teslacrypt | a45bd6e5fec24298c6453c29f5046fe9346366da194da4fc26935c5482c58734

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe
Size

352KB
MD5

1d46f87737ca1591b52ef272100ccab2
SHA1

e0a0f3c73c3829a71eaf2444d9e71977227a8799
SHA256

a45bd6e5fec24298c6453c29f5046fe9346366da194da4fc26935c5482c58734
SHA512

f5de0eaa8e55d07772f8faa0664ddc10378a630050ca8afbb0c855e066d585459b2fd59d6a3b06f466a0bbd99c2f5f5a5c2c8d52df6a0117f07ff6334a5aa332
SSDEEP

6144:QMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:QTb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qirwt.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F75D8447AF7C01F 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F75D8447AF7C01F 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/F75D8447AF7C01F If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/F75D8447AF7C01F 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F75D8447AF7C01F http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F75D8447AF7C01F http://yyre45dbvn2nhbefbmh.begumvelic.at/F75D8447AF7C01F Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/F75D8447AF7C01F

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F75D8447AF7C01F

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F75D8447AF7C01F

http://yyre45dbvn2nhbefbmh.begumvelic.at/F75D8447AF7C01F

http://xlowfznrg4wf7dli.ONION/F75D8447AF7C01F

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exegmtxsywmbppx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	gmtxsywmbppx.exe

Drops startup file 6 IoCs

Processes:

gmtxsywmbppx.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe

Executes dropped EXE 1 IoCs

Processes:

gmtxsywmbppx.exe

pid process

1204 gmtxsywmbppx.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gmtxsywmbppx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldpmiyd = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\gmtxsywmbppx.exe"	gmtxsywmbppx.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

gmtxsywmbppx.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-150.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\office.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-100.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-200.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\3B9D3023-9E41-4144-80F7-056F252AE726\root\vfs\Windows\assembly\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-80_altform-unplated.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentMobile_24x20.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-24_altform-unplated.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\View3d\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20_altform-unplated_contrast-white.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-ES\View3d\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\SmallTile.scale-125.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-200.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\SuggestionsService\PushpinDark.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-125_contrast-white.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\LargeTile.scale-100_contrast-white.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-400_contrast-black.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\View3d\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30_altform-lightunplated.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-high.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-200.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_altform-unplated_contrast-white.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-150.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\_ReCoVeRy_+qirwt.txt	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteMedTile.scale-400.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsPowerShell\_ReCoVeRy_+qirwt.html	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_ReCoVeRy_+qirwt.png	gmtxsywmbppx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-72.png	gmtxsywmbppx.exe

Drops file in Windows directory 2 IoCs

Processes:

1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\gmtxsywmbppx.exe	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe
File opened for modification	C:\Windows\gmtxsywmbppx.exe	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exegmtxsywmbppx.execmd.exeNOTEPAD.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmtxsywmbppx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

gmtxsywmbppx.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings gmtxsywmbppx.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3580 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	gmtxsywmbppx.exe

pid	process
3580	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gmtxsywmbppx.exe

pid	process
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe
1204	gmtxsywmbppx.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4804 msedge.exe
4804 msedge.exe
4804 msedge.exe
4804 msedge.exe
4804 msedge.exe
4804 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exegmtxsywmbppx.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4452	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe
Token: SeDebugPrivilege	1204	gmtxsywmbppx.exe
Token: SeIncreaseQuotaPrivilege	1352	WMIC.exe
Token: SeSecurityPrivilege	1352	WMIC.exe
Token: SeTakeOwnershipPrivilege	1352	WMIC.exe
Token: SeLoadDriverPrivilege	1352	WMIC.exe
Token: SeSystemProfilePrivilege	1352	WMIC.exe
Token: SeSystemtimePrivilege	1352	WMIC.exe
Token: SeProfSingleProcessPrivilege	1352	WMIC.exe
Token: SeIncBasePriorityPrivilege	1352	WMIC.exe
Token: SeCreatePagefilePrivilege	1352	WMIC.exe
Token: SeBackupPrivilege	1352	WMIC.exe
Token: SeRestorePrivilege	1352	WMIC.exe
Token: SeShutdownPrivilege	1352	WMIC.exe
Token: SeDebugPrivilege	1352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1352	WMIC.exe
Token: SeRemoteShutdownPrivilege	1352	WMIC.exe
Token: SeUndockPrivilege	1352	WMIC.exe
Token: SeManageVolumePrivilege	1352	WMIC.exe
Token: 33	1352	WMIC.exe
Token: 34	1352	WMIC.exe
Token: 35	1352	WMIC.exe
Token: 36	1352	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1352	WMIC.exe
Token: SeSecurityPrivilege	1352	WMIC.exe
Token: SeTakeOwnershipPrivilege	1352	WMIC.exe
Token: SeLoadDriverPrivilege	1352	WMIC.exe
Token: SeSystemProfilePrivilege	1352	WMIC.exe
Token: SeSystemtimePrivilege	1352	WMIC.exe
Token: SeProfSingleProcessPrivilege	1352	WMIC.exe
Token: SeIncBasePriorityPrivilege	1352	WMIC.exe
Token: SeCreatePagefilePrivilege	1352	WMIC.exe
Token: SeBackupPrivilege	1352	WMIC.exe
Token: SeRestorePrivilege	1352	WMIC.exe
Token: SeShutdownPrivilege	1352	WMIC.exe
Token: SeDebugPrivilege	1352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1352	WMIC.exe
Token: SeRemoteShutdownPrivilege	1352	WMIC.exe
Token: SeUndockPrivilege	1352	WMIC.exe
Token: SeManageVolumePrivilege	1352	WMIC.exe
Token: 33	1352	WMIC.exe
Token: 34	1352	WMIC.exe
Token: 35	1352	WMIC.exe
Token: 36	1352	WMIC.exe
Token: SeBackupPrivilege	2492	vssvc.exe
Token: SeRestorePrivilege	2492	vssvc.exe
Token: SeAuditPrivilege	2492	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exegmtxsywmbppx.exemsedge.exe

