teslacrypt | c03c3fde100ab3c72104543c1dbb99f6110f24b4caa1b0846af985ebf6a45115

Analysis

max time kernel
147s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
Size

376KB
MD5

050489ff4a10d6cc0897e237f6623e1b
SHA1

c2f9927d5f5a8b50f18fa0a91684c9de02345201
SHA256

c03c3fde100ab3c72104543c1dbb99f6110f24b4caa1b0846af985ebf6a45115
SHA512

b8987b7f20379205b964954644a84acb98ad0daa8258a8b6267abea399ac1d2e79f3f17181d7f0b4fa6e7faa65c217999176ea4ec6fcae598844d24868c6b9b9
SSDEEP

6144:te3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:tY5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+vbdad.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D371ACCEEA29961 2. http://kkd47eh4hdjshb5t.angortra.at/D371ACCEEA29961 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/D371ACCEEA29961 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/D371ACCEEA29961 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D371ACCEEA29961 http://kkd47eh4hdjshb5t.angortra.at/D371ACCEEA29961 http://ytrest84y5i456hghadefdsd.pontogrot.com/D371ACCEEA29961 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/D371ACCEEA29961

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D371ACCEEA29961

http://kkd47eh4hdjshb5t.angortra.at/D371ACCEEA29961

http://ytrest84y5i456hghadefdsd.pontogrot.com/D371ACCEEA29961

http://xlowfznrg4wf7dli.ONION/D371ACCEEA29961

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cxbyngryuupg.exe050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	cxbyngryuupg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe

Drops startup file 6 IoCs

Processes:

cxbyngryuupg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vbdad.png	cxbyngryuupg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vbdad.html	cxbyngryuupg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vbdad.png	cxbyngryuupg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vbdad.html	cxbyngryuupg.exe

Executes dropped EXE 2 IoCs

Processes:

cxbyngryuupg.execxbyngryuupg.exe

pid process

3036 cxbyngryuupg.exe
4708 cxbyngryuupg.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
3036	cxbyngryuupg.exe
4708	cxbyngryuupg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cxbyngryuupg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ndahhxmggiax = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\cxbyngryuupg.exe\""	cxbyngryuupg.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.execxbyngryuupg.exe

description	pid	process	target process
PID 4388 set thread context of 736	4388	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
PID 3036 set thread context of 4708	3036	cxbyngryuupg.exe	cxbyngryuupg.exe

Drops file in Program Files directory 64 IoCs

Processes:

cxbyngryuupg.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\Recovery+vbdad.html	cxbyngryuupg.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\Recovery+vbdad.html	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-100_contrast-black.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-150.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notificationCenter_dark.css	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+vbdad.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\avatar_128x.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-16_altform-unplated.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-200.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-100.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-20_altform-unplated.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\Windows Mail\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Fonts\Recovery+vbdad.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_scale-100.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch.scale-200.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\Common Files\System\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\View3d\Recovery+vbdad.html	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Planet.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-150.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-white_scale-200.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-fullcolor.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+vbdad.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\Recovery+vbdad.html	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\logo.scale-200_contrast-black.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\Recovery+vbdad.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-white_scale-200.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\Recovery+vbdad.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+vbdad.html	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\SmallTile.scale-125.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-16_altform-unplated.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-100_contrast-white.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-200.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bg-BG\View3d\Recovery+vbdad.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-150.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\Recovery+vbdad.txt	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+vbdad.html	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_contrast-white.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\Recovery+vbdad.html	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-200_contrast-black.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-100.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak	cxbyngryuupg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Recovery+vbdad.html	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-black_scale-100.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\Recovery+vbdad.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\Recovery+vbdad.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-100.png	cxbyngryuupg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\Recovery+vbdad.html	cxbyngryuupg.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	cxbyngryuupg.exe

Drops file in Windows directory 2 IoCs

Processes:

050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\cxbyngryuupg.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
File opened for modification	C:\Windows\cxbyngryuupg.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cxbyngryuupg.exeNOTEPAD.EXEcmd.exe050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.execxbyngryuupg.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxbyngryuupg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxbyngryuupg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

cxbyngryuupg.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings cxbyngryuupg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1724 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	cxbyngryuupg.exe

pid	process
1724	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cxbyngryuupg.exe

pid	process
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe
4708	cxbyngryuupg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

