teslacrypt | 2d160f802f2835b98ce31906dd6803476f014661c472f6478bd56bf811c7031a

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe
Size

328KB
MD5

e119b6242f793a4d536159060d8009f1
SHA1

49cc5f9cfea5c01f77aa7d33192a28aa5089d464
SHA256

2d160f802f2835b98ce31906dd6803476f014661c472f6478bd56bf811c7031a
SHA512

213e08c6cbc5b474be91b4682e00156c26a259e3e262591165b8dd4d0b2a4df0f580ea6d8820e22594b978824e5f377688fa3a7ea923a90ad0f6517b86f14342
SSDEEP

6144:lAOlfFYViOkjJEZE4fC/Q9D03bcPSl5xhUDV9kl+JKODK1QztG/7:lnf+ViDEyBQ6r/gDo8JKO4v7

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECOVERY_+pfifi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/845F10B0ECA64E6A 2. http://tes543berda73i48fsdfsd.keratadze.at/845F10B0ECA64E6A 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/845F10B0ECA64E6A If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/845F10B0ECA64E6A 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/845F10B0ECA64E6A http://tes543berda73i48fsdfsd.keratadze.at/845F10B0ECA64E6A http://tt54rfdjhb34rfbnknaerg.milerteddy.com/845F10B0ECA64E6A *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/845F10B0ECA64E6A

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/845F10B0ECA64E6A

http://tes543berda73i48fsdfsd.keratadze.at/845F10B0ECA64E6A

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/845F10B0ECA64E6A

http://xlowfznrg4wf7dli.ONION/845F10B0ECA64E6A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (860) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lvvahkgflykx.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+pfifi.html	lvvahkgflykx.exe

Executes dropped EXE 2 IoCs

pid	Process
2992	lvvahkgflykx.exe
4120	lvvahkgflykx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nigkceqrvdeh = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\lvvahkgflykx.exe\""	lvvahkgflykx.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2620 set thread context of 3376	2620	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	94
PID 2992 set thread context of 4120	2992	lvvahkgflykx.exe	99

