teslacrypt | dd754c7e866babc27f01d9e9b3bbac680dcc3e83b8a748d39e026b871052b527

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
Size

276KB
MD5

0633631727771a19c3593b678268e8f9
SHA1

2c8af799af11e03abc5face54f3943c2b3071203
SHA256

dd754c7e866babc27f01d9e9b3bbac680dcc3e83b8a748d39e026b871052b527
SHA512

f705f51b7f49f51a13c4509909b80e7eaeecf2914867b41f42dd13f655ad1e815355366cb05b9a6093c1887dae569f204b9ca7ad5761a3f1952b3cbc9b31645b
SSDEEP

6144:wL+ROMHXZ99JX2WngMNSYZh1r0CLf2dWsLf2EUOH9:wQ7J9PgMN7LsqEUO

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+odwlr.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/EDE68A54A6AAC395 2 - http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/EDE68A54A6AAC395 3 - http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/EDE68A54A6AAC395 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/EDE68A54A6AAC395 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/EDE68A54A6AAC395 http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/EDE68A54A6AAC395 http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/EDE68A54A6AAC395 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/EDE68A54A6AAC395

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/EDE68A54A6AAC395

http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/EDE68A54A6AAC395

http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/EDE68A54A6AAC395

http://xlowfznrg4wf7dli.ONION/EDE68A54A6AAC395

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (885) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wihhlutvoais.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+odwlr.png	wihhlutvoais.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+odwlr.png	wihhlutvoais.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe

