teslacrypt | 69155f404a1482e4188726cb0f88b6c6fd6ca94d834b31e05f36e88662281e22

Analysis

max time kernel
144s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
Size

418KB
MD5

1a9ab9e924a6856d642bbe88064e4236
SHA1

d9d445e9dcb8694398c7acb33f38d7261c95321c
SHA256

69155f404a1482e4188726cb0f88b6c6fd6ca94d834b31e05f36e88662281e22
SHA512

f41e93d25fe32248f55dbf5c1c721e4af5d2c28531816955094585a00afa94ea2dab0a6e25191abe8896a2185cdbc535d9dcf3beac14b683d05e1c8c7c6f80b2
SSDEEP

6144:/lhEMsxe34/JTpHIOdX2JOVM8aSC4Zl7rOfT+yIaIWk3HtlE0/Ce+Mx62q2jQ1+d:7ssoJhf8JOqQC4/7CfTk/rsh2jQ1T0jv

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+ixggh.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B6776941C7E49E 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B6776941C7E49E 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/9B6776941C7E49E If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/9B6776941C7E49E 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B6776941C7E49E http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B6776941C7E49E http://yyre45dbvn2nhbefbmh.begumvelic.at/9B6776941C7E49E Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/9B6776941C7E49E

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B6776941C7E49E

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B6776941C7E49E

http://yyre45dbvn2nhbefbmh.begumvelic.at/9B6776941C7E49E

http://xlowfznrg4wf7dli.ONION/9B6776941C7E49E

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (882) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exeeydypqotqvhi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	eydypqotqvhi.exe

Drops startup file 6 IoCs

Processes:

eydypqotqvhi.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ixggh.html	eydypqotqvhi.exe

Executes dropped EXE 2 IoCs

Processes:

eydypqotqvhi.exeeydypqotqvhi.exe

pid process

1808 eydypqotqvhi.exe
1676 eydypqotqvhi.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
1808	eydypqotqvhi.exe
1676	eydypqotqvhi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eydypqotqvhi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\djkeakuvbayk = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\eydypqotqvhi.exe\""	eydypqotqvhi.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exeeydypqotqvhi.exe

description	pid	process	target process
PID 4696 set thread context of 2132	4696	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
PID 1808 set thread context of 1676	1808	eydypqotqvhi.exe	eydypqotqvhi.exe

Drops file in Program Files directory 64 IoCs

Processes:

eydypqotqvhi.exe

description	ioc	process
File opened for modification	C:\Program Files\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200_contrast-white.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\accuweather.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-ES\View3d\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteMedTile.scale-125.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Java\jre-1.8\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\id-ID\View3d\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ta-IN\View3d\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\View3d\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-400.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_Package.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-16.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-125.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ta-IN\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_DogEar.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsBadgeLogo.scale-100.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-200_contrast-white.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_scale-200.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\remixCTA_welcome.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-40.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-200.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72_altform-lightunplated.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\MedTile.scale-125.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\office.core.operational.js	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-black\_RECoVERY_+ixggh.html	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_WorriedEye.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\ModifiableWindowsApps\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-300.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-high.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+ixggh.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Retail\NinjaCatOnDragon.scale-100.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-100.png	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_RECoVERY_+ixggh.txt	eydypqotqvhi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-150.png	eydypqotqvhi.exe

Drops file in Windows directory 2 IoCs

Processes:

1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\eydypqotqvhi.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
File opened for modification	C:\Windows\eydypqotqvhi.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeeydypqotqvhi.exeNOTEPAD.EXEcmd.exe1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exeeydypqotqvhi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eydypqotqvhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eydypqotqvhi.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

eydypqotqvhi.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings eydypqotqvhi.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1380 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	eydypqotqvhi.exe

pid	process
1380	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eydypqotqvhi.exe

