teslacrypt | 055f455f632bf72f2694befec51708ebfb909f25d59c388e0775af15e86459d1

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
Size

368KB
MD5

2b70ed1d47f2a5d626d16ab5f355c34b
SHA1

cc903de26a6f4dccfb7e216e84c79c0039ea7492
SHA256

055f455f632bf72f2694befec51708ebfb909f25d59c388e0775af15e86459d1
SHA512

696fdbe87bc478cf85717c4952787a1c4ea0302fd8270b5f04167fed9dcc9c81dc967422c8093870a67ff1ec69ae5bd3506573e1ea680930ec0d165117ef70db
SSDEEP

6144:q/VDu6UsyDUOxfDiyQhbw4tRN7eD7Lct/jG2kOREwMunfHAbxwcLNT:6Du6UsibiPbNt370Lcta9OSCnfPuNT

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xxexf.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7069B3352A0BFCA 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7069B3352A0BFCA 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/7069B3352A0BFCA If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/7069B3352A0BFCA 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7069B3352A0BFCA http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7069B3352A0BFCA http://yyre45dbvn2nhbefbmh.begumvelic.at/7069B3352A0BFCA Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/7069B3352A0BFCA

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7069B3352A0BFCA

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7069B3352A0BFCA

http://yyre45dbvn2nhbefbmh.begumvelic.at/7069B3352A0BFCA

http://xlowfznrg4wf7dli.ONION/7069B3352A0BFCA

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exemdokemaxugas.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	mdokemaxugas.exe

Drops startup file 6 IoCs

Processes:

mdokemaxugas.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xxexf.txt	mdokemaxugas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xxexf.png	mdokemaxugas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xxexf.txt	mdokemaxugas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xxexf.png	mdokemaxugas.exe

Executes dropped EXE 2 IoCs

Processes:

mdokemaxugas.exemdokemaxugas.exe

pid process

4228 mdokemaxugas.exe
1136 mdokemaxugas.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
4228	mdokemaxugas.exe
1136	mdokemaxugas.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mdokemaxugas.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvekuhr = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\mdokemaxugas.exe"	mdokemaxugas.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exemdokemaxugas.exe

description	pid	process	target process
PID 3164 set thread context of 3228	3164	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
PID 4228 set thread context of 1136	4228	mdokemaxugas.exe	mdokemaxugas.exe

Drops file in Program Files directory 64 IoCs

Processes:

mdokemaxugas.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-150.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_ReCoVeRy_+xxexf.txt	mdokemaxugas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_ReCoVeRy_+xxexf.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.scale-125.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\_ReCoVeRy_+xxexf.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Feedback_icon.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationSensorCalibrationFigure.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\foreca.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-125.