teslacrypt | bcbc1aee86f5e1fdc2ba6fcb2e29933933b132a4c3d0f2eb0f73061702041243

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe
Size

424KB
MD5

e40f0995144816dd8a6062c5e6cee39b
SHA1

531a334a0be99aff4c74f9a8dfd81ea8f3630360
SHA256

bcbc1aee86f5e1fdc2ba6fcb2e29933933b132a4c3d0f2eb0f73061702041243
SHA512

31623dcd88d0df8559b2662540c2cc740a2a46863bc247578ff4f7cbe758581d3a0db051b98e15cbd39c4ec386d8f84605ff6198d1c29e1aa4c1c1c8c9f1a8c4
SSDEEP

12288:D/BIjVBIpK5ogxO4tnkIHXAipyNZblCJxfS6:TBIjVD5oSOGkIHXAG0VOR1

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+nukib.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/3C7E8CC755A940B7 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/3C7E8CC755A940B7 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/3C7E8CC755A940B7 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/3C7E8CC755A940B7 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/3C7E8CC755A940B7 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/3C7E8CC755A940B7 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/3C7E8CC755A940B7 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/3C7E8CC755A940B7

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/3C7E8CC755A940B7

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/3C7E8CC755A940B7

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/3C7E8CC755A940B7

http://xlowfznrg4wf7dli.ONION/3C7E8CC755A940B7

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (872) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exesihqwdtqusgu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	sihqwdtqusgu.exe

Drops startup file 6 IoCs

Processes:

sihqwdtqusgu.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+nukib.png	sihqwdtqusgu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+nukib.html	sihqwdtqusgu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+nukib.png	sihqwdtqusgu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+nukib.html	sihqwdtqusgu.exe

Executes dropped EXE 1 IoCs

Processes:

sihqwdtqusgu.exe

pid process

3728 sihqwdtqusgu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sihqwdtqusgu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dyvttjpdtbtq = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\sihqwdtqusgu.exe\""	sihqwdtqusgu.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

sihqwdtqusgu.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\_RECoVERY_+nukib.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlConeHover.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+nukib.html	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_altform-lightunplated.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\_RECoVERY_+nukib.html	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigNose.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d6.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+nukib.html	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Moonlight.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\_RECoVERY_+nukib.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-black.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteMedTile.scale-400.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-72_altform-lightunplated.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-400.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\_RECoVERY_+nukib.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-100.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_scale-100.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-unplated.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-100.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_altform-unplated_contrast-black.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-400.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\_RECoVERY_+nukib.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-200.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-150.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-100.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-16_altform-unplated.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-256.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-24_contrast-white.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-100.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-200.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\_RECoVERY_+nukib.html	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-32.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-125.jpg	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+nukib.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\_RECoVERY_+nukib.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\_RECoVERY_+nukib.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-lightunplated.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\_RECoVERY_+nukib.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\_RECoVERY_+nukib.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-125.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-64.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-150.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-256_altform-unplated.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\plugin2\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECoVERY_+nukib.txt	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_RECoVERY_+nukib.html	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare150x150Logo.scale-100.png	sihqwdtqusgu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256_contrast-white.png	sihqwdtqusgu.exe

Drops file in Windows directory 2 IoCs

Processes:

e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\sihqwdtqusgu.exe	e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe
File opened for modification	C:\Windows\sihqwdtqusgu.exe	e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exesihqwdtqusgu.execmd.exeNOTEPAD.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sihqwdtqusgu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

sihqwdtqusgu.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings sihqwdtqusgu.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1412 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	sihqwdtqusgu.exe

pid	process
1412	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sihqwdtqusgu.exe

pid	process
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe
3728	sihqwdtqusgu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3004 msedge.exe
3004 msedge.exe
3004 msedge.exe
3004 msedge.exe
3004 msedge.exe
3004 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exesihqwdtqusgu.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1376	e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe
Token: SeDebugPrivilege	3728	sihqwdtqusgu.exe
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe
Token: 33	4340	WMIC.exe
Token: 34	4340	WMIC.exe
Token: 35	4340	WMIC.exe
Token: 36	4340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe
Token: 33	4340	WMIC.exe
Token: 34	4340	WMIC.exe
Token: 35	4340	WMIC.exe
Token: 36	4340	WMIC.exe
Token: SeBackupPrivilege	2884	vssvc.exe
Token: SeRestorePrivilege	2884	vssvc.exe
Token: SeAuditPrivilege	2884	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeSecurityPrivilege	2588	WMIC.exe
Token: SeTakeOwnershipPrivilege	2588	WMIC.exe
Token: SeLoadDriverPrivilege	2588	WMIC.exe
Token: SeSystemProfilePrivilege	2588	WMIC.exe
Token: SeSystemtimePrivilege	2588	WMIC.exe
Token: SeProfSingleProcessPrivilege	2588	WMIC.exe
Token: SeIncBasePriorityPrivilege	2588	WMIC.exe
Token: SeCreatePagefilePrivilege	2588	WMIC.exe
Token: SeBackupPrivilege	2588	WMIC.exe
Token: SeRestorePrivilege	2588	WMIC.exe
Token: SeShutdownPrivilege	2588	WMIC.exe
Token: SeDebugPrivilege	2588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2588	WMIC.exe
Token: SeRemoteShutdownPrivilege	2588	WMIC.exe
Token: SeUndockPrivilege	2588	WMIC.exe
Token: SeManageVolumePrivilege	2588	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exesihqwdtqusgu.exemsedge.exe