pid	process
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe
1676	eydypqotqvhi.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1536 msedge.exe
1536 msedge.exe
1536 msedge.exe
1536 msedge.exe
1536 msedge.exe
1536 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exeeydypqotqvhi.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2132	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
Token: SeDebugPrivilege	1676	eydypqotqvhi.exe
Token: SeIncreaseQuotaPrivilege	4244	WMIC.exe
Token: SeSecurityPrivilege	4244	WMIC.exe
Token: SeTakeOwnershipPrivilege	4244	WMIC.exe
Token: SeLoadDriverPrivilege	4244	WMIC.exe
Token: SeSystemProfilePrivilege	4244	WMIC.exe
Token: SeSystemtimePrivilege	4244	WMIC.exe
Token: SeProfSingleProcessPrivilege	4244	WMIC.exe
Token: SeIncBasePriorityPrivilege	4244	WMIC.exe
Token: SeCreatePagefilePrivilege	4244	WMIC.exe
Token: SeBackupPrivilege	4244	WMIC.exe
Token: SeRestorePrivilege	4244	WMIC.exe
Token: SeShutdownPrivilege	4244	WMIC.exe
Token: SeDebugPrivilege	4244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4244	WMIC.exe
Token: SeRemoteShutdownPrivilege	4244	WMIC.exe
Token: SeUndockPrivilege	4244	WMIC.exe
Token: SeManageVolumePrivilege	4244	WMIC.exe
Token: 33	4244	WMIC.exe
Token: 34	4244	WMIC.exe
Token: 35	4244	WMIC.exe
Token: 36	4244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4244	WMIC.exe
Token: SeSecurityPrivilege	4244	WMIC.exe
Token: SeTakeOwnershipPrivilege	4244	WMIC.exe
Token: SeLoadDriverPrivilege	4244	WMIC.exe
Token: SeSystemProfilePrivilege	4244	WMIC.exe
Token: SeSystemtimePrivilege	4244	WMIC.exe
Token: SeProfSingleProcessPrivilege	4244	WMIC.exe
Token: SeIncBasePriorityPrivilege	4244	WMIC.exe
Token: SeCreatePagefilePrivilege	4244	WMIC.exe
Token: SeBackupPrivilege	4244	WMIC.exe
Token: SeRestorePrivilege	4244	WMIC.exe
Token: SeShutdownPrivilege	4244	WMIC.exe
Token: SeDebugPrivilege	4244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4244	WMIC.exe
Token: SeRemoteShutdownPrivilege	4244	WMIC.exe
Token: SeUndockPrivilege	4244	WMIC.exe
Token: SeManageVolumePrivilege	4244	WMIC.exe
Token: 33	4244	WMIC.exe
Token: 34	4244	WMIC.exe
Token: 35	4244	WMIC.exe
Token: 36	4244	WMIC.exe
Token: SeBackupPrivilege	4504	vssvc.exe
Token: SeRestorePrivilege	4504	vssvc.exe
Token: SeAuditPrivilege	4504	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4280	WMIC.exe
Token: SeSecurityPrivilege	4280	WMIC.exe
Token: SeTakeOwnershipPrivilege	4280	WMIC.exe
Token: SeLoadDriverPrivilege	4280	WMIC.exe
Token: SeSystemProfilePrivilege	4280	WMIC.exe
Token: SeSystemtimePrivilege	4280	WMIC.exe
Token: SeProfSingleProcessPrivilege	4280	WMIC.exe
Token: SeIncBasePriorityPrivilege	4280	WMIC.exe
Token: SeCreatePagefilePrivilege	4280	WMIC.exe
Token: SeBackupPrivilege	4280	WMIC.exe
Token: SeRestorePrivilege	4280	WMIC.exe
Token: SeShutdownPrivilege	4280	WMIC.exe
Token: SeDebugPrivilege	4280	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4280	WMIC.exe
Token: SeRemoteShutdownPrivilege	4280	WMIC.exe
Token: SeUndockPrivilege	4280	WMIC.exe
Token: SeManageVolumePrivilege	4280	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exeeydypqotqvhi.exeeydypqotqvhi.exemsedge.exe

description	pid	process	target process
PID 4696 wrote to memory of 2132	4696	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
PID 4696 wrote to memory of 2132	4696	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
PID 4696 wrote to memory of 2132	4696	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
PID 4696 wrote to memory of 2132	4696	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
PID 4696 wrote to memory of 2132	4696	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
PID 4696 wrote to memory of 2132	4696	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
PID 4696 wrote to memory of 2132	4696	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
PID 4696 wrote to memory of 2132	4696	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
PID 4696 wrote to memory of 2132	4696	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
PID 2132 wrote to memory of 1808	2132	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	eydypqotqvhi.exe
PID 2132 wrote to memory of 1808	2132	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	eydypqotqvhi.exe
PID 2132 wrote to memory of 1808	2132	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	eydypqotqvhi.exe
PID 2132 wrote to memory of 4956	2132	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	cmd.exe
PID 2132 wrote to memory of 4956	2132	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	cmd.exe
PID 2132 wrote to memory of 4956	2132	1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe	cmd.exe
PID 1808 wrote to memory of 1676	1808	eydypqotqvhi.exe	eydypqotqvhi.exe
PID 1808 wrote to memory of 1676	1808	eydypqotqvhi.exe	eydypqotqvhi.exe
PID 1808 wrote to memory of 1676	1808	eydypqotqvhi.exe	eydypqotqvhi.exe
PID 1808 wrote to memory of 1676	1808	eydypqotqvhi.exe	eydypqotqvhi.exe
PID 1808 wrote to memory of 1676	1808	eydypqotqvhi.exe	eydypqotqvhi.exe
PID 1808 wrote to memory of 1676	1808	eydypqotqvhi.exe	eydypqotqvhi.exe
PID 1808 wrote to memory of 1676	1808	eydypqotqvhi.exe	eydypqotqvhi.exe
PID 1808 wrote to memory of 1676	1808	eydypqotqvhi.exe	eydypqotqvhi.exe
PID 1808 wrote to memory of 1676	1808	eydypqotqvhi.exe	eydypqotqvhi.exe
PID 1676 wrote to memory of 4244	1676	eydypqotqvhi.exe	WMIC.exe
PID 1676 wrote to memory of 4244	1676	eydypqotqvhi.exe	WMIC.exe
PID 1676 wrote to memory of 1380	1676	eydypqotqvhi.exe	NOTEPAD.EXE
PID 1676 wrote to memory of 1380	1676	eydypqotqvhi.exe	NOTEPAD.EXE
PID 1676 wrote to memory of 1380	1676	eydypqotqvhi.exe	NOTEPAD.EXE
PID 1676 wrote to memory of 1536	1676	eydypqotqvhi.exe	msedge.exe
PID 1676 wrote to memory of 1536	1676	eydypqotqvhi.exe	msedge.exe
PID 1536 wrote to memory of 1408	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 1408	1536	msedge.exe	msedge.exe
PID 1676 wrote to memory of 4280	1676	eydypqotqvhi.exe	WMIC.exe
PID 1676 wrote to memory of 4280	1676	eydypqotqvhi.exe	WMIC.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3672	1536	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