Executes dropped EXE 2 IoCs

pid	Process
856	wihhlutvoais.exe
3784	wihhlutvoais.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hmvdatx = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\wihhlutvoais.exe"	wihhlutvoais.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 2112	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	90
PID 856 set thread context of 3784	856	wihhlutvoais.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-16_altform-unplated.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-200.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\WideTile.scale-200.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-200.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.scale-200.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_ReCoVeRy_+odwlr.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+odwlr.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\FlatFreehand3D.mp4	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\LargeTile.scale-125.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\39.jpg	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-100.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-100.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-100.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-40.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-16_altform-lightunplated.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\_ReCoVeRy_+odwlr.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\_ReCoVeRy_+odwlr.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-125_contrast-white.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_ReCoVeRy_+odwlr.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.scale-125.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCacheMini.scale-150.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\RevokeRedo.m3u	wihhlutvoais.exe
File opened for modification	C:\Program Files\Windows Media Player\uk-UA\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-lightunplated.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\_ReCoVeRy_+odwlr.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\_ReCoVeRy_+odwlr.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\24.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-400.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\_ReCoVeRy_+odwlr.txt	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\_ReCoVeRy_+odwlr.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-unplated_contrast-black.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_SplashScreen.scale-125.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-16_contrast-white.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-100.png	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\_ReCoVeRy_+odwlr.html	wihhlutvoais.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-black_scale-125.png	wihhlutvoais.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wihhlutvoais.exe	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
File opened for modification	C:\Windows\wihhlutvoais.exe	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wihhlutvoais.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wihhlutvoais.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	wihhlutvoais.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1712	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe
3784	wihhlutvoais.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
Token: SeDebugPrivilege	3784	wihhlutvoais.exe
Token: SeIncreaseQuotaPrivilege	3936	WMIC.exe
Token: SeSecurityPrivilege	3936	WMIC.exe
Token: SeTakeOwnershipPrivilege	3936	WMIC.exe
Token: SeLoadDriverPrivilege	3936	WMIC.exe
Token: SeSystemProfilePrivilege	3936	WMIC.exe
Token: SeSystemtimePrivilege	3936	WMIC.exe
Token: SeProfSingleProcessPrivilege	3936	WMIC.exe
Token: SeIncBasePriorityPrivilege	3936	WMIC.exe
Token: SeCreatePagefilePrivilege	3936	WMIC.exe
Token: SeBackupPrivilege	3936	WMIC.exe
Token: SeRestorePrivilege	3936	WMIC.exe
Token: SeShutdownPrivilege	3936	WMIC.exe
Token: SeDebugPrivilege	3936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3936	WMIC.exe
Token: SeRemoteShutdownPrivilege	3936	WMIC.exe
Token: SeUndockPrivilege	3936	WMIC.exe
Token: SeManageVolumePrivilege	3936	WMIC.exe
Token: 33	3936	WMIC.exe
Token: 34	3936	WMIC.exe
Token: 35	3936	WMIC.exe
Token: 36	3936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3936	WMIC.exe
Token: SeSecurityPrivilege	3936	WMIC.exe
Token: SeTakeOwnershipPrivilege	3936	WMIC.exe
Token: SeLoadDriverPrivilege	3936	WMIC.exe
Token: SeSystemProfilePrivilege	3936	WMIC.exe
Token: SeSystemtimePrivilege	3936	WMIC.exe
Token: SeProfSingleProcessPrivilege	3936	WMIC.exe
Token: SeIncBasePriorityPrivilege	3936	WMIC.exe
Token: SeCreatePagefilePrivilege	3936	WMIC.exe
Token: SeBackupPrivilege	3936	WMIC.exe
Token: SeRestorePrivilege	3936	WMIC.exe
Token: SeShutdownPrivilege	3936	WMIC.exe
Token: SeDebugPrivilege	3936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3936	WMIC.exe
Token: SeRemoteShutdownPrivilege	3936	WMIC.exe
Token: SeUndockPrivilege	3936	WMIC.exe
Token: SeManageVolumePrivilege	3936	WMIC.exe
Token: 33	3936	WMIC.exe
Token: 34	3936	WMIC.exe
Token: 35	3936	WMIC.exe
Token: 36	3936	WMIC.exe
Token: SeBackupPrivilege	2324	vssvc.exe
Token: SeRestorePrivilege	2324	vssvc.exe
Token: SeAuditPrivilege	2324	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3320	WMIC.exe
Token: SeSecurityPrivilege	3320	WMIC.exe
Token: SeTakeOwnershipPrivilege	3320	WMIC.exe
Token: SeLoadDriverPrivilege	3320	WMIC.exe
Token: SeSystemProfilePrivilege	3320	WMIC.exe
Token: SeSystemtimePrivilege	3320	WMIC.exe
Token: SeProfSingleProcessPrivilege	3320	WMIC.exe
Token: SeIncBasePriorityPrivilege	3320	WMIC.exe
Token: SeCreatePagefilePrivilege	3320	WMIC.exe
Token: SeBackupPrivilege	3320	WMIC.exe
Token: SeRestorePrivilege	3320	WMIC.exe
Token: SeShutdownPrivilege	3320	WMIC.exe
Token: SeDebugPrivilege	3320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3320	WMIC.exe
Token: SeRemoteShutdownPrivilege	3320	WMIC.exe
Token: SeUndockPrivilege	3320	WMIC.exe
Token: SeManageVolumePrivilege	3320	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2112	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	90
PID 1300 wrote to memory of 2112	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	90
PID 1300 wrote to memory of 2112	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	90
PID 1300 wrote to memory of 2112	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	90
PID 1300 wrote to memory of 2112	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	90
PID 1300 wrote to memory of 2112	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	90
PID 1300 wrote to memory of 2112	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	90
PID 1300 wrote to memory of 2112	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	90
PID 1300 wrote to memory of 2112	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	90
PID 1300 wrote to memory of 2112	1300	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	90
PID 2112 wrote to memory of 856	2112	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	91
PID 2112 wrote to memory of 856	2112	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	91
PID 2112 wrote to memory of 856	2112	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	91
PID 2112 wrote to memory of 4792	2112	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	92
PID 2112 wrote to memory of 4792	2112	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	92
PID 2112 wrote to memory of 4792	2112	0633631727771a19c3593b678268e8f9_JaffaCakes118.exe	92
PID 856 wrote to memory of 3784	856	wihhlutvoais.exe	95
PID 856 wrote to memory of 3784	856	wihhlutvoais.exe	95
PID 856 wrote to memory of 3784	856	wihhlutvoais.exe	95
PID 856 wrote to memory of 3784	856	wihhlutvoais.exe	95
PID 856 wrote to memory of 3784	856	wihhlutvoais.exe	95
PID 856 wrote to memory of 3784	856	wihhlutvoais.exe	95
PID 856 wrote to memory of 3784	856	wihhlutvoais.exe	95
PID 856 wrote to memory of 3784	856	wihhlutvoais.exe	95
PID 856 wrote to memory of 3784	856	wihhlutvoais.exe	95
PID 856 wrote to memory of 3784	856	wihhlutvoais.exe	95
PID 3784 wrote to memory of 3936	3784	wihhlutvoais.exe	96
PID 3784 wrote to memory of 3936	3784	wihhlutvoais.exe	96
PID 3784 wrote to memory of 1712	3784	wihhlutvoais.exe	101
PID 3784 wrote to memory of 1712	3784	wihhlutvoais.exe	101
PID 3784 wrote to memory of 1712	3784	wihhlutvoais.exe	101
PID 3784 wrote to memory of 1300	3784	wihhlutvoais.exe	102
PID 3784 wrote to memory of 1300	3784	wihhlutvoais.exe	102
PID 1300 wrote to memory of 1056	1300	msedge.exe	103
PID 1300 wrote to memory of 1056	1300	msedge.exe	103
PID 3784 wrote to memory of 3320	3784	wihhlutvoais.exe	104
PID 3784 wrote to memory of 3320	3784	wihhlutvoais.exe	104
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106
PID 1300 wrote to memory of 4292	1300	msedge.exe	106

