05f8f9fdf0102
SHA1

d6375c82b9460e4555bd5dad28c31f6d00404b38
SHA256

74169c547fdff11862c73f3745bac6c4f214f8ee3ad2ace1a4648a77957f12ff
SHA512

26aca425f3ab5ac9780f7b6eb862ed5a15b6c789e3df8a8561cf12878403bd61012906fab1b4a0e15e4d365760ae52ee9bc75a8aa9e150226bb45670dae2455b
SSDEEP

12288:tzUgz5mSAKNuYH+eCGdFCWhLblCJxfS6:tzUOpQYeeCoFhvOR1

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+fstqc.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/AEA3B77C35599F9D 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/AEA3B77C35599F9D 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/AEA3B77C35599F9D If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/AEA3B77C35599F9D 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/AEA3B77C35599F9D http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/AEA3B77C35599F9D http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/AEA3B77C35599F9D *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/AEA3B77C35599F9D

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/AEA3B77C35599F9D

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/AEA3B77C35599F9D

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/AEA3B77C35599F9D

http://xlowfznrg4wf7dli.ONION/AEA3B77C35599F9D

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (878) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exendjeqrywpcap.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ndjeqrywpcap.exe

Drops startup file 6 IoCs

Processes:

ndjeqrywpcap.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+fstqc.html	ndjeqrywpcap.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+fstqc.txt	ndjeqrywpcap.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+fstqc.html	ndjeqrywpcap.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+fstqc.txt	ndjeqrywpcap.exe

Executes dropped EXE 1 IoCs

Processes:

ndjeqrywpcap.exe

pid process

4240 ndjeqrywpcap.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ndjeqrywpcap.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hvwgbxlfmvoe = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ndjeqrywpcap.exe\""	ndjeqrywpcap.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

ndjeqrywpcap.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\_RECoVERY_+fstqc.html	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_RECoVERY_+fstqc.txt	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-200.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+fstqc.txt	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_altform-unplated_contrast-white.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-125.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteLargeTile.scale-125.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+fstqc.txt	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-16.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\Common Files\System\ado\_RECoVERY_+fstqc.html	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-125.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-250.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-125.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\_RECoVERY_+fstqc.html	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+fstqc.html	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\_RECoVERY_+fstqc.txt	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-100_contrast-white.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-96.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-48_altform-unplated.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\dashboard_slomo_OFF.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-200.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_RECoVERY_+fstqc.txt	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_RECoVERY_+fstqc.html	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\5px.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_altform-unplated_contrast-white.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-200.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\_RECoVERY_+fstqc.html	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-125.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-100.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-100_contrast-black.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\_RECoVERY_+fstqc.txt	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+fstqc.txt	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\_RECoVERY_+fstqc.html	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\_RECoVERY_+fstqc.html	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\_RECoVERY_+fstqc.txt	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionSmallTile.scale-150.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-20.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlConeHover.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-200.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-32_contrast-black.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\_RECoVERY_+fstqc.txt	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jsaddins\_RECoVERY_+fstqc.html	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-150.png	ndjeqrywpcap.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\_RECoVERY_+fstqc.png	ndjeqrywpcap.exe

Drops file in Windows directory 2 IoCs

Processes:

c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\ndjeqrywpcap.exe	c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe
File opened for modification	C:\Windows\ndjeqrywpcap.exe	c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exec0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exendjeqrywpcap.execmd.exeNOTEPAD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndjeqrywpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

ndjeqrywpcap.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings ndjeqrywpcap.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4156 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	ndjeqrywpcap.exe

pid	process
4156	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ndjeqrywpcap.exe

pid	process
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe
4240	ndjeqrywpcap.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3192 msedge.exe
3192 msedge.exe
3192 msedge.exe
3192 msedge.exe
3192 msedge.exe
3192 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exendjeqrywpcap.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	664	c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe
Token: SeDebugPrivilege	4240	ndjeqrywpcap.exe
Token: SeIncreaseQuotaPrivilege	1360	WMIC.exe
Token: SeSecurityPrivilege	1360	WMIC.exe
Token: SeTakeOwnershipPrivilege	1360	WMIC.exe
Token: SeLoadDriverPrivilege	1360	WMIC.exe
Token: SeSystemProfilePrivilege	1360	WMIC.exe
Token: SeSystemtimePrivilege	1360	WMIC.exe
Token: SeProfSingleProcessPrivilege	1360	WMIC.exe
Token: SeIncBasePriorityPrivilege	1360	WMIC.exe
Token: SeCreatePagefilePrivilege	1360	WMIC.exe
Token: SeBackupPrivilege	1360	WMIC.exe
Token: SeRestorePrivilege	1360	WMIC.exe
Token: SeShutdownPrivilege	1360	WMIC.exe
Token: SeDebugPrivilege	1360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1360	WMIC.exe
Token: SeRemoteShutdownPrivilege	1360	WMIC.exe
Token: SeUndockPrivilege	1360	WMIC.exe
Token: SeManageVolumePrivilege	1360	WMIC.exe
Token: 33	1360	WMIC.exe
Token: 34	1360	WMIC.exe
Token: 35	1360	WMIC.exe
Token: 36	1360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1360	WMIC.exe
Token: SeSecurityPrivilege	1360	WMIC.exe
Token: SeTakeOwnershipPrivilege	1360	WMIC.exe
Token: SeLoadDriverPrivilege	1360	WMIC.exe
Token: SeSystemProfilePrivilege	1360	WMIC.exe
Token: SeSystemtimePrivilege	1360	WMIC.exe
Token: SeProfSingleProcessPrivilege	1360	WMIC.exe
Token: SeIncBasePriorityPrivilege	1360	WMIC.exe
Token: SeCreatePagefilePrivilege	1360	WMIC.exe
Token: SeBackupPrivilege	1360	WMIC.exe
Token: SeRestorePrivilege	1360	WMIC.exe
Token: SeShutdownPrivilege	1360	WMIC.exe
Token: SeDebugPrivilege	1360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1360	WMIC.exe
Token: SeRemoteShutdownPrivilege	1360	WMIC.exe
Token: SeUndockPrivilege	1360	WMIC.exe
Token: SeManageVolumePrivilege	1360	WMIC.exe
Token: 33	1360	WMIC.exe
Token: 34	1360	WMIC.exe
Token: 35	1360	WMIC.exe
Token: 36	1360	WMIC.exe
Token: SeBackupPrivilege	3904	vssvc.exe
Token: SeRestorePrivilege	3904	vssvc.exe
Token: SeAuditPrivilege	3904	vssvc.exe
Token: SeIncreaseQuotaPrivilege	212	WMIC.exe
Token: SeSecurityPrivilege	212	WMIC.exe
Token: SeTakeOwnershipPrivilege	212	WMIC.exe
Token: SeLoadDriverPrivilege	212	WMIC.exe
Token: SeSystemProfilePrivilege	212	WMIC.exe
Token: SeSystemtimePrivilege	212	WMIC.exe
Token: SeProfSingleProcessPrivilege	212	WMIC.exe
Token: SeIncBasePriorityPrivilege	212	WMIC.exe
Token: SeCreatePagefilePrivilege	212	WMIC.exe
Token: SeBackupPrivilege	212	WMIC.exe
Token: SeRestorePrivilege	212	WMIC.exe
Token: SeShutdownPrivilege	212	WMIC.exe
Token: SeDebugPrivilege	212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	212	WMIC.exe
Token: SeRemoteShutdownPrivilege	212	WMIC.exe
Token: SeUndockPrivilege	212	WMIC.exe
Token: SeManageVolumePrivilege	212	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exendjeqrywpcap.exemsedge.exe

description	pid	process	target process
PID 664 wrote to memory of 4240	664	c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe	ndjeqrywpcap.exe
PID 664 wrote to memory of 4240	664	c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe	ndjeqrywpcap.exe
PID 664 wrote to memory of 4240	664	c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe	ndjeqrywpcap.exe
PID 664 wrote to memory of 1568	664	c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe	cmd.exe
PID 664 wrote to memory of 1568	664	c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe	cmd.exe
PID 664 wrote to memory of 1568	664	c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe	cmd.exe
PID 4240 wrote to memory of 1360	4240	ndjeqrywpcap.exe	WMIC.exe
PID 4240 wrote to memory of 1360	4240	ndjeqrywpcap.exe	WMIC.exe
PID 4240 wrote to memory of 4156	4240	ndjeqrywpcap.exe	NOTEPAD.EXE
PID 4240 wrote to memory of 4156	4240	ndjeqrywpcap.exe	NOTEPAD.EXE
PID 4240 wrote to memory of 4156	4240	ndjeqrywpcap.exe	NOTEPAD.EXE
PID 4240 wrote to memory of 3192	4240	ndjeqrywpcap.exe	msedge.exe
PID 4240 wrote to memory of 3192	4240	ndjeqrywpcap.exe	msedge.exe
PID 3192 wrote to memory of 1108	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 1108	3192	msedge.exe	msedge.exe
PID 4240 wrote to memory of 212	4240	ndjeqrywpcap.exe	WMIC.exe
PID 4240 wrote to memory of 212	4240	ndjeqrywpcap.exe	WMIC.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 4824	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 1424	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 1424	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 844	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 844	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 844	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 844	3192	msedge.exe	msedge.exe
PID 3192 wrote to memory of 844	3192	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ndjeqrywpcap.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ndjeqrywpcap.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ndjeqrywpcap.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0199f0d56f43d6789e05f8f9fdf0102_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\ndjeqrywpcap.exe
  C:\Windows\ndjeqrywpcap.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4240
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:4156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff886e846f8,0x7ff886e84708,0x7ff886e84718
      4⤵
      PID:1108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,10645862360583185919,8167754564843177231,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,10645862360583185919,8167754564843177231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      PID:1424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,10645862360583185919,8167754564843177231,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
      4⤵
      PID:844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10645862360583185919,8167754564843177231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:4512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10645862360583185919,8167754564843177231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:3540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10645862360583185919,8167754564843177231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
      4⤵
      PID:1816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10645862360583185919,8167754564843177231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
      4⤵
      PID:3096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10645862360583185919,8167754564843177231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
      4⤵
      PID:640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10645862360583185919,8167754564843177231,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
      4⤵
      PID:4404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10645862360583185919,8167754564843177231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
      4⤵
      PID:3136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10645862360583185919,8167754564843177231,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
      4⤵
      PID:3684
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NDJEQR~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C0199F~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+fstqc.html

Filesize
11KB

MD5
7b919b472c3af9e24a6eb5197472bfa5

SHA1
54d77d72266b330907b6884cc5dfa71d4381ab7d

SHA256
23a684c156328b52e4485f94d9eef74aef201c74fd5853b5a40482f583f8f836

SHA512
7747a17a17cbe4d7c7c97b257a7d1ba9dfaa93218abd527669d764d5229656b6b43c32450a249bdea2daa0d9ba7002d454bc4518c39cfdaa515da6cd13b6384d

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+fstqc.png

Filesize
64KB

MD5
6ef5de623d515670825e7e627d645664

SHA1
f0958385c8eebb12978e4e696e1ad0d6d739dce5

SHA256
dd8eee4101402ccd3e0349c43bd98e1353ec8edea04bcc46fbc14c229ab48b40

SHA512
0c4297d99e7ba6d4798155fd32a60e15ed9cb19b3fa99837911b1f382d1c2a83fc382ff73dc1d2078ffecaaeec9986c9427dc34f5a6f8862b316b17b812752ba

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+fstqc.txt

Filesize
1KB

MD5
169a8ffc419c0ac3c5b70fbac073fa81

SHA1
845eaac6f9acf0e528d92917b1f0b00bc342d027

SHA256
f92cbec2eb57fc7e5bcca323604968ba65ad04db2220955924dc59f6948dc628

SHA512
3206df650433ba089b04bf3fc882c2f1530f28711f273105673c9dfb898d14a0011fbe963f676cc57d3ad7cfc133f5b12f884566a98bc032cf9e7fb4874fcbdd

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
39c838ece53dffe102bdc1af46f0e481

SHA1
61e81b9827326100fbd01619bd91f5e9656223a1

SHA256
87ca9573ededc42f0f9b9ffd2f1930fa0e33b579a9c45ea6ddd14be96e5df61f

SHA512
ff2fd346876b9837236792722c9ff3b83c77dd01aa19959379cc855fee188a8111a5598506baaf7bd0035e9e113610394c402a612021d594344d3788fc034662

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
24045b3a29c5b9728277265891fc344e

SHA1
9da5c12caffaae3ab0a0daac98fc935068e2c94e

SHA256
ed9564df5c905e789083cad13919e81b3422ee33d61fe6b3a84b725351f74e28

SHA512
0853e4f21980d37c2eae83f32ab5fdf6162a7e917d397c011ad45f3bef76f5c64c714008e83c15dd4d8ba2e15c1929b41f96bfac36f6e6971882603f696725b9

