teslacrypt | c12d55931b5e6cec59ec102c20171ffda7c2dba4c7d4242ba2bded64cef377e7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe
Size

251KB
MD5

5acb7cef68bd76c0cae3d8b06472e0b3
SHA1

4e38bc3beaf8d90f11203dbd35ec6b77be1b7606
SHA256

c12d55931b5e6cec59ec102c20171ffda7c2dba4c7d4242ba2bded64cef377e7
SHA512

0a745230ca22c0f6eea6872610d442ca34f6999ba08f07d9308bca995c890f3e02814553fff509ed09ddc6520e5c144c65f971d49fbe5e774dda0373c1f4eb1b
SSDEEP

3072:PLhtgSlZAeKoNhbKIVzq5JRpLXOOvDaUwkDYnp4U+0mQccFNfxvblzajFKTRprr:D8BRpdDaUPYnfzmQccFNfBxvXrr

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+djivk.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1BD4498FF78F83D2 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1BD4498FF78F83D2 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/1BD4498FF78F83D2 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/1BD4498FF78F83D2 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1BD4498FF78F83D2 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1BD4498FF78F83D2 http://yyre45dbvn2nhbefbmh.begumvelic.at/1BD4498FF78F83D2 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/1BD4498FF78F83D2

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1BD4498FF78F83D2

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1BD4498FF78F83D2

http://yyre45dbvn2nhbefbmh.begumvelic.at/1BD4498FF78F83D2

http://xlowfznrg4wf7dli.ONION/1BD4498FF78F83D2

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (875) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exejoqrxmmogflp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	joqrxmmogflp.exe

Drops startup file 6 IoCs

Processes:

joqrxmmogflp.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+djivk.png	joqrxmmogflp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+djivk.png	joqrxmmogflp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe

Executes dropped EXE 1 IoCs

Processes:

joqrxmmogflp.exe

pid process

1112 joqrxmmogflp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

joqrxmmogflp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cwtobhn = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\joqrxmmogflp.exe"	joqrxmmogflp.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

joqrxmmogflp.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-100.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-300.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\_ReCoVeRy_+djivk.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+djivk.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-80_altform-unplated.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\tilebg.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-400.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-150.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-96_altform-unplated.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\View3d\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Movie-TVStoreLogo.scale-200_contrast-white.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-60.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-100_contrast-black.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\SmallTile.scale-125.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.scale-100.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.scale-100.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-80_altform-lightunplated.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteWideTile.scale-400.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactNative\Tracing\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sunglasses.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\search_emptystate.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-125.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-30_altform-unplated.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+djivk.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\_ReCoVeRy_+djivk.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileLargeSquare.scale-100.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32_altform-unplated.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125_contrast-white.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholderWhite.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\THMBNAIL.PNG	joqrxmmogflp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\_ReCoVeRy_+djivk.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\15943155-1B69-4427-B98B-8BFC4287D8F3\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-125_contrast-black.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\_ReCoVeRy_+djivk.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_contrast-black.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+djivk.txt	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-white.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+djivk.png	joqrxmmogflp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\_ReCoVeRy_+djivk.html	joqrxmmogflp.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe

description	ioc	process
File created	C:\Windows\joqrxmmogflp.exe	2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe
File opened for modification	C:\Windows\joqrxmmogflp.exe	2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exejoqrxmmogflp.execmd.exeNOTEPAD.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joqrxmmogflp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

joqrxmmogflp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings joqrxmmogflp.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3472 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	joqrxmmogflp.exe