description	pid	process	target process
PID 1376 wrote to memory of 3728	1376	e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe	sihqwdtqusgu.exe
PID 1376 wrote to memory of 3728	1376	e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe	sihqwdtqusgu.exe
PID 1376 wrote to memory of 3728	1376	e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe	sihqwdtqusgu.exe
PID 1376 wrote to memory of 2120	1376	e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe	cmd.exe
PID 1376 wrote to memory of 2120	1376	e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe	cmd.exe
PID 1376 wrote to memory of 2120	1376	e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe	cmd.exe
PID 3728 wrote to memory of 4340	3728	sihqwdtqusgu.exe	WMIC.exe
PID 3728 wrote to memory of 4340	3728	sihqwdtqusgu.exe	WMIC.exe
PID 3728 wrote to memory of 1412	3728	sihqwdtqusgu.exe	NOTEPAD.EXE
PID 3728 wrote to memory of 1412	3728	sihqwdtqusgu.exe	NOTEPAD.EXE
PID 3728 wrote to memory of 1412	3728	sihqwdtqusgu.exe	NOTEPAD.EXE
PID 3728 wrote to memory of 3004	3728	sihqwdtqusgu.exe	msedge.exe
PID 3728 wrote to memory of 3004	3728	sihqwdtqusgu.exe	msedge.exe
PID 3004 wrote to memory of 2284	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2284	3004	msedge.exe	msedge.exe
PID 3728 wrote to memory of 2588	3728	sihqwdtqusgu.exe	WMIC.exe
PID 3728 wrote to memory of 2588	3728	sihqwdtqusgu.exe	WMIC.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4220	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4180	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 4180	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2488	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2488	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2488	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2488	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2488	3004	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

sihqwdtqusgu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	sihqwdtqusgu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sihqwdtqusgu.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e40f0995144816dd8a6062c5e6cee39b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\sihqwdtqusgu.exe
  C:\Windows\sihqwdtqusgu.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3728
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4340
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:1412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec36246f8,0x7ffec3624708,0x7ffec3624718
      4⤵
      PID:2284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,10984963764384018741,1312250785111001685,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:4220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,10984963764384018741,1312250785111001685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      PID:4180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,10984963764384018741,1312250785111001685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
      4⤵
      PID:2488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10984963764384018741,1312250785111001685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
      4⤵
      PID:116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10984963764384018741,1312250785111001685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
      4⤵
      PID:4568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10984963764384018741,1312250785111001685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
      4⤵
      PID:4960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10984963764384018741,1312250785111001685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
      4⤵
      PID:512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10984963764384018741,1312250785111001685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
      4⤵
      PID:4276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10984963764384018741,1312250785111001685,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
      4⤵
      PID:4800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10984963764384018741,1312250785111001685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
      4⤵
      PID:3504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10984963764384018741,1312250785111001685,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
      4⤵
      PID:4576
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SIHQWD~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E40F09~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+nukib.html

Filesize
11KB

MD5
5d5ccbd8fdb5f55b5e5fec03b396e933

SHA1
ccf4324ba98d93b2adec2109fa820c23143e81cb

SHA256
b46922ebb00a1e7b842227b59404dcbd6916a4b80b496e08e4e563fe8686a525

SHA512
1a7ab6bf47db4df70bb285fb8fb14a820b816ebe5874fa6b2cb1382836d3bf6abd312eb2cacc0cb5087ee2fda5d336feb4bb8e5b95743c43cd497c32e80b97f8

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+nukib.png

Filesize
64KB

MD5
1ec9c4df45b2c24a1c2cb6cae82818c1

SHA1
65d539a784a4b71f3052af36c328bc192ba91728

SHA256
d3566f4efefd46247f79641a755c31b29b0c4a9b5ed1e68417c54ae0e725ec32

SHA512
c46a2be57ddb74f47e2e723f0fe78cd92bfe38725b12f539685989293d80b35467d763a7a9265dcaf8c0e731e13a92b8add05006ed7d9e08ed11bff4c663f067

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+nukib.txt

Filesize
1KB

MD5
3db050a87bcaab7276fa3a05cf2725ea

SHA1
780bde04dae78b434cc71a0a1c29f5bd6e402d59

SHA256
2d1b7ebe8ae7d123406422ca6a63dbd75012e708d60223d9e3775cbd88d59e39

SHA512
882829deeb9ceb4187f34361c793a847c2a5eb6c6f24a0a94ca924eddae6648015709bc0472a0cb61211b4e9b2ee6004aa1d8348470f47e7825722c5a4dae33f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
59a537435a3a7c21b3c571b8cfa5a9d8