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-200.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\7-Zip\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-150.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-white.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\Cabinet.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\Java\jre-1.8\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Resources\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sw-KE\View3d\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-60_altform-unplated.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-125.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_contrast-black.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\firstrun\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\SmallTile.scale-100.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\SmallTile.scale-100.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.scale-200_contrast-black.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-96.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\Windows Mail\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-150.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-400.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_3qtr.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-200_contrast-black.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-40_altform-lightunplated.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppList.scale-125.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\iadata\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-256.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+pfifi.html	lvvahkgflykx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\_RECOVERY_+pfifi.png	lvvahkgflykx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_RECOVERY_+pfifi.txt	lvvahkgflykx.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\lvvahkgflykx.exe	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe
File opened for modification	C:\Windows\lvvahkgflykx.exe	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lvvahkgflykx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lvvahkgflykx.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lvvahkgflykx.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4856	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe
4120	lvvahkgflykx.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3376	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe
Token: SeDebugPrivilege	4120	lvvahkgflykx.exe
Token: SeIncreaseQuotaPrivilege	2504	WMIC.exe
Token: SeSecurityPrivilege	2504	WMIC.exe
Token: SeTakeOwnershipPrivilege	2504	WMIC.exe
Token: SeLoadDriverPrivilege	2504	WMIC.exe
Token: SeSystemProfilePrivilege	2504	WMIC.exe
Token: SeSystemtimePrivilege	2504	WMIC.exe
Token: SeProfSingleProcessPrivilege	2504	WMIC.exe
Token: SeIncBasePriorityPrivilege	2504	WMIC.exe
Token: SeCreatePagefilePrivilege	2504	WMIC.exe
Token: SeBackupPrivilege	2504	WMIC.exe
Token: SeRestorePrivilege	2504	WMIC.exe
Token: SeShutdownPrivilege	2504	WMIC.exe
Token: SeDebugPrivilege	2504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2504	WMIC.exe
Token: SeRemoteShutdownPrivilege	2504	WMIC.exe
Token: SeUndockPrivilege	2504	WMIC.exe
Token: SeManageVolumePrivilege	2504	WMIC.exe
Token: 33	2504	WMIC.exe
Token: 34	2504	WMIC.exe
Token: 35	2504	WMIC.exe
Token: 36	2504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2504	WMIC.exe
Token: SeSecurityPrivilege	2504	WMIC.exe
Token: SeTakeOwnershipPrivilege	2504	WMIC.exe
Token: SeLoadDriverPrivilege	2504	WMIC.exe
Token: SeSystemProfilePrivilege	2504	WMIC.exe
Token: SeSystemtimePrivilege	2504	WMIC.exe
Token: SeProfSingleProcessPrivilege	2504	WMIC.exe
Token: SeIncBasePriorityPrivilege	2504	WMIC.exe
Token: SeCreatePagefilePrivilege	2504	WMIC.exe
Token: SeBackupPrivilege	2504	WMIC.exe
Token: SeRestorePrivilege	2504	WMIC.exe
Token: SeShutdownPrivilege	2504	WMIC.exe
Token: SeDebugPrivilege	2504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2504	WMIC.exe
Token: SeRemoteShutdownPrivilege	2504	WMIC.exe
Token: SeUndockPrivilege	2504	WMIC.exe
Token: SeManageVolumePrivilege	2504	WMIC.exe
Token: 33	2504	WMIC.exe
Token: 34	2504	WMIC.exe
Token: 35	2504	WMIC.exe
Token: 36	2504	WMIC.exe
Token: SeBackupPrivilege	2744	vssvc.exe
Token: SeRestorePrivilege	2744	vssvc.exe
Token: SeAuditPrivilege	2744	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4540	WMIC.exe
Token: SeSecurityPrivilege	4540	WMIC.exe
Token: SeTakeOwnershipPrivilege	4540	WMIC.exe
Token: SeLoadDriverPrivilege	4540	WMIC.exe
Token: SeSystemProfilePrivilege	4540	WMIC.exe
Token: SeSystemtimePrivilege	4540	WMIC.exe
Token: SeProfSingleProcessPrivilege	4540	WMIC.exe
Token: SeIncBasePriorityPrivilege	4540	WMIC.exe
Token: SeCreatePagefilePrivilege	4540	WMIC.exe
Token: SeBackupPrivilege	4540	WMIC.exe
Token: SeRestorePrivilege	4540	WMIC.exe
Token: SeShutdownPrivilege	4540	WMIC.exe
Token: SeDebugPrivilege	4540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4540	WMIC.exe
Token: SeRemoteShutdownPrivilege	4540	WMIC.exe
Token: SeUndockPrivilege	4540	WMIC.exe
Token: SeManageVolumePrivilege	4540	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 3376	2620	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	94
PID 2620 wrote to memory of 3376	2620	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	94
PID 2620 wrote to memory of 3376	2620	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	94
PID 2620 wrote to memory of 3376	2620	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	94
PID 2620 wrote to memory of 3376	2620	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	94
PID 2620 wrote to memory of 3376	2620	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	94
PID 2620 wrote to memory of 3376	2620	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	94
PID 2620 wrote to memory of 3376	2620	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	94
PID 2620 wrote to memory of 3376	2620	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	94
PID 3376 wrote to memory of 2992	3376	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	95
PID 3376 wrote to memory of 2992	3376	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	95
PID 3376 wrote to memory of 2992	3376	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	95
PID 3376 wrote to memory of 4676	3376	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	96
PID 3376 wrote to memory of 4676	3376	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	96
PID 3376 wrote to memory of 4676	3376	e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe	96
PID 2992 wrote to memory of 4120	2992	lvvahkgflykx.exe	99
PID 2992 wrote to memory of 4120	2992	lvvahkgflykx.exe	99
PID 2992 wrote to memory of 4120	2992	lvvahkgflykx.exe	99
PID 2992 wrote to memory of 4120	2992	lvvahkgflykx.exe	99
PID 2992 wrote to memory of 4120	2992	lvvahkgflykx.exe	99
PID 2992 wrote to memory of 4120	2992	lvvahkgflykx.exe	99
PID 2992 wrote to memory of 4120	2992	lvvahkgflykx.exe	99
PID 2992 wrote to memory of 4120	2992	lvvahkgflykx.exe	99
PID 2992 wrote to memory of 4120	2992	lvvahkgflykx.exe	99
PID 4120 wrote to memory of 2504	4120	lvvahkgflykx.exe	100
PID 4120 wrote to memory of 2504	4120	lvvahkgflykx.exe	100
PID 4120 wrote to memory of 4856	4120	lvvahkgflykx.exe	105
PID 4120 wrote to memory of 4856	4120	lvvahkgflykx.exe	105
PID 4120 wrote to memory of 4856	4120	lvvahkgflykx.exe	105
PID 4120 wrote to memory of 4456	4120	lvvahkgflykx.exe	106
PID 4120 wrote to memory of 4456	4120	lvvahkgflykx.exe	106
PID 4456 wrote to memory of 1292	4456	msedge.exe	107
PID 4456 wrote to memory of 1292	4456	msedge.exe	107
PID 4120 wrote to memory of 4540	4120	lvvahkgflykx.exe	108
PID 4120 wrote to memory of 4540	4120	lvvahkgflykx.exe	108
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110
PID 4456 wrote to memory of 4600	4456	msedge.exe	110