pid	process
3472	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

joqrxmmogflp.exe

pid	process
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe
1112	joqrxmmogflp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3352 msedge.exe
3352 msedge.exe
3352 msedge.exe
3352 msedge.exe
3352 msedge.exe
3352 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exejoqrxmmogflp.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3504	2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe
Token: SeDebugPrivilege	1112	joqrxmmogflp.exe
Token: SeIncreaseQuotaPrivilege	2388	WMIC.exe
Token: SeSecurityPrivilege	2388	WMIC.exe
Token: SeTakeOwnershipPrivilege	2388	WMIC.exe
Token: SeLoadDriverPrivilege	2388	WMIC.exe
Token: SeSystemProfilePrivilege	2388	WMIC.exe
Token: SeSystemtimePrivilege	2388	WMIC.exe
Token: SeProfSingleProcessPrivilege	2388	WMIC.exe
Token: SeIncBasePriorityPrivilege	2388	WMIC.exe
Token: SeCreatePagefilePrivilege	2388	WMIC.exe
Token: SeBackupPrivilege	2388	WMIC.exe
Token: SeRestorePrivilege	2388	WMIC.exe
Token: SeShutdownPrivilege	2388	WMIC.exe
Token: SeDebugPrivilege	2388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2388	WMIC.exe
Token: SeRemoteShutdownPrivilege	2388	WMIC.exe
Token: SeUndockPrivilege	2388	WMIC.exe
Token: SeManageVolumePrivilege	2388	WMIC.exe
Token: 33	2388	WMIC.exe
Token: 34	2388	WMIC.exe
Token: 35	2388	WMIC.exe
Token: 36	2388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2388	WMIC.exe
Token: SeSecurityPrivilege	2388	WMIC.exe
Token: SeTakeOwnershipPrivilege	2388	WMIC.exe
Token: SeLoadDriverPrivilege	2388	WMIC.exe
Token: SeSystemProfilePrivilege	2388	WMIC.exe
Token: SeSystemtimePrivilege	2388	WMIC.exe
Token: SeProfSingleProcessPrivilege	2388	WMIC.exe
Token: SeIncBasePriorityPrivilege	2388	WMIC.exe
Token: SeCreatePagefilePrivilege	2388	WMIC.exe
Token: SeBackupPrivilege	2388	WMIC.exe
Token: SeRestorePrivilege	2388	WMIC.exe
Token: SeShutdownPrivilege	2388	WMIC.exe
Token: SeDebugPrivilege	2388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2388	WMIC.exe
Token: SeRemoteShutdownPrivilege	2388	WMIC.exe
Token: SeUndockPrivilege	2388	WMIC.exe
Token: SeManageVolumePrivilege	2388	WMIC.exe
Token: 33	2388	WMIC.exe
Token: 34	2388	WMIC.exe
Token: 35	2388	WMIC.exe
Token: 36	2388	WMIC.exe
Token: SeBackupPrivilege	2632	vssvc.exe
Token: SeRestorePrivilege	2632	vssvc.exe
Token: SeAuditPrivilege	2632	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3336	WMIC.exe
Token: SeSecurityPrivilege	3336	WMIC.exe
Token: SeTakeOwnershipPrivilege	3336	WMIC.exe
Token: SeLoadDriverPrivilege	3336	WMIC.exe
Token: SeSystemProfilePrivilege	3336	WMIC.exe
Token: SeSystemtimePrivilege	3336	WMIC.exe
Token: SeProfSingleProcessPrivilege	3336	WMIC.exe
Token: SeIncBasePriorityPrivilege	3336	WMIC.exe
Token: SeCreatePagefilePrivilege	3336	WMIC.exe
Token: SeBackupPrivilege	3336	WMIC.exe
Token: SeRestorePrivilege	3336	WMIC.exe
Token: SeShutdownPrivilege	3336	WMIC.exe
Token: SeDebugPrivilege	3336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3336	WMIC.exe
Token: SeRemoteShutdownPrivilege	3336	WMIC.exe
Token: SeUndockPrivilege	3336	WMIC.exe
Token: SeManageVolumePrivilege	3336	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exejoqrxmmogflp.exemsedge.exe

description	pid	process	target process
PID 3504 wrote to memory of 1112	3504	2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe	joqrxmmogflp.exe
PID 3504 wrote to memory of 1112	3504	2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe	joqrxmmogflp.exe
PID 3504 wrote to memory of 1112	3504	2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe	joqrxmmogflp.exe
PID 3504 wrote to memory of 528	3504	2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe	cmd.exe
PID 3504 wrote to memory of 528	3504	2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe	cmd.exe
PID 3504 wrote to memory of 528	3504	2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe	cmd.exe
PID 1112 wrote to memory of 2388	1112	joqrxmmogflp.exe	WMIC.exe
PID 1112 wrote to memory of 2388	1112	joqrxmmogflp.exe	WMIC.exe
PID 1112 wrote to memory of 3472	1112	joqrxmmogflp.exe	NOTEPAD.EXE
PID 1112 wrote to memory of 3472	1112	joqrxmmogflp.exe	NOTEPAD.EXE
PID 1112 wrote to memory of 3472	1112	joqrxmmogflp.exe	NOTEPAD.EXE
PID 1112 wrote to memory of 3352	1112	joqrxmmogflp.exe	msedge.exe
PID 1112 wrote to memory of 3352	1112	joqrxmmogflp.exe	msedge.exe
PID 3352 wrote to memory of 3392	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3392	3352	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3336	1112	joqrxmmogflp.exe	WMIC.exe
PID 1112 wrote to memory of 3336	1112	joqrxmmogflp.exe	WMIC.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3804	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4552	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4552	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 2888	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 2888	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 2888	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 2888	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 2888	3352	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