SHA1
cdfa0e23689125abe11c5be63233283f1918c459

SHA256
8f9cbf8a4df4ee85cd3f2aed3dfb1fa63e05981cce44ddea02d50e0913a9f7ad

SHA512
05e6f5e6ed7c8dbe67dc3c0353bfe68de767a793fa435033807f826cfacd677bb8b1d8f694cad7a856ce2958518b3ec6de18a266c277cd9103a0898b5e8e9035

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
f3ec848b919007559decd415cb9fc3ae

SHA1
926a38b3e90792cb01df125b96c01988e94ab05f

SHA256
374890af52fa1770af156fc1585148c21da6b6f95a63ff17e7432bc10d35e5ba

SHA512
bc2f7afdc1cef1571ce2744f798e0e6ab952817d862a555f929a3355dbde780283a7d574322eeab2bf4555eb081a6bd2baab84013b088d35b2327fac0e81d270

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
960d6e612437c5d1eab339c77719ca17

SHA1
71e5740ead46c054f64fe7f3616f7f8739e503c4

SHA256
db438ddaa9768bbb1c8e6215e9d8a26cb7d122fdb1ae2cfdffbd3fecb0e4cff7

SHA512
dde0f7f25446308c8856b5edf440b0521b7641737d8b0a61daf80954b82e11c3eb2b072097cbc4dbf04b071a633d08f780a3bca5db21fdc67066a036d968c29e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0cd670116372a586e3e53bff8ce104fe

SHA1
3fa5ad671109ca4f3cc4914bb947a8ace7582fa3

SHA256
ab3553d001c2179ec548dbad8c503b6bd507d74b0be62cc08182b5d0a83b9eab

SHA512
ddd8b23632c256fb062d228a87d8b622da12115a81593576ebaa8cbfae1314c0ad3ba6eb7bc1447dad002d70dbe2988634fed4c15c0b4429587bce11913abc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d40154b280a86d2732355a8ac551bb39

SHA1
e2deb646c9a630c6561b08a3cdba4e8c46d6e3b9

SHA256
c9530418220dc7626f2641ba6e8a01f2595cce593eef97df4107cfb7dd345413

SHA512
4e0ff72877764c380f1585864d655eca0d03cb84f08ea7c2deab0455622d0d3403f0cd1668664eedc6c92464f716dbd199b1cc6b9ba9ad5b98d730ca1edaeb22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fb67cc253a591ebd7b66a1c753c2e607

SHA1
98e3836c993828d8106f5c0c6221c90c8a6d99c0

SHA256
9e7ff65be0162527bc332cea400eac84a6165b771724fb1261d35d180a672a5e

SHA512
2d41a6198e872b67466bdd45280f849b89a11cbf29340acc2b6191e58c156cc94c3e3a332f347a78af2470b29b912357961dcf51b15f099a8bd5301a534657df

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764416908406.txt

Filesize
74KB

MD5
43295f924dcfccd4d3dde70e2f6b9084

SHA1
f8074366c60e095bd922260d473a61a8f05adaf4

SHA256
b6c2daeaeba11c855febd36d9413edfa71ac6a1c040ddb464668c09f51496d20

SHA512
96b7705a51872e907ed8373cdc3c20fd1948625559ca6ba6e365c8783421a2acf8d06a930751fc039b5ed299fc1d42a5f03dcef935e75d1ccd1cc39ff1368a7e

Download Submit
C:\Windows\sihqwdtqusgu.exe

Filesize
424KB

MD5
e40f0995144816dd8a6062c5e6cee39b

SHA1
531a334a0be99aff4c74f9a8dfd81ea8f3630360

SHA256
bcbc1aee86f5e1fdc2ba6fcb2e29933933b132a4c3d0f2eb0f73061702041243

SHA512
31623dcd88d0df8559b2662540c2cc740a2a46863bc247578ff4f7cbe758581d3a0db051b98e15cbd39c4ec386d8f84605ff6198d1c29e1aa4c1c1c8c9f1a8c4

Download Submit
\??\pipe\LOCAL\crashpad_3004_LUMCOYOAMYDYKNZR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1376-0-0x00000000006C0000-0x0000000000745000-memory.dmp

Filesize
532KB

Download
memory/1376-2-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1376-10-0x00000000006C0000-0x0000000000745000-memory.dmp

Filesize
532KB

Download
memory/1376-9-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3728-5737-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3728-9541-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3728-10464-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3728-11-0x0000000002210000-0x0000000002295000-memory.dmp

Filesize
532KB

Download
memory/3728-2856-0x0000000002210000-0x0000000002295000-memory.dmp

Filesize
532KB

Download
memory/3728-2845-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3728-10524-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download