5028 msedge.exe
5028 msedge.exe
5028 msedge.exe
5028 msedge.exe
5028 msedge.exe
5028 msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.execxbyngryuupg.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	736	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
Token: SeDebugPrivilege	4708	cxbyngryuupg.exe
Token: SeIncreaseQuotaPrivilege	2128	WMIC.exe
Token: SeSecurityPrivilege	2128	WMIC.exe
Token: SeTakeOwnershipPrivilege	2128	WMIC.exe
Token: SeLoadDriverPrivilege	2128	WMIC.exe
Token: SeSystemProfilePrivilege	2128	WMIC.exe
Token: SeSystemtimePrivilege	2128	WMIC.exe
Token: SeProfSingleProcessPrivilege	2128	WMIC.exe
Token: SeIncBasePriorityPrivilege	2128	WMIC.exe
Token: SeCreatePagefilePrivilege	2128	WMIC.exe
Token: SeBackupPrivilege	2128	WMIC.exe
Token: SeRestorePrivilege	2128	WMIC.exe
Token: SeShutdownPrivilege	2128	WMIC.exe
Token: SeDebugPrivilege	2128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2128	WMIC.exe
Token: SeRemoteShutdownPrivilege	2128	WMIC.exe
Token: SeUndockPrivilege	2128	WMIC.exe
Token: SeManageVolumePrivilege	2128	WMIC.exe
Token: 33	2128	WMIC.exe
Token: 34	2128	WMIC.exe
Token: 35	2128	WMIC.exe
Token: 36	2128	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3432	WMIC.exe
Token: SeSecurityPrivilege	3432	WMIC.exe
Token: SeTakeOwnershipPrivilege	3432	WMIC.exe
Token: SeLoadDriverPrivilege	3432	WMIC.exe
Token: SeSystemProfilePrivilege	3432	WMIC.exe
Token: SeSystemtimePrivilege	3432	WMIC.exe
Token: SeProfSingleProcessPrivilege	3432	WMIC.exe
Token: SeIncBasePriorityPrivilege	3432	WMIC.exe
Token: SeCreatePagefilePrivilege	3432	WMIC.exe
Token: SeBackupPrivilege	3432	WMIC.exe
Token: SeRestorePrivilege	3432	WMIC.exe
Token: SeShutdownPrivilege	3432	WMIC.exe
Token: SeDebugPrivilege	3432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3432	WMIC.exe
Token: SeRemoteShutdownPrivilege	3432	WMIC.exe
Token: SeUndockPrivilege	3432	WMIC.exe
Token: SeManageVolumePrivilege	3432	WMIC.exe
Token: 33	3432	WMIC.exe
Token: 34	3432	WMIC.exe
Token: 35	3432	WMIC.exe
Token: 36	3432	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.execxbyngryuupg.execxbyngryuupg.exemsedge.exe

description	pid	process	target process
PID 4388 wrote to memory of 736	4388	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
PID 4388 wrote to memory of 736	4388	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
PID 4388 wrote to memory of 736	4388	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
PID 4388 wrote to memory of 736	4388	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
PID 4388 wrote to memory of 736	4388	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
PID 4388 wrote to memory of 736	4388	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
PID 4388 wrote to memory of 736	4388	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
PID 4388 wrote to memory of 736	4388	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
PID 4388 wrote to memory of 736	4388	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
PID 4388 wrote to memory of 736	4388	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
PID 736 wrote to memory of 3036	736	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	cxbyngryuupg.exe
PID 736 wrote to memory of 3036	736	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	cxbyngryuupg.exe
PID 736 wrote to memory of 3036	736	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	cxbyngryuupg.exe
PID 736 wrote to memory of 3244	736	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	cmd.exe
PID 736 wrote to memory of 3244	736	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	cmd.exe
PID 736 wrote to memory of 3244	736	050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe	cmd.exe
PID 3036 wrote to memory of 4708	3036	cxbyngryuupg.exe	cxbyngryuupg.exe
PID 3036 wrote to memory of 4708	3036	cxbyngryuupg.exe	cxbyngryuupg.exe
PID 3036 wrote to memory of 4708	3036	cxbyngryuupg.exe	cxbyngryuupg.exe
PID 3036 wrote to memory of 4708	3036	cxbyngryuupg.exe	cxbyngryuupg.exe
PID 3036 wrote to memory of 4708	3036	cxbyngryuupg.exe	cxbyngryuupg.exe
PID 3036 wrote to memory of 4708	3036	cxbyngryuupg.exe	cxbyngryuupg.exe
PID 3036 wrote to memory of 4708	3036	cxbyngryuupg.exe	cxbyngryuupg.exe
PID 3036 wrote to memory of 4708	3036	cxbyngryuupg.exe	cxbyngryuupg.exe
PID 3036 wrote to memory of 4708	3036	cxbyngryuupg.exe	cxbyngryuupg.exe
PID 3036 wrote to memory of 4708	3036	cxbyngryuupg.exe	cxbyngryuupg.exe
PID 4708 wrote to memory of 2128	4708	cxbyngryuupg.exe	WMIC.exe
PID 4708 wrote to memory of 2128	4708	cxbyngryuupg.exe	WMIC.exe
PID 4708 wrote to memory of 1724	4708	cxbyngryuupg.exe	NOTEPAD.EXE
PID 4708 wrote to memory of 1724	4708	cxbyngryuupg.exe	NOTEPAD.EXE
PID 4708 wrote to memory of 1724	4708	cxbyngryuupg.exe	NOTEPAD.EXE
PID 4708 wrote to memory of 5028	4708	cxbyngryuupg.exe	msedge.exe
PID 4708 wrote to memory of 5028	4708	cxbyngryuupg.exe	msedge.exe
PID 5028 wrote to memory of 2056	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2056	5028	msedge.exe	msedge.exe
PID 4708 wrote to memory of 3432	4708	cxbyngryuupg.exe	WMIC.exe
PID 4708 wrote to memory of 3432	4708	cxbyngryuupg.exe	WMIC.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 3012	5028	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