joqrxmmogflp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	joqrxmmogflp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	joqrxmmogflp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_5acb7cef68bd76c0cae3d8b06472e0b3_teslacrypt.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\joqrxmmogflp.exe
  C:\Windows\joqrxmmogflp.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1112
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:3472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffebe846f8,0x7fffebe84708,0x7fffebe84718
      4⤵
      PID:3392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2080680889297605487,2717565334446420290,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:3804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,2080680889297605487,2717565334446420290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,2080680889297605487,2717565334446420290,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
      4⤵
      PID:2888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2080680889297605487,2717565334446420290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
      4⤵
      PID:3340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2080680889297605487,2717565334446420290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      PID:2524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2080680889297605487,2717565334446420290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
      4⤵
      PID:5016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2080680889297605487,2717565334446420290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
      4⤵
      PID:404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2080680889297605487,2717565334446420290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
      4⤵
      PID:3536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2080680889297605487,2717565334446420290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
      4⤵
      PID:1636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2080680889297605487,2717565334446420290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
      4⤵
      PID:4392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2080680889297605487,2717565334446420290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
      4⤵
      PID:1684
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JOQRXM~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+djivk.html

Filesize
12KB

MD5
84c7f2530a2c0ba804cdb1978399bf20

SHA1
35f6128626db7e943768d98f922376aecc2458c8

SHA256
6128b8cb1a69785ad960bb62bb48e3d7403000c3a397a39ab44bcec297ca79cf

SHA512
87bd8128377ba23fdacf5a97c650dff8ac6dc2c4488baf87650e12aaaf8bfbab5085d3f7a269ba442abc424a327a6192e094b3810c187cc269573521be8aa976

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+djivk.png

Filesize
64KB

MD5
8e5e1cd007557e87c76723db7c708108

SHA1
8cc0ce1f5e0f045facaa31d188b8b2dc63bca68a

SHA256
4dbe95a229677b08c89829221b5c5e826fd8f4da4e3e3b0a822f7f6be26d3357

SHA512
90304b377369341ef28a72bda2b83981ab3b8aa52f3596f22c510edc0b1e7b1f41777c6d2548e95d13cec8f76712efa2150ce7ff306a849e30a3b9055c01ac34

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+djivk.txt

Filesize
1KB

MD5
21bc2d7d5d0018dd82aa9d7fc82740d7

SHA1
0946bb2fe1be0b92da7fdbd8145145f31b4930f9

SHA256
8466a1eaec4bb68e20913b8762f2e857f07921d4aee60c7ca20b8534b92d90d3

SHA512
c062eb96da47505fdb9ddab7c22dc5b0d47fc91b2f58ab9be61f3cc6a05142fb04dd953b4d39ef046f4f43b8ea65e3670bca582db9b334cf709fd8326af1fbec

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
e6ca401d9e4cb35db9da5c1410caa658

SHA1
88df47a318c1df0fcde8e41d09c4950ce0cd1678

SHA256
1d8ceb19d94545aa30b337367563c053933de8802cb92b2a2ba90303022d171e

SHA512
ed150ae86d9d8345b48cf0d008d1db4d72b0b0a1e9714286335734abe8861f3b561f0f5f6330d94560efd2d3fc9eec72886093f1455e16fd67f22f27fc2a5f18

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
a40d5ee8e911107c1d86ffb7ef20ef31

SHA1
bac084891e382fbe9e0d4f626d1cbccd21b2954a

SHA256
dd3734a1d63715263485a52b2a05ec5c183a55a0810d967158a8ef25c3c2e604

SHA512
daa9391002bb73335758fdc89441cb8061a614de831384f0c4f6b0352f00b510c08e4191acf283eca66ff767fca565175e9bd2d431889cf91075db3c3e892ec0