description	pid	process	target process
PID 4452 wrote to memory of 1204	4452	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	gmtxsywmbppx.exe
PID 4452 wrote to memory of 1204	4452	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	gmtxsywmbppx.exe
PID 4452 wrote to memory of 1204	4452	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	gmtxsywmbppx.exe
PID 4452 wrote to memory of 2452	4452	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	cmd.exe
PID 4452 wrote to memory of 2452	4452	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	cmd.exe
PID 4452 wrote to memory of 2452	4452	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	cmd.exe
PID 1204 wrote to memory of 1352	1204	gmtxsywmbppx.exe	WMIC.exe
PID 1204 wrote to memory of 1352	1204	gmtxsywmbppx.exe	WMIC.exe
PID 1204 wrote to memory of 3580	1204	gmtxsywmbppx.exe	NOTEPAD.EXE
PID 1204 wrote to memory of 3580	1204	gmtxsywmbppx.exe	NOTEPAD.EXE
PID 1204 wrote to memory of 3580	1204	gmtxsywmbppx.exe	NOTEPAD.EXE
PID 1204 wrote to memory of 4804	1204	gmtxsywmbppx.exe	msedge.exe
PID 1204 wrote to memory of 4804	1204	gmtxsywmbppx.exe	msedge.exe
PID 4804 wrote to memory of 1396	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1396	4804	msedge.exe	msedge.exe
PID 1204 wrote to memory of 1516	1204	gmtxsywmbppx.exe	WMIC.exe
PID 1204 wrote to memory of 1516	1204	gmtxsywmbppx.exe	WMIC.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1432	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 2812	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 2812	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1596	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1596	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1596	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1596	4804	msedge.exe	msedge.exe
PID 4804 wrote to memory of 1596	4804	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gmtxsywmbppx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gmtxsywmbppx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gmtxsywmbppx.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\gmtxsywmbppx.exe
C:\Windows\gmtxsywmbppx.exe
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1204

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8174146f8,0x7ff817414708,0x7ff817414718
4⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,18151957319992264627,15237046154744004767,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1928 /prefetch:2
4⤵
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,18151957319992264627,15237046154744004767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
4⤵
PID:2812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,18151957319992264627,15237046154744004767,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
4⤵
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18151957319992264627,15237046154744004767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
4⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18151957319992264627,15237046154744004767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
4⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,18151957319992264627,15237046154744004767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
4⤵
PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,18151957319992264627,15237046154744004767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
4⤵
PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18151957319992264627,15237046154744004767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
4⤵
PID:908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18151957319992264627,15237046154744004767,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
4⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18151957319992264627,15237046154744004767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
4⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18151957319992264627,15237046154744004767,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
4⤵
PID:620

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GMTXSY~1.EXE
3⤵
- System Location Discovery: System Language Discovery
PID:1768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1D46F8~1.EXE
2⤵
- System Location Discovery: System Language Discovery
PID:2452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qirwt.html

Filesize
12KB

MD5
cde3ce077f24548e0e84e1a2f92d8639

SHA1
e31eb7eab6df7756fa543988814ae78dd7b83fbd

SHA256
79423c6f5da6702622b7063e497410184bc60ecfac7a7193bf1e9ea7910083ea

SHA512
fd2eacdee8b6a0df76bdc00a8af60aec6bf09aea45f81690880cd5df972fd1dbd42ef8c228c0e4c9827867f70fa4f7370ae1bca97cde8cb0b8d0228f0fbabbc4

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qirwt.png

Filesize
64KB

MD5
c7321e8a02a7224cd6f3e77abfc29b0b

SHA1
8c642d48dbbee6ce780e94d9d7e15ddd586cfe19

SHA256
cd6e3ae9692cf6d71cda02c407ce0297e53b8df1c2549ad20ea6245c795f051b

SHA512
2b1bb42bc8f5803a94e3c1a9df42208f504550704570b4c677027241a1cbcac01c462666c879869f25e6c35812433941baf881a274c98e442bb1d4479ea816ab

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qirwt.txt

Filesize
1KB

MD5
581271eb071ac34d2c9e287870f24cf5

SHA1
cd4c724e1ac61afe22f84d6638878c77824df69c

SHA256
9ed2de48ae94bf2aaf3eaf04c4d5c1103f8f7ba6abe830fe463e18d5da5b4152

SHA512
c9fbb4e235f10e9569046dbfeab0be6b199559ef4fa15dc234413e924dee14de28ea4fbe9053b177290b725e7473ccb40151d291ab761daa6a8272a18f17ed34

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
c4a435dff8d29d9b90cc72ac75726258

SHA1
3e680a950dd6370139bf95a607c6022ad787ad59

SHA256
547f8e63a77e0960a415fa6b581e52174ad089f6ac0fff9bc97bc27edd280292

SHA512
51e5f1c069c3d13de7898add453191a0f36d4f1ddb1fa1c8f168aad27e2387ac759fe4aefc22062d50566e206e5a0be43a458e49303a50781e7a494a7c3550fc

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
22dffd1bcc8986c3707a6eefb97b83ad

SHA1
a76124ad613bd1ccf6e24267b58f704084d1bc2d

SHA256
a7d0bea7bde72bdb2acf1f414364321b9ec11aa3b5b945278b2db6005d64eda4

SHA512
1dab511647329783a49260c37c22736224be04293966a65df9ff524528e71f584079af0d828d269de9b3591bef3e518891c059c789a5b5d51422302cee5eb3a3

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
534f271daa05b8df2f13117bbcfc9283

SHA1
69221b3124570d9f3f8ecf4527c387befa835ab4

SHA256
be15eeb1068f89249a0a31981d70203a45b327fa5d716bff0462f6e1608c8d42

SHA512
f0367f5e242c0bdee9bc37db2099aca69619ad81ef44b850c5597ec93fb4a10f1010516aca1a84b06398f405102a1db2522086e362daaea4ebc44ba9e27f10ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1edce8f18d6039e0cbf5f2c13d3e0cc

SHA1
322de663889293abdfb2772c67f744df2a7fcbaf

SHA256
0f8c51c3ecb527bdb26c6f00b819cebbbc77d590a9fa1dc6ee09115bfe70e0b9

SHA512
a6b3a6835edb92ba3b0b467f2eeafd8fecb27764035be48bfd17848081fd365650ce3bf6238c64bb20c72d277bfd4819e0a7637d30b4290823d79db1669e9880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
22eb1ac8cfc701924d3e44e18a234e89

SHA1
94a5bbc058062f8abc0cbc0d2d317b398aad0776

SHA256
8129cae1632cd54a11af77d19184f40ab1e10d9969995cbf80d45aeeb32ab8f1

SHA512
80c213f2a59114353b41c47f5d47961799697fd426e026cb04ce7992ad9c7c977bf21ed688cf7f960ffbca0fab4c9e567ca8e5d8fcdfa6d9984afb372c25525b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
806055657e30d72b21336ee76cccbbf6

SHA1
0bbc7a5881adea41e97d8858f830be44f1216631

SHA256
d634085d6f4a318de768ae0b8f13bc21a8214dd7f64faecb1bd44c293782af86

SHA512
8adfaaced1d3a1f4fc4f69015c412a651a9710d449417f91259a8e91e8bf642f466554f4daf61ee9e33ba5c38e4f828721464ff77b8a988fad5e9b5c3634f21c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665766873969.txt

Filesize
74KB

MD5
06e082adbdf796612654f51a01a527a7

SHA1
a303a9768db97fa238f779e8304f6bf1b3225ae9

SHA256
2f32f02b583adcb8df36b358dff76a3b2a3e847ce2aaa29edd571cfc8a7abc73

SHA512
2ea3ae748f01fbc8a4033c8a1d035368a6b5d723f2c1b8a34025bf5fd4ed82c1b5a4ef3dbbe32fa6c00a9d6357f58b5087b4b538c17fb2a038ff5ffa1d17f2d5

Download Submit
C:\Windows\gmtxsywmbppx.exe

Filesize
352KB

MD5
1d46f87737ca1591b52ef272100ccab2

SHA1
e0a0f3c73c3829a71eaf2444d9e71977227a8799

SHA256
a45bd6e5fec24298c6453c29f5046fe9346366da194da4fc26935c5482c58734

SHA512
f5de0eaa8e55d07772f8faa0664ddc10378a630050ca8afbb0c855e066d585459b2fd59d6a3b06f466a0bbd99c2f5f5a5c2c8d52df6a0117f07ff6334a5aa332

Download Submit
\??\pipe\LOCAL\crashpad_4804_OHQDHIZKRBUHAEER

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1204-2806-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1204-9227-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1204-10817-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1204-2822-0x0000000002140000-0x00000000021C6000-memory.dmp

Filesize
536KB

Download
memory/1204-10861-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1204-5739-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1204-9-0x0000000002140000-0x00000000021C6000-memory.dmp

Filesize
536KB

Download
memory/4452-0-0x0000000002230000-0x00000000022B6000-memory.dmp

Filesize
536KB

Download
memory/4452-14-0x0000000002230000-0x00000000022B6000-memory.dmp

Filesize
536KB

Download
memory/4452-1-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4452-13-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download