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lvvahkgflykx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	lvvahkgflykx.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\lvvahkgflykx.exe
    C:\Windows\lvvahkgflykx.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\lvvahkgflykx.exe
      C:\Windows\lvvahkgflykx.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4120
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ff9914c46f8,0x7ff9914c4708,0x7ff9914c4718
        6⤵
        
        PID:1292
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,12621200260639510623,6530614352634561317,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        6⤵
        
        PID:4600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,12621200260639510623,6530614352634561317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        6⤵
        
        PID:2528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,12621200260639510623,6530614352634561317,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
        6⤵
        
        PID:2608
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12621200260639510623,6530614352634561317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        6⤵
        
        PID:4148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12621200260639510623,6530614352634561317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
        6⤵
        
        PID:1936
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,12621200260639510623,6530614352634561317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
        6⤵
        
        PID:4236
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,12621200260639510623,6530614352634561317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
        6⤵
        
        PID:2928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12621200260639510623,6530614352634561317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
        6⤵
        
        PID:4900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12621200260639510623,6530614352634561317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
        6⤵
        
        PID:1804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12621200260639510623,6530614352634561317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        6⤵
        
        PID:2516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12621200260639510623,6530614352634561317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
        6⤵
        
        PID:2876
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LVVAHK~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E119B6~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECOVERY_+pfifi.html

Filesize
11KB

MD5
a17aeef8627c7c61611320b3bb649f76

SHA1
7732b6981bd753b30e557b3acfab0b5d4baeeb88

SHA256
6552e53418e63f23a9dac1ba75cc314e4b8baf3ea1cf2039e36a5e7caab51069

SHA512
3d5418889b95573a2e1b282b5302ae1756688779282af47fd19e28e4aeaac0278eefa7fe7b73a8dfe0778c35c68a0d964f6469c7590e8e2182a93f39b8d2f41d

Download Submit
C:\Program Files\7-Zip\Lang\_RECOVERY_+pfifi.png

Filesize
62KB

MD5
0d0cb2f8d236e3b1d45b0bb748e054cf

SHA1
51c34f5fe47ff4ddadb88d671dd13b42a6e956a2

SHA256
92dd110f690db63f7edcaaa5283ce1ea06d12153679b0722f50b2d8b4ec161eb

SHA512
ae7ffdc27a12bbf96cd207be076c4b0801baa308031b84f8a0fde02e6690abf3ed08d4c37ca3cd4489b96db52ba6a624188977dd3f002079afcf91f489a81031

Download Submit
C:\Program Files\7-Zip\Lang\_RECOVERY_+pfifi.txt

Filesize
1KB

MD5
f61342b659c82b6feac3ca3bd8f31f97

SHA1
449df2db62489853aeb35e8048835cae1f5f6320

SHA256
cc302575837d304912de8a0df7aef6d6efbc7590c83016f56d9335f4543a4250

SHA512
1bb99803ef432bac393e77ad95d6ea39ff985dced6c16b78cda720c5dec3f9e5bef23708edca966d2aa99b99dbdbde0055bd7af187df8606b88b7a1712223d4a

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
c39cb84435d9fb620dface3ea0275c1a

SHA1
43adcea95f12c7626705957de2c207e4c344633b

SHA256
10c52ed4b8d79dcb6e596a5baa2faab005b7f440552ae8e152ee7a00c569c839

SHA512
5488071d460528523b92852f465866d5322184a13676024295975fa1b333ad5a997dea436ad71b05f3f153f664b419e6b8511cb9e881315410b43b3b140528fc

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
77214cb611d0db12087f96eadfe9a69e

SHA1
088be3b90106c15cc54906eb2e7de3757278cdf2

SHA256
aab972cc8cce3a28938abb9dbe72277bf865bba9634d56167345c3df8f99e1d1

SHA512
0c9ef9112f27a68294ed29ad5427b581d84e5778fb7ec3c286913baa02d8ff3267aed537432e8d5b9ae8d148ac01442fc1dc76b093e358d6cb18c898879bd2a4

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
342f8ed9a85285815206b842d7d976c4

SHA1
4cfea8b4ce1f66a6659e2b2dfb129d692212366e

SHA256
0c82c67659b5df44ce34d5e43bddd1a343b0887c6b57c3e51ebfe1db6bb7b497

SHA512
57096061f182408af8bc17fbff04bc757001ec93186e5a3a10a2cab5a72dec06f9d7a1a12e97f9330a3406af4f17d038b972034e404b908a0fa82cde76eda50e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
17974268c75aca15dae58405cbe3e85b

SHA1
2e4bd60030147106dbcdd27c337740f5cc966b90

SHA256
02a70e5e277035954d1c8683bc17f2fefe9e6660011a23eea49119bbf4524ac3

SHA512
60dcbf16a891fbf8bc7682f894e41021077cbc49ba20ba83ad1f870210953561ebf51796eef7d0715b0c2e59aa84359a56cf86462367b85c5c93ffba4ea3944c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29a62ecc6618aa86dfad93de644f3409

SHA1
bc83fa7a9a90aadc198fb5208f10e13cf4c2b199

SHA256
0ba4151961d684cab2799bdbe386fc3509073f5c25b7d8783dfe4472b7d2b0d6

SHA512
43911b32790c45dd1de25ccc40ee3b4c8174c0a509fde5d12278fa051907d65635e93ff2e3fe9d4dfa66c3925fbb2863f64bded85fc1ba4dc1a32ea023f4389e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b0689e3b6fe3e7e282ec618d2d8245dd

SHA1
2cec25d5b2df4bd304ecf3bc393f8c3bafa1cf33

SHA256
dd9b7bd1d44c704a3dab8a1af8a741d1b281d0e6d1e2b630812ced6ecc38abbb

SHA512
8cfc47f1db5a2aacc3824256b4693606ba455a17627930fdd1d5493d97ee368eb11fe35aed4c0cf4e68ab5bf87791cce3c613099d498ea6c2308537c22cddaf9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670756182462133.txt

Filesize
47KB

MD5
4479b656f84fb9f01831a2e6577d665e

SHA1
6f42b0bc2e05ce911a8c7928787bf425ac15460e

SHA256
14366e385af4b4297c64dcb1a5275ab789fc740e6ee525d6ca63591ca4472828

SHA512
1b88be70b394a9d041166b98ec386b3a59215102f48e4a60759747c42722c0d46b141b6c78956bdbb37163abcba1b23dfde8d596845eeee07268647f45490171

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764368086779.txt

Filesize
74KB

MD5
edbe1664ca6de5dc8387d4ea7ed8a9f0

SHA1
5231b0290ac216c8d1a347de55a45b510a8eb0df

SHA256
36c982ca1ab7a9c8eb3b0792bce0761dbed8e9c75cb356ac5a411f806051ffdb

SHA512
129b081523a5a819df4dad2853a3dd0ea8263069b05bd6890a9afa08ed1db36c1e0483b5595e29782352826158d02d39867b8ff7900cdea8f7ec8f5bd7f88960

Download Submit
C:\Windows\lvvahkgflykx.exe

Filesize
328KB

MD5
e119b6242f793a4d536159060d8009f1

SHA1
49cc5f9cfea5c01f77aa7d33192a28aa5089d464

SHA256
2d160f802f2835b98ce31906dd6803476f014661c472f6478bd56bf811c7031a

SHA512
213e08c6cbc5b474be91b4682e00156c26a259e3e262591165b8dd4d0b2a4df0f580ea6d8820e22594b978824e5f377688fa3a7ea923a90ad0f6517b86f14342

Download Submit
memory/2620-0-0x0000000002440000-0x0000000002443000-memory.dmp

Filesize
12KB

Download
memory/2620-3-0x0000000002440000-0x0000000002443000-memory.dmp

Filesize
12KB

Download
memory/2992-11-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/3376-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3376-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3376-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3376-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3376-14-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-5610-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-9194-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-10448-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-10449-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-10457-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-10458-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-3130-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-2863-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-2862-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4120-10546-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download