eydypqotqvhi.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	eydypqotqvhi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	eydypqotqvhi.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1a9ab9e924a6856d642bbe88064e4236_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\eydypqotqvhi.exe
    C:\Windows\eydypqotqvhi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\eydypqotqvhi.exe
      C:\Windows\eydypqotqvhi.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1676
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa111446f8,0x7ffa11144708,0x7ffa11144718
        6⤵
        
        PID:1408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15726354879162274991,2477708923343199313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        6⤵
        
        PID:3672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15726354879162274991,2477708923343199313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
        6⤵
        
        PID:116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,15726354879162274991,2477708923343199313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
        6⤵
        
        PID:4940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15726354879162274991,2477708923343199313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        
        PID:4676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15726354879162274991,2477708923343199313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        6⤵
        
        PID:2012
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15726354879162274991,2477708923343199313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
        6⤵
        
        PID:4620
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15726354879162274991,2477708923343199313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
        6⤵
        
        PID:2188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15726354879162274991,2477708923343199313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
        6⤵
        
        PID:2296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15726354879162274991,2477708923343199313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
        6⤵
        
        PID:2220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15726354879162274991,2477708923343199313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
        6⤵
        
        PID:4952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15726354879162274991,2477708923343199313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
        6⤵
        
        PID:284
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\EYDYPQ~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1A9AB9~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+ixggh.html

Filesize
12KB

MD5
0061a905a62924d5082ade83ff1d73d4

SHA1
150a12042873360f1fc35a7e61f184edb296942a

SHA256
df9a7e499c522a3f3adc059810ae463ee50a7fa95d5762e9c3c3e0949191f10f

SHA512
6808530d7d8181843c93190d6e1c93d4b6af52e67c2f769535f4f431bd142e6588e3d137069cd75e24fdb1f595dd48cca4e18308fe7c96cf704d9710790d6517

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+ixggh.png

Filesize
64KB

MD5
8f7fc54630cd059349ebfb211abb9c71

SHA1
645168b900e348f59134efa061e30c426fb34469

SHA256
c9a5ac5537a591219504b694dfa76d168dfad4f5271f0514e4a7a13a7f83c646

SHA512
f2a618620a041a6f781e866205d99bd56a22aa6d0e8fbdca05516763b12b82194860aec79cb3990b4a625a66dfd0e00c0d7d73354f5021769b20d1b6a0bfcb6f

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+ixggh.txt

Filesize
1KB

MD5
fe5edb842a6db198ce54486fd56d02bd

SHA1
7de8a0d3ff46396946f48fc0f97dc88398e4fbf5

SHA256
a8329ff3b7eeff4167d8e53cd800723b4012dbaced9272d422787e388aff1d54

SHA512
943436a8cc838613aba52e2b0badb3f51db918b74fca9dadb8c5fd5346a048338f10392f69164d74de021a8bff4553f73f37b87f0304cede8425dc94057f784d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
dbfc93617d38a75e7354edb223eb2899

SHA1
25b6164b81d7c26115c8e537528d9b377e4f14f5

SHA256
aeeacf4f70b3f77ea12f29ef28c804e3914fd44a0d96dab85494b0ac56d5c903

SHA512
245eced0e4d44a4cd20fbaf609835bf0e90b87c48aae7d1f6901c85c40852626ac1f78b02393cdcb087c5cde3b910df6dfa707bbd110851c50c9393151f82003