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
bb05b5b0fe3595994b11432e29c5715c

SHA1
cf60787f0c37088559a8d20d49472dd41754d992

SHA256
1130219e4b1ea241be4f74fbfb948ed03789f7ac66da543086e1764e58677e67

SHA512
74627ed4c90eea7a1d351b0f47f0a01647bd711b7dfaa5b48bf134e7f2c6989624b35a0b108b4f0c4b7f032d97c9dbbe997fb3437c2763c4b4bc8560f213ce5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bebbc5792579ae2df3ee881b7c03a1cb

SHA1
57de34c8eb375cd650f0e11d46d5bf2641997e4a

SHA256
6abacd566775e0b4323db812de3961c5e0bae833729b6d7393cdac5ded22af59

SHA512
38d77a85cb21c470c228b2a2fea33bbebb0d87ed03729299d507ac983e015fb09ed43ccf487c99cfffc61597ea0a7e35349d2bffd205cddafc4225d5a6915db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ba212f9b-7703-40d2-8cef-6a78c568edb2.tmp

Filesize
6KB

MD5
c664916fd418a59ec182c04e330a6b6c

SHA1
69a9c43c0152f0dc210ec03021735703a37ad2d8

SHA256
4baaeaf0c01cee3de9133024ae855c08346abff0bb735f0e1971f1d0fc33a3c2

SHA512
88371673db050c6307e8ec74f6de749d750b46504ac5a829a82538196985873ea14fbce744d7310ef7eaf22c00ae4bce1daaf3f646384e67f74afb08d4fe3ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e3fdd7d7949905fba93c3fc5eea548ba

SHA1
2960ff5546a6b623c89eb9d55e0c6720f0b6ad61

SHA256
aa8f8915bc8cdfe0bdbc9cc13cc320c83ed8f31985df9002b680b09aba704088

SHA512
96f02e95fae1db285bb92d0b36e7409cfcf8247d437e6f3fa8f772163787aa5ce7cffa526c545ffbcfd054f4178980f9ba79ca97ac88ffca05c39cbc61d71f84

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754183138346.txt

Filesize
77KB

MD5
87f413b0d353220732664e82f9797d8b

SHA1
e61fb84c715ec6124d96f8f97028bc1b779602b2

SHA256
36954558cd1fd9c713afbd285c1c0a79dc5ae6a74066c2db8167f2516ff3372a

SHA512
f096bd7cd7f81a44b8331abd9ec254894773c3eb7d3274613e8ed79518ae393aad283a400a3a71e0c793d8d76b0f2b66c40e31f21457da8192259de5c645d0ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670763712487382.txt

Filesize
74KB

MD5
fae51344029b4e9ebd7fb7df469d2478

SHA1
9d5c5c2429145c20eacebe5059c4fef48e7331ac

SHA256
386975a14072153fde5101de40658a59edde4fdf8e9c3305d7e9b079511505ab

SHA512
69e2efe866989b241e78d0ede865d25820638b90695384fe2b92a8f0d0431d65231a2aa910efa4290eecd1e82cb008d9b60513c36e81f14d9481ca53fcdc536b

Download Submit
C:\Windows\ndjeqrywpcap.exe

Filesize
428KB

MD5
c0199f0d56f43d6789e05f8f9fdf0102

SHA1
d6375c82b9460e4555bd5dad28c31f6d00404b38

SHA256
74169c547fdff11862c73f3745bac6c4f214f8ee3ad2ace1a4648a77957f12ff

SHA512
26aca425f3ab5ac9780f7b6eb862ed5a15b6c789e3df8a8561cf12878403bd61012906fab1b4a0e15e4d365760ae52ee9bc75a8aa9e150226bb45670dae2455b

Download Submit
\??\pipe\LOCAL\crashpad_3192_APBAMYASKQXUYPYF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/664-9-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/664-10-0x0000000000AB0000-0x0000000000B35000-memory.dmp

Filesize
532KB

Download
memory/664-0-0x0000000000AB0000-0x0000000000B35000-memory.dmp

Filesize
532KB

Download
memory/664-1-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4240-10317-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4240-11-0x0000000000990000-0x0000000000A15000-memory.dmp

Filesize
532KB

Download
memory/4240-9047-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4240-10363-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4240-10364-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4240-5494-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4240-2585-0x0000000000990000-0x0000000000A15000-memory.dmp

Filesize
532KB

Download
memory/4240-2569-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download