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wihhlutvoais.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wihhlutvoais.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0633631727771a19c3593b678268e8f9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\0633631727771a19c3593b678268e8f9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0633631727771a19c3593b678268e8f9_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\wihhlutvoais.exe
    C:\Windows\wihhlutvoais.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\wihhlutvoais.exe
      C:\Windows\wihhlutvoais.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3784
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa497346f8,0x7ffa49734708,0x7ffa49734718
        6⤵
        
        PID:1056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,9271940705844593772,16988143294244498011,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
        6⤵
        
        PID:4292
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,9271940705844593772,16988143294244498011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
        6⤵
        
        PID:452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,9271940705844593772,16988143294244498011,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
        6⤵
        
        PID:5044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9271940705844593772,16988143294244498011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        6⤵
        
        PID:2980
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9271940705844593772,16988143294244498011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
        6⤵
        
        PID:5040
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,9271940705844593772,16988143294244498011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
        6⤵
        
        PID:3912
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,9271940705844593772,16988143294244498011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
        6⤵
        
        PID:3388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9271940705844593772,16988143294244498011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
        6⤵
        
        PID:3684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9271940705844593772,16988143294244498011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
        6⤵
        
        PID:740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9271940705844593772,16988143294244498011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
        6⤵
        
        PID:1644
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9271940705844593772,16988143294244498011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
        6⤵
        
        PID:1672
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\WIHHLU~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\063363~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+odwlr.html

Filesize
11KB

MD5
fb9d62dbf8298c29665bab70e280da31

SHA1
dda4c9244abed3dc8e756245ba902cc4e2557438

SHA256
fe6c5b40442b5860dbb52fbe6036a5a35d11bd6f63193134d634a30a6307826d

SHA512
f5648a5a1c3dd5e6179aa36feb034a45a5314e3703a89ae6323c71c9442fd0fb39542e3238a174226ce0d22592b92df98096fae3855f9cdda45cbb2d569126c6

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+odwlr.png

Filesize
65KB

MD5
2d5b30025221f5ee596ea3aa5c74dec2

SHA1
203092543781f59376b44c7baa77f6fa8e19ee85

SHA256
9408c5a57c9a59b0644029d0a5640f0367453b56442428a8dcec2e0aa1114377

SHA512
539abbf44829a4b719d4bee99fbf916a3d83000d779bc04f4bfa248280a1a704b39d82d4aed5fc70e9e9e8f722392db38b3932c77bc51abcbcc2b430b945b311

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+odwlr.txt

Filesize
1KB

MD5
7fa49ba9582dcce83a966c4d064a4cea

SHA1
b5c8cb5d654853a65c35d82631df25a73127475b

SHA256
01c996083e59a4e4c9724f6ecc22946f6019841ea6eab63ce671dd41cc41f25e

SHA512
60abb05863ce066a84bd314997d48b4960e7b83ee5c8b1c803611cf0d8cac3893b1d45758582cdd7ff8b807820a9665679768dce41f4dfcd3ec64304da89c07b

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
4e4e5bcc4d0d0b3888abde492556c61e

SHA1
b64185ebcaee3c068562f41b550dd6877b1d4b2f

SHA256
b82ec0ee95e669a6b7bd0a831f5705ae8d1985f8ede56897ef9fc8bb46a8ca69

SHA512
261326242e931d18a1d86f99ccacb727236d46e453dd6c861be81538d1373fac5c10f1576fc97e63848beddfe79ffbc3bdde65216cb4184c00b6ae5a4e080971

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
c117f1cdb97984fd60c74427f1b3e868

SHA1
c2260eaba8f66cb83e186b3ba6972610ca854a23

SHA256
1a4246ec274664400657d283f1cbaf77a0cd1e698f8264615eac9ed3d57d260b

SHA512
ff5d048735a4054eebd36715a262eafb14e94b72d4d577379f02c43afe723c1be0e7bce350ffd9d3324faf3a90cde23d643d90393fc6200bbf6010c85aed7929

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
a86b89b6eaa1f880e3aafbfb22b182f2

SHA1
4f024326dd158abb6167d2dc885b083f36e773da

SHA256
c5f234d9d5750452a03ceee83c0802d80c469d187dc481f55ae44c00342b627c

SHA512
5dd6a234998163ca3e1d22a057152034436de1efc16247258e8453cc70d18b8591981bff778e99047392a0e31fc3414509d48e60a4ea3bbb522b7d6fac7ccacb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
369ee465201662a4e97d7b7b1be04370

SHA1
57e17a59c530931b0e912bd86d2b4b3a5510bdce

SHA256
1f7fa2336f571f0635a78cdf148626dd5f13c8ad26f34deb27412dc88fbaedd7

SHA512
1de8053e5c133ba0f3fb486d2479544c8692f860b52d8af1d97aa522f8a0d952f78b9283de9d6830c47a248144656d36d0b38db2ccc311127c2e91f6de2cfeb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f27eb43d37808d696332919385746b55

SHA1
c4ba7e9e1a28a876329f3ab67b5e522a78fce91a

SHA256
81b80a913d0530de120a58e91efbab1934b28f87834e4b8409227e3f1b12dca4

SHA512
65e33fde7aa9302f4f0ab29b6aaed713072ca5d94d414518c3e48ba05ecc4d0f27372bac27cbbc8ec363cecda79ee27e033de417e65f113391a0b68d1c41cfe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e0a81202c4cd702bba3c1e33b036ec13

SHA1
76b5d2d65e213d36b87ba3d05975d2a9ed9c79d2

SHA256
17d24e2abc9a77b4613a2daeed4c8bc58ff474b95c1563c07ab01f80cfe48e90

SHA512
3267a61a899da9babff7be2279817e5a8186ef9965926d642b35fc34b7c22a919c9ee29e4ecba31d47e6c29ac1848794a97f59a654b3ab34e4a226687f46e62d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670756351725002.txt

Filesize
47KB

MD5
cf4edb26bbfceae96ebd29ac943f6073

SHA1
63907b9017a814cb9e25ece17b5edde9da5d73d3

SHA256
18103093de6f309db1bd03d0bbcad0b5542c186f85110513db050398c5ad2f18

SHA512
518ea79a3bf37a33ebe601ebe214b52ed80a9c085972e934857627b2ed4fa5a7bed2cadec0faeb2ff1b2d7ce2fa88207c8cc88a7a7c48047bd3a56f9b6dc2059

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764151817172.txt

Filesize
74KB

MD5
bc08d94ee980ae74f93f20711507c9ce

SHA1
6ebeec71a06df78d4b31245989017d59b4d1e4ac

SHA256
46e92e460f7dc156d6e216d36b40cf0cf436f2c33667392ee49815e491aa7f05

SHA512
a161962c3b4328db719216ceae2739849970f33a592aae07a17e77a78e1825be8b25fd17e54d2a850f9e62c10efd986e05b39a8e1b4945f6eaeb23a1a4960b08

Download Submit
C:\Windows\wihhlutvoais.exe

Filesize
276KB

MD5
0633631727771a19c3593b678268e8f9

SHA1
2c8af799af11e03abc5face54f3943c2b3071203

SHA256
dd754c7e866babc27f01d9e9b3bbac680dcc3e83b8a748d39e026b871052b527

SHA512
f705f51b7f49f51a13c4509909b80e7eaeecf2914867b41f42dd13f655ad1e815355366cb05b9a6093c1887dae569f204b9ca7ad5761a3f1952b3cbc9b31645b

Download Submit
memory/856-12-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1300-4-0x0000000000660000-0x0000000000665000-memory.dmp

Filesize
20KB

Download
memory/1300-1-0x0000000000660000-0x0000000000665000-memory.dmp

Filesize
20KB

Download
memory/1300-0-0x0000000000660000-0x0000000000665000-memory.dmp

Filesize
20KB

Download
memory/2112-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2112-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2112-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2112-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2112-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-6022-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-3063-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-9506-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-10708-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-10709-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-10717-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-10718-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-3062-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-231-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-10745-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3784-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download