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
2849dbc6fe73a944a01ffcdca30fb04f

SHA1
be50987944eace3a52695e112324b8f5ff477f26

SHA256
edf4da0659c85216805987cd29dc0a402a64074d34ccb8ebaf155cd5d9584f43

SHA512
8b3cdfaa83c248d5781cd89252d03c2cf4aec5dea397dc63c029d2df743248880182cf9f9fbb0efb345e216cd9283d37c33bebbfb18cf666f2608bb3a9bee828

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
e594a527c718468e7372b654f7d1ca78

SHA1
971531f1244363fca0e02af2d1ed6fa7f449e529

SHA256
3b60b66bca7aef15880a339c332d1e4023f65c28d46cb73778283bcb34ad3931

SHA512
4f48c3938c7cffc84b79da95f67be399b3c27e7e67dab925a9dabea6111e92f57b80bbdc316c57a6bf3689f945084c9a79cc362bae30fe5aa76d9afab8a45698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d8616ec086c908bd7d4b194828df51f8

SHA1
d20226d87196927c8ed1495951edfbe7a24c9431

SHA256
1547dceb5f6743f9aead277c855960403702ca61491804971802a309f5e74b5a

SHA512
769dbfcbcf4ff9b52e5745e5d3e71ba4829034a4f9ed429e081e897b2f822ec6db0592393a0a2874515ecacedd456e7e252f4d14dbf83b7feb0d6a99ce36750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
97e47361cb4ca76f4d00d55547aa0e68

SHA1
b819f6b70fe4431db712545d1f84a4dc328b326c

SHA256
211e935c0f8dc856827011b37d9447546602e8e13c198661c34b139354842265

SHA512
a851fd83a1a9b0f2b0a9d263b555958bf7731d07386ccde5b79caa2b8ab43743af7d76822d716fd504cc42c8b7c204c467070c38984d6d4748a94297245fc46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
93ea539df3dcc460a118fd8fea8b8803

SHA1
a2a18dae772d799190581466171e33e63b9f8846

SHA256
2b17952957f443b27bc0553d20afe3e896aeb88364ac06b69559b67d8e38f3ab

SHA512
5040ccc3a93d1e8f5216771b2a3a818a0a029c967ddbc85f7ea3b0b1e9c9dbebd83a8a23bb88cce6cc7c358e6cee05d429cb890add5f8cc14001a4777fc7ee89

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670756182462133.txt

Filesize
47KB

MD5
661c74c750144027baad57f1f80d44f6

SHA1
22e35c7f818b8007c929836a005f28b7178713aa

SHA256
d5a66f52ec70647585ba8f7c6152e965417230d04ec064d5a5cdac9ed39ca552

SHA512
03e12e9ce1ea0fd82671528c956bd6855845b3523506396f9825a6a4f1838e10b6f3739f430c7213371321cfa291c44fcf9c56ebb416d9d31af6a2d159ae50f6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764368086779.txt

Filesize
74KB

MD5
4b2d493f7eb99fa39b1aaa120c095ee5

SHA1
6ce0ef69319458e0fd9aa75b26651b53e062b61f

SHA256
e382fa6e115280bad69b742b2f18dd4756e32414a9ac4e31d07df8b8fdbe3200

SHA512
9000125cff7aef48e185d634aacb79e3d11dca479249e1c6307fe67bfb99053fe56faab1b90bd5d47563b2364e169e8d1d00ea388863f1f8b7024ba2964d933d

Download Submit
C:\Windows\eydypqotqvhi.exe

Filesize
418KB

MD5
1a9ab9e924a6856d642bbe88064e4236

SHA1
d9d445e9dcb8694398c7acb33f38d7261c95321c

SHA256
69155f404a1482e4188726cb0f88b6c6fd6ca94d834b31e05f36e88662281e22

SHA512
f41e93d25fe32248f55dbf5c1c721e4af5d2c28531816955094585a00afa94ea2dab0a6e25191abe8896a2185cdbc535d9dcf3beac14b683d05e1c8c7c6f80b2

Download Submit
\??\pipe\LOCAL\crashpad_1536_RRCJYGOIFKOBJRTL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1676-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-9123-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-2817-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-2818-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-5622-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-10532-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-10502-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-156-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-10492-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-10493-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-10501-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1808-12-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2132-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2132-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2132-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2132-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2132-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-0-0x0000000000560000-0x0000000000564000-memory.dmp

Filesize
16KB

Download
memory/4696-4-0x0000000000560000-0x0000000000564000-memory.dmp

Filesize
16KB

Download
memory/4696-1-0x0000000000560000-0x0000000000564000-memory.dmp

Filesize
16KB

Download