Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-10-2024 05:47
Static task: static1
Behavioral task: behavioral1
  Sample: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
Size: 388KB
MD5: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5
SHA1: c4f86755ca60567fedc3a05ce88c4a342219c8b4
SHA256: a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba
SHA512: 22cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6
SSDEEP: 6144:nYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:nnSdO0iNEPn+TGOoYzwscMSOXUIJ
Malware Config
Extracted from: C:\Program Files\7-Zip\Lang\Recovery+mkfjc.txt
Family: teslacrypt
URLs:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/5CA146325A55725
http://kkd47eh4hdjshb5t.angortra.at/5CA146325A55725
http://ytrest84y5i456hghadefdsd.pontogrot.com/5CA146325A55725
http://xlowfznrg4wf7dli.ONION/5CA146325A55725
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (875) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe, dfyxpnhcruiv.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (dfyxpnhcruiv.exe)
Drops startup file (6 IoCs)
Processes: dfyxpnhcruiv.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mkfjc.txt
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mkfjc.html
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mkfjc.png
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mkfjc.txt
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mkfjc.html
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mkfjc.png
Executes dropped EXE (2 IoCs)
Processes: dfyxpnhcruiv.exe, dfyxpnhcruiv.exe
  pid 4080 dfyxpnhcruiv.exe
  pid 4772 dfyxpnhcruiv.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: dfyxpnhcruiv.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhhdfqsvysko = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dfyxpnhcruiv.exe\"" (dfyxpnhcruiv.exe)
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Suspicious use of SetThreadContext (2 IoCs)
Processes: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe, dfyxpnhcruiv.exe
  PID 3936 set thread context of 4676 (1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe -> 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe)
  PID 4080 set thread context of 4772 (dfyxpnhcruiv.exe -> dfyxpnhcruiv.exe)
Drops file in Program Files directory (64 IoCs)
Processes: dfyxpnhcruiv.exe (64 "File opened for modification" IoCs under C:\Program Files; raw path list omitted)
Drops file in Windows directory (2 IoCs)
Processes: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
  File created: C:\Windows\dfyxpnhcruiv.exe (1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe)
  File opened for modification: C:\Windows\dfyxpnhcruiv.exe (1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe, 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe, dfyxpnhcruiv.exe, cmd.exe, dfyxpnhcruiv.exe, NOTEPAD.EXE, cmd.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dfyxpnhcruiv.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dfyxpnhcruiv.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NOTEPAD.EXE)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class (1 IoC)
Processes: dfyxpnhcruiv.exe
  Key created: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings (dfyxpnhcruiv.exe)
Opens file in notepad (likely ransom note) (1 IoC)
Processes: NOTEPAD.EXE
  pid 2692 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: dfyxpnhcruiv.exe
  pid 4772 dfyxpnhcruiv.exe (64 identical entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes: msedge.exe
  pid 4036 msedge.exe (6 identical entries)
Suspicious use of AdjustPrivilegeToken (44 IoCs)
Processes: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe, dfyxpnhcruiv.exe, WMIC.exe, WMIC.exe
  pid 4676 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe: Token SeDebugPrivilege
  pid 4772 dfyxpnhcruiv.exe: Token SeDebugPrivilege
  pid 4228 WMIC.exe: Tokens SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 2188 WMIC.exe: Tokens SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
  pid 4036 msedge.exe (25 identical entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
  pid 4036 msedge.exe (24 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed, count in parentheses)
Processes: 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe, 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe, dfyxpnhcruiv.exe, dfyxpnhcruiv.exe, msedge.exe
  PID 3936 wrote to memory of 4676 (1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe -> 1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe) (10)
  PID 4676 wrote to memory of 4080 (1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe -> dfyxpnhcruiv.exe) (3)
  PID 4676 wrote to memory of 208 (1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe -> cmd.exe) (3)
  PID 4080 wrote to memory of 4772 (dfyxpnhcruiv.exe -> dfyxpnhcruiv.exe) (10)
  PID 4772 wrote to memory of 4228 (dfyxpnhcruiv.exe -> WMIC.exe) (2)
  PID 4772 wrote to memory of 2692 (dfyxpnhcruiv.exe -> NOTEPAD.EXE) (3)
  PID 4772 wrote to memory of 4036 (dfyxpnhcruiv.exe -> msedge.exe) (2)
  PID 4036 wrote to memory of 4984 (msedge.exe -> msedge.exe) (2)
  PID 4772 wrote to memory of 2188 (dfyxpnhcruiv.exe -> WMIC.exe) (2)
  PID 4036 wrote to memory of 3280 (msedge.exe -> msedge.exe) (27)
System policy modification (1 TTP, 2 IoCs)
Processes: dfyxpnhcruiv.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (dfyxpnhcruiv.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (dfyxpnhcruiv.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\dfyxpnhcruiv.exeC:\Windows\dfyxpnhcruiv.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\dfyxpnhcruiv.exeC:\Windows\dfyxpnhcruiv.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4772 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4228
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff29a946f8,0x7fff29a94708,0x7fff29a947186⤵PID:4984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:26⤵PID:3280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:36⤵PID:4012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:86⤵PID:3944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:16⤵PID:2276
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:16⤵PID:5088
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:86⤵PID:1412
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:86⤵PID:1852
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:16⤵PID:4748
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:16⤵PID:4508
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:16⤵PID:1932
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:16⤵PID:2728
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DFYXPN~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:3092
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1FE6FD~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:208
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4988
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2896
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)
Downloads