cxbyngryuupg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cxbyngryuupg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cxbyngryuupg.exe

C:\Users\Admin\AppData\Local\Temp\050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\050489ff4a10d6cc0897e237f6623e1b_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\cxbyngryuupg.exe
    C:\Windows\cxbyngryuupg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\cxbyngryuupg.exe
      C:\Windows\cxbyngryuupg.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4708
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe9dab46f8,0x7ffe9dab4708,0x7ffe9dab4718
        6⤵
        
        PID:2056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,10887089312434206392,15884491926262748031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        6⤵
        
        PID:3012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,10887089312434206392,15884491926262748031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        6⤵
        
        PID:2096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,10887089312434206392,15884491926262748031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
        6⤵
        
        PID:3596
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10887089312434206392,15884491926262748031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        6⤵
        
        PID:5080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10887089312434206392,15884491926262748031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        6⤵
        
        PID:2024
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10887089312434206392,15884491926262748031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
        6⤵
        
        PID:2256
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10887089312434206392,15884491926262748031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
        6⤵
        
        PID:4912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10887089312434206392,15884491926262748031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
        6⤵
        
        PID:3508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10887089312434206392,15884491926262748031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
        6⤵
        
        PID:2736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10887089312434206392,15884491926262748031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
        6⤵
        
        PID:4808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10887089312434206392,15884491926262748031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        
        PID:3376
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CXBYNG~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\050489~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+vbdad.html

Filesize
7KB

MD5
e438133303daf698935e3d221223a70b

SHA1
b3131a8ebc63983cb10687778c59b10c2a4942b4

SHA256
202b810e07019af7a019ab3c9a5917ff6f21d5f8fdffb3b6959325f8b5ab36b6

SHA512
d6da7d3ff7376843bbdc53dafd699330abb6aceabd823224698f74b493cd6230351a02d4cf42338793e3453f2e05923700cf99a1ac800aeecac326b424ae95ad

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+vbdad.png

Filesize
63KB

MD5
71d9357d4fcef53546d9b9f8bf8b6769

SHA1
a7166b6d88e2be3281d2c7cd8189f672b7c2f4d6

SHA256
ea7d6e1267a5a0e130897503dca62ab629fee4ce4ccdf952c47d46f1b3f5550e

SHA512
185c9b86c3b8f8a3186b0486479cd73913ba128db5e7604a5c4c2d0315078f21ca93b5ce8305f6f1fbad223a8ed97b3729998550d1989c87c68b64acc4ed029d

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+vbdad.txt

Filesize
1KB

MD5
779dfbe46078727570d33753039e73be

SHA1
61179bdce469e3f449083319fb0af6d7ca487e7d

SHA256
927ff7504fe9852150195f0182b8bb61849854862f0aa339852a822605b3e291

SHA512
86f6ec32af4f5d648e97bce931246c5d34835702d3949b672cc6f330c71d0c5589fbd5996acab02180a60d0baa59e8df24490aa7115b104dafbf2178325ef173

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
4090737cdbf70718faffb941c1aa5323

SHA1
bd065c7d74f10a98ddcfb0a0de5cf1e4dd6f8577

SHA256
acc592281f03461a56e940b90430843c7118458335f79e82e84283498c6b5d6c

SHA512
47aa2c8d01ef63cdc85cc71cbc80ee0c8efbfd7aec05eae8dcbfffe1a6ebfff6bc39f22dcd77f31a3af54b64f9a0be2b0d66249b74305809d8d22bbd19d27751

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
a09161cf3f36c53523e50fd84ab103da

SHA1
693db7c080ab2221e85871d27c4807f78911d40f

SHA256
963657161cf4fc2c1b44a43cdd5b3d9544e5c64a08fb731732d5787727fcb94c

SHA512
9526289876fc68a5f981f347a910f81569c9c128a171e614d940566772ff495c38748ce8862ab5d90729565c570d1e8a547dee4ea09fe8797b41b9f0eddc050c

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
9a7714880ae51a75a66ac0ecb86798ba

SHA1
65d228add3a420f06b903b8179d946744ea02cc5

SHA256
9f3085043c0721ee4b003e255948149812f19fdbeac0d91f7fd498e3db7cdd43

SHA512
09feb44e8684e15118bf2ea613c53e90025d84c2cf0027cd8f38f5e97d8105b00e13291d62bfa19475981a9eb99bad606e02b3c157a3d340774621446e82d978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4d18b2372ca1b76726a8c9f7c3430ee4

SHA1
98cee079cffab2eaf6a53f835d99ee49565249b3

SHA256
66905f3080eb6fbc05646c172f422ee91a1df727d78139fc49cd3ecb788c5ee9

SHA512
2bb451c8840f2404cd866eab66ce919f94eb8c346add70c38c9c8f108a1fbfdd9b7b2833275670dcc34aa2221b2fc51ace533137e7a1d23a521ac0b93eadbf15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
499e4ddde48bf7a28dab50faa7d14e00

SHA1
af4bbc4bd4afc34d0a4f4d154f105f9478af8095

SHA256
a9513597f23aa0394769837ad1f46d31cc7800abf795811245ffa1728b217a40

SHA512
b62eb57d540367dfcdc0b95217a243e2e6c980d0f7ecac3fbe3b0140b7bcd45cc99a282d11f4f7c66425eb22714893ddb4f6d3db5f3a070e68cb0f3d41c13758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c4dfe094a71641f71e6f3e22993c811c

SHA1
725b5998b29fe00cd96a03a8cf7c3027997cd86c

SHA256
11d44ffa97126dcd16c186f3e252473df6c2a954e9eb3c46b9960939c02b9c23

SHA512
918346597d467e96fb7c083bded45d8e4e540f9f97a31d662fc99b99fdbce47bf13d97e8c2df960eca421e927a6647c2ef2ec1c41cc5b2a5e7384b1e06732d22

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764101374726.txt

Filesize
74KB

MD5
585c25716a6cd83b6119119dc2228f86

SHA1
e4cc7be5395521d53c193122fa93317c18407da4

SHA256
90ec106c9f573d8e9a41566f25bdfc4c13585b0b98caa01275bf2c4b10564d9b

SHA512
ace1233c3cb07519265b37944ea7ea0b1ac6ec28a6fa70d7f260c7d5a96d67dde5c4178c3a91bace8a7daf923e89606ca904e84c3a1ac9c698e6ab3c4087af9c

Download Submit
C:\Windows\cxbyngryuupg.exe

Filesize
376KB

MD5
050489ff4a10d6cc0897e237f6623e1b

SHA1
c2f9927d5f5a8b50f18fa0a91684c9de02345201

SHA256
c03c3fde100ab3c72104543c1dbb99f6110f24b4caa1b0846af985ebf6a45115

SHA512
b8987b7f20379205b964954644a84acb98ad0daa8258a8b6267abea399ac1d2e79f3f17181d7f0b4fa6e7faa65c217999176ea4ec6fcae598844d24868c6b9b9

Download Submit
\??\pipe\LOCAL\crashpad_5028_ENPHPNJVKBSQWCGN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/736-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/736-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/736-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/736-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/736-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3036-12-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4388-0-0x00000000006E0000-0x00000000006E3000-memory.dmp

Filesize
12KB

Download
memory/4388-1-0x00000000006E0000-0x00000000006E3000-memory.dmp

Filesize
12KB

Download
memory/4388-4-0x00000000006E0000-0x00000000006E3000-memory.dmp

Filesize
12KB

Download
memory/4708-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-3147-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-9930-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-10584-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-10586-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-10594-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-10595-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-6382-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-3146-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-10657-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download