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
47053cd5a1ff8156bbf85c0599f97d65

SHA1
3472245aad1b6b7e5b2dd679660bf69f1dd97461

SHA256
4f6bce602f2d6e55a8d7fd5f20f07e2298a34ed3b9f7f1b28711bc5fbb7f9d9c

SHA512
ed4a6cc8a3b5cece56da59408745186b99a06754e2032f2b10917db9424e69a2d0351f8d1c03dabaac1cb4464dbd5b94640cd06387a255e73d67e80c206d0204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cde3f9173d6794adff04597896bb3615

SHA1
9f60acce1c4ab42513abf9f7fd80211c5ae78ea8

SHA256
b4c9688c2a3d317875d9424c1d167d00f349de91d7e642b050dab8c7ddc2f4a2

SHA512
1d08ec322625a932966c8edaed151485c79e11d7e3afa6134484f5055a651c517cd64b4b669fea483dda9298c8d2e931c4fea7b92651002bfb984bfa7d17a2e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
67d958bc156531e6ef9598ca6ea08805

SHA1
f6243940a0ff0149155de1f398b4bc56637cb336

SHA256
dbe13e171dca0bd1fc233feaea48ce413b992bc531e2588e30de45af36965c92

SHA512
e26d3317576f9cf8798827a1872dfdc1dcc064c4de90cc4b9741387ad153b0edea118d2a3fce4738b83df48821909fbb2d2996554fa1999b33887af051a6cb44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
56033ebf5ce43f221a82b67a4317c14b

SHA1
19c0bff370eb99eb2a30bc9e0426205b30dc9184

SHA256
1092d374bd4310b4c4dd59d5c58a9c9ef3ae1ee54169306bfbb50f1d758364c8

SHA512
59d5074aef1912ab87e833506326859637835c87315317a08bf2914651f2838ace827fd511c6b8448f92054040dbe6594677d79875619758514f3fd4535c1ec2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754057554938.txt

Filesize
77KB

MD5
c03c544e3bc8bba47a2b98a5a77dba6f

SHA1
4d5de1f7d3040722ea1dfe3f8d4bfe1cc9823597

SHA256
d8ee4b386076cfbb1448c433d83cc9b8d35815fe646c965c5c2cfa66cff0da0a

SHA512
48acf223f9154510bdaa039672c852586701bec86f302b0dca5607c40118cca5e147c0cb0c19700958acfdb0f4e82051fb1ea1ebefcc74a01fbbdd1c687da212

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670756429722460.txt

Filesize
47KB

MD5
d0f822a58921e7d19f15548ea165df9c

SHA1
8be6f9111578ad55dd6e02d2e5ac1f77cd6cdb95

SHA256
2f65032e188c0d25fdaea2b1448f5770391d18f8c5de6f12ea0f46753e9c3c2a

SHA512
3922a997c5509ed115784b2cc1569465eb8976cafd964d66187d72e6bd9efd5fc8cb95f9ea46eda5740d5f151d9d6caae15ab27cde9b90a00d61676b21f169e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764200529937.txt

Filesize
74KB

MD5
936d928a97d431e76b19ab6964765d8e

SHA1
69deede4e746f45ec95642dc8f26fd4575a33095

SHA256
884bd0cbf4f5c3d63d387b981a39b66904104fb6721838482cfec62ca94caadf

SHA512
ee067cb6bb041bdb63676a7e56746dd9a879fe674a534dccfb3be9e7acda1cf87e4cd149ae270df798d4f6f1603b22bd8a38a68336218bb0daef13ec29b77a3b

Download Submit
C:\Windows\joqrxmmogflp.exe

Filesize
251KB

MD5
5acb7cef68bd76c0cae3d8b06472e0b3

SHA1
4e38bc3beaf8d90f11203dbd35ec6b77be1b7606

SHA256
c12d55931b5e6cec59ec102c20171ffda7c2dba4c7d4242ba2bded64cef377e7

SHA512
0a745230ca22c0f6eea6872610d442ca34f6999ba08f07d9308bca995c890f3e02814553fff509ed09ddc6520e5c144c65f971d49fbe5e774dda0373c1f4eb1b

Download Submit
\??\pipe\LOCAL\crashpad_3352_OLPFMHKVJGJKRAZK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit