8d1386773be9c28c6b3a5b5aa6838cf575189cedf17544105b95500c156b8f7e

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe
Size

327KB
MD5

09e28e9a94fee8af07007497677976fc
SHA1

383a448b39b3eb8917cf36661996ca2c933ae53e
SHA256

8d1386773be9c28c6b3a5b5aa6838cf575189cedf17544105b95500c156b8f7e
SHA512

a7a705bfa8cec58de945e86e82f2dcdb658b8f0b1d8aa606caf35e1d6860e2d3ea890c6d974dd8c692ae260d1d342f2ff875880a04f247290089c477cc9d4c02
SSDEEP

6144:UpLp0syTnvooi3umGCJ1aynXgtGF0bo8ZZma/PC4yUYS5xCKszrQZ9:UpLesyNiVRJ1a6Xgtf3ZFPRY1zrU

Score

10^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+fcxjo.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled , or start obtaining BITCOIN NOW !!!!! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files , except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below * http://t54ndnku456ngkwsudqer.wallymac.com/25C4603F6F862BC0 * http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/25C4603F6F862BC0 * http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/25C4603F6F862BC0 If for some reasons the addresses are not available, follow these steps * Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en * After a successful installation, run the browser * Type in the address bar: xlowfznrg4wf7dli.onion/25C4603F6F862BC0 * Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/25C4603F6F862BC0 http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/25C4603F6F862BC0 http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/25C4603F6F862BC0

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/25C4603F6F862BC0

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/25C4603F6F862BC0

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/25C4603F6F862BC0

http://xlowfznrg4wf7dli.onion/25C4603F6F862BC0

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (864) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

09e28e9a94fee8af07007497677976fc_JaffaCakes118.exeuvwhenmrxegd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	uvwhenmrxegd.exe

Drops startup file 6 IoCs

Processes:

uvwhenmrxegd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+fcxjo.html	uvwhenmrxegd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+fcxjo.html	uvwhenmrxegd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe

Executes dropped EXE 1 IoCs

Processes:

uvwhenmrxegd.exe

pid process

2372 uvwhenmrxegd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uvwhenmrxegd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aroinics_svc = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Windows\\uvwhenmrxegd.exe"	uvwhenmrxegd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

uvwhenmrxegd.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\_ReCoVeRy_+fcxjo.html	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-80.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-72_altform-unplated.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\_ReCoVeRy_+fcxjo.html	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-36.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-400.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_TeethSmile.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\_ReCoVeRy_+fcxjo.html	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16_altform-unplated.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-lightunplated.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Fonts\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\SMSConnect2x.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-36.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-36_altform-unplated_contrast-black.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-100.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-200.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\View3d\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\meBoot.min.js	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tt\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-150.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\WideTile.scale-200.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-200.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-100.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-white.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p1.mp4	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_0.m4a	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\id_arrow_black.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_ReCoVeRy_+fcxjo.html	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\Font\_ReCoVeRy_+fcxjo.html	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100_contrast-black.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\7.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-64_contrast-white.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_SmallTile.scale-100.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\_ReCoVeRy_+fcxjo.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\_ReCoVeRy_+fcxjo.txt	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png	uvwhenmrxegd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png	uvwhenmrxegd.exe

Drops file in Windows directory 2 IoCs

Processes:

09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\uvwhenmrxegd.exe	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe
File opened for modification	C:\Windows\uvwhenmrxegd.exe	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

09e28e9a94fee8af07007497677976fc_JaffaCakes118.exeuvwhenmrxegd.execmd.exeNOTEPAD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvwhenmrxegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

uvwhenmrxegd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings uvwhenmrxegd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4728 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	uvwhenmrxegd.exe

pid	process
4728	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

uvwhenmrxegd.exe

pid	process
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe
2372	uvwhenmrxegd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4628 msedge.exe
4628 msedge.exe
4628 msedge.exe
4628 msedge.exe
4628 msedge.exe
4628 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

09e28e9a94fee8af07007497677976fc_JaffaCakes118.exeuvwhenmrxegd.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3812	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe
Token: SeDebugPrivilege	2372	uvwhenmrxegd.exe
Token: SeIncreaseQuotaPrivilege	2940	WMIC.exe
Token: SeSecurityPrivilege	2940	WMIC.exe
Token: SeTakeOwnershipPrivilege	2940	WMIC.exe
Token: SeLoadDriverPrivilege	2940	WMIC.exe
Token: SeSystemProfilePrivilege	2940	WMIC.exe
Token: SeSystemtimePrivilege	2940	WMIC.exe
Token: SeProfSingleProcessPrivilege	2940	WMIC.exe
Token: SeIncBasePriorityPrivilege	2940	WMIC.exe
Token: SeCreatePagefilePrivilege	2940	WMIC.exe
Token: SeBackupPrivilege	2940	WMIC.exe
Token: SeRestorePrivilege	2940	WMIC.exe
Token: SeShutdownPrivilege	2940	WMIC.exe
Token: SeDebugPrivilege	2940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2940	WMIC.exe
Token: SeRemoteShutdownPrivilege	2940	WMIC.exe
Token: SeUndockPrivilege	2940	WMIC.exe
Token: SeManageVolumePrivilege	2940	WMIC.exe
Token: 33	2940	WMIC.exe
Token: 34	2940	WMIC.exe
Token: 35	2940	WMIC.exe
Token: 36	2940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2940	WMIC.exe
Token: SeSecurityPrivilege	2940	WMIC.exe
Token: SeTakeOwnershipPrivilege	2940	WMIC.exe
Token: SeLoadDriverPrivilege	2940	WMIC.exe
Token: SeSystemProfilePrivilege	2940	WMIC.exe
Token: SeSystemtimePrivilege	2940	WMIC.exe
Token: SeProfSingleProcessPrivilege	2940	WMIC.exe
Token: SeIncBasePriorityPrivilege	2940	WMIC.exe
Token: SeCreatePagefilePrivilege	2940	WMIC.exe
Token: SeBackupPrivilege	2940	WMIC.exe
Token: SeRestorePrivilege	2940	WMIC.exe
Token: SeShutdownPrivilege	2940	WMIC.exe
Token: SeDebugPrivilege	2940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2940	WMIC.exe
Token: SeRemoteShutdownPrivilege	2940	WMIC.exe
Token: SeUndockPrivilege	2940	WMIC.exe
Token: SeManageVolumePrivilege	2940	WMIC.exe
Token: 33	2940	WMIC.exe
Token: 34	2940	WMIC.exe
Token: 35	2940	WMIC.exe
Token: 36	2940	WMIC.exe
Token: SeBackupPrivilege	3424	vssvc.exe
Token: SeRestorePrivilege	3424	vssvc.exe
Token: SeAuditPrivilege	3424	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4608	WMIC.exe
Token: SeSecurityPrivilege	4608	WMIC.exe
Token: SeTakeOwnershipPrivilege	4608	WMIC.exe
Token: SeLoadDriverPrivilege	4608	WMIC.exe
Token: SeSystemProfilePrivilege	4608	WMIC.exe
Token: SeSystemtimePrivilege	4608	WMIC.exe
Token: SeProfSingleProcessPrivilege	4608	WMIC.exe
Token: SeIncBasePriorityPrivilege	4608	WMIC.exe
Token: SeCreatePagefilePrivilege	4608	WMIC.exe
Token: SeBackupPrivilege	4608	WMIC.exe
Token: SeRestorePrivilege	4608	WMIC.exe
Token: SeShutdownPrivilege	4608	WMIC.exe
Token: SeDebugPrivilege	4608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4608	WMIC.exe
Token: SeRemoteShutdownPrivilege	4608	WMIC.exe
Token: SeUndockPrivilege	4608	WMIC.exe
Token: SeManageVolumePrivilege	4608	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

09e28e9a94fee8af07007497677976fc_JaffaCakes118.exeuvwhenmrxegd.exemsedge.exe

description	pid	process	target process
PID 3812 wrote to memory of 2372	3812	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	uvwhenmrxegd.exe
PID 3812 wrote to memory of 2372	3812	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	uvwhenmrxegd.exe
PID 3812 wrote to memory of 2372	3812	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	uvwhenmrxegd.exe
PID 3812 wrote to memory of 3204	3812	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	cmd.exe
PID 3812 wrote to memory of 3204	3812	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	cmd.exe
PID 3812 wrote to memory of 3204	3812	09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe	cmd.exe
PID 2372 wrote to memory of 2940	2372	uvwhenmrxegd.exe	WMIC.exe
PID 2372 wrote to memory of 2940	2372	uvwhenmrxegd.exe	WMIC.exe
PID 2372 wrote to memory of 4728	2372	uvwhenmrxegd.exe	NOTEPAD.EXE
PID 2372 wrote to memory of 4728	2372	uvwhenmrxegd.exe	NOTEPAD.EXE
PID 2372 wrote to memory of 4728	2372	uvwhenmrxegd.exe	NOTEPAD.EXE
PID 2372 wrote to memory of 4628	2372	uvwhenmrxegd.exe	msedge.exe
PID 2372 wrote to memory of 4628	2372	uvwhenmrxegd.exe	msedge.exe
PID 4628 wrote to memory of 4356	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4356	4628	msedge.exe	msedge.exe
PID 2372 wrote to memory of 4608	2372	uvwhenmrxegd.exe	WMIC.exe
PID 2372 wrote to memory of 4608	2372	uvwhenmrxegd.exe	WMIC.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4596	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4088	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 4088	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1788	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1788	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1788	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1788	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1788	4628	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

uvwhenmrxegd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvwhenmrxegd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	uvwhenmrxegd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09e28e9a94fee8af07007497677976fc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\uvwhenmrxegd.exe
  C:\Windows\uvwhenmrxegd.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2372
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:4728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8a6446f8,0x7ffe8a644708,0x7ffe8a644718
      4⤵
      PID:4356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,1882953303127261020,7434896331683254575,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      4⤵
      PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,1882953303127261020,7434896331683254575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
      4⤵
      PID:4088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,1882953303127261020,7434896331683254575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
      4⤵
      PID:1788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1882953303127261020,7434896331683254575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
      4⤵
      PID:4916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1882953303127261020,7434896331683254575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      PID:1404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,1882953303127261020,7434896331683254575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
      4⤵
      PID:4440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,1882953303127261020,7434896331683254575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
      4⤵
      PID:4404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1882953303127261020,7434896331683254575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      4⤵
      PID:4408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1882953303127261020,7434896331683254575,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
      4⤵
      PID:4268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1882953303127261020,7434896331683254575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
      4⤵
      PID:760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1882953303127261020,7434896331683254575,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
      4⤵
      PID:2220
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\09E28E~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+fcxjo.html

Filesize
11KB

MD5
e4cc99aa6074b34cba8997b333a5fa3b

SHA1
46504ed2ea3f796cf57a3ae5fa5826f555164bd9

SHA256
d7c8e9600440c3760ca3dd1e05bb82e8ef84ab5bb20eeada7d8afd983cb59fad

SHA512
27071f6e55e022f41c4071a4a93ae196fb70c9999d451aa2e5087d42e9a5d59d4796eef6ac38aa379225fcdeaa21b1a33e3de771df836b79665f93a2203c3409

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+fcxjo.png

Filesize
61KB

MD5
7a84c8f072ffd796650e13235933debe

SHA1
f004bc25482b790aaa6ab9a95dc0bc11ddda4c1d

SHA256
366db962949d2c9a7c4a7fa7248525629a85a1a47f30f20377e2215601b28caf

SHA512
212ec10c088ea7d4b31c0068a66a7a7971d6ead0ef4580ca49e02e4ee628b8d6cb99b730c7e2881ebf48104d029085185923c564d3aa242533de7b57ede0c9d7

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+fcxjo.txt

Filesize
1KB

MD5
41d63ab8bc312b20d348f6163ff4caa8

SHA1
15d85daaf5bf850962b5e583541a53dfcc4da115

SHA256
5d78c1a81e5e2421dbaa7dd41c40bd589a48fdc77b7dd5187715f5875b85390a

SHA512
f5440e0aa6bc25ffb80a22929f6c1323be24b0404f1d4a1c8c8362aa8962b7a8cb19990fb2004e21b9dd4d554e77363d074fd7a93d8c4aa7f77e1dcfd50e6795

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
3c6f7ae955de8b7853a437ce48b41784

SHA1
7dc4036d548744879ced0f063bf6bde7da83b034

SHA256
259321861c81432f445eb46871f6f6cfa33b3c1e7cf5e42bd8a5a10e4c40b681

SHA512
413243576905007e5d57dcbc426e7bdb39f8a2c9636ba8d7d82a00a1da16fee0bba007b586d2bc16b072fe414acab58356b7da9089cc8bb1c8bca8fb219fa58e

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
f73b287c526a67c79a2ccc3da4ee3c45

SHA1
9cc8811d7c1ed9f03eb46f4b1279b24d98715343

SHA256
6b944560265f8aa15aa801ca0175df7621dc821f2af7da29b3c2f688af86dcc4

SHA512
aae3cf02e69cb9bdcb69adf2a9faea4b2a9f0056e0b752b1bef918c94da2c2fd8d7d56918683eda48b5b536f1ede1dbbbc93b9451187fc9af23321bb11446bde

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
cc11e770b922f8523fea7d3d5f7d8b41

SHA1
44a07e5019d801957dc6b93ff3e4aa8e4e522e20

SHA256
c652680275542b970aae3eca4845f2b46f2612a2f4e209491386a833f16d3ca0

SHA512
3eceec57bf75a394941779031b342c6c6ff64c74c59e0c72919a9b7ec1cff7ae70dc21afd0a6ad0b2362a7bafea67a6efdfcc6f98e760d42d236b755ff0519e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4b5eaf7edd9d5391ddfdb694e0cd888

SHA1
d1f92fbd238c4d5fb6861a83153893568d514586

SHA256
1d5fc1e6da67b60df30ee83dd11359ec3dbe0c4bdddff2f2f862fa9c4619d903

SHA512
1b62d5740572b1c17dadcb83d9e0017d6a8ff94cc64bc024cc47fa92a8180f7c2d18bef79ddf5cac8a9a97ecefd8461b06665e522acb0c5857dac1a2838fc048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db1ed3bbcaa8e96c29a0b57e72bf0319

SHA1
9bc11860837a2bcdd048613ba8dd76d6d77d32d9

SHA256
7c7db5dde536599fd7ffd4dee8e03ca0f6680e662022869057b09a4635b9b87c

SHA512
eb7375877e9b51ebcf8cfc62cf822fdce3fdce837fbbd00d4d54c52c4f67bd82408e4809e1c92f32e9f3edc9e6726910f752fbeaf14704745688b0239405e6c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fb2057640717d4245ab09f7bfa05b253

SHA1
bb345cd075bef11c844ba13648ee71c40233851e

SHA256
ef5179c12fb34cf3ec7fdd967d0684940a6c536a84e48724a513879b1d373807

SHA512
de70e0eea78a549b1f917f57c806653335b06b9ce103857d5cd452a4f5b02210cc4aee24109473693fe44c6c076662d1e1bee3491f8095154f09b674608c35dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4141f1e405847b031f8788ddc70b2b19

SHA1
153a0a0b3e50abfa932a0269050fb98c06831ea0

SHA256
32b53fd8ca6045eef7ea9fc693e9de6744d637029f969ef9fec90356a01ec910

SHA512
a473a3c1ed398cadf66d9773aa1fc070781dcc36efa4fff3717dc3a7184471835d5f5073d8dd9a97de630de3a906170b5b9dcb24243371fd54810804ce38936b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
941ea4c983b3cf877ce6e1aab38f2794

SHA1
c4fcce581d0660a0c96d0579aedb528a8168233c

SHA256
3d4479f291d239eec609801437c1962e41e19c53a3eadd2f95342167fa7ad342

SHA512
f47836cc619ea50f24d3804a697bb562781e812a65285959d7dbce53db8945cbbab2f9b8290ba2bd9925f620858918ddc676c082cdadae8444a9751d642a381b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3de38a9562178fe08b09bd235c9a3e90

SHA1
fbdebfec9b24baea017991c5f6ac6e4a4b709c4c

SHA256
ae4a89511bbe864430dbee1b77c6d5c3bbeb89f647f5e19ff05daa1550ba4d43

SHA512
635feb9dd1e36aa62e511f099c22feb95bb5094f4aed62ed50046b83bd1ae54495dc2b8bf052b41198f9e53e6edf2cb032a286d221f533282f9a813bdda4ad17

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133704348992857764.txt

Filesize
47KB

MD5
09c7a2ad2c1d2e4d31e95c76105ac363

SHA1
82292a967820d57271a05127adeaff1b71492325

SHA256
d2100a77f2349b1840be0e96f6a0a4838da858642936e96f31f28732b9b95692

SHA512
e6121324c9707a46def923e4abd9c509b8c273628fcbba04b6b4788db7569c800f60d2004079670c22c02745d95ca68a8263915d938f9c24e689836d08a7b8d1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133704357726034926.txt

Filesize
74KB

MD5
d01b809012d26f9dfcd9eb675a36e11b

SHA1
374ea6ae9e8681a9b0f4540b4df52ba6b1a41f1f

SHA256
5d74f3dc6d1c84c34f618e201f3222793da24a7ce9617daa97db3a1995c45470

SHA512
287d9522ae35116d43d62475b15775040b036cac9aea1510caada4e09d6512bced0456dceb534ef96450690adfe146b94c6956ced829c278de5e1a71263f93a7

Download Submit
C:\Windows\uvwhenmrxegd.exe

Filesize
327KB

MD5
09e28e9a94fee8af07007497677976fc

SHA1
383a448b39b3eb8917cf36661996ca2c933ae53e

SHA256
8d1386773be9c28c6b3a5b5aa6838cf575189cedf17544105b95500c156b8f7e

SHA512
a7a705bfa8cec58de945e86e82f2dcdb658b8f0b1d8aa606caf35e1d6860e2d3ea890c6d974dd8c692ae260d1d342f2ff875880a04f247290089c477cc9d4c02

Download Submit
\??\pipe\LOCAL\crashpad_4628_NYNWBHUROFQCQFWX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2372-10498-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2372-8755-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2372-10544-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2372-5300-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2372-2732-0x0000000000610000-0x0000000000696000-memory.dmp

Filesize
536KB

Download
memory/2372-2721-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2372-9-0x0000000000610000-0x0000000000696000-memory.dmp

Filesize
536KB

Download
memory/2372-10646-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/3812-1-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/3812-14-0x0000000000880000-0x0000000000906000-memory.dmp

Filesize
536KB

Download
memory/3812-0-0x0000000000880000-0x0000000000906000-memory.dmp

Filesize
536KB

Download
memory/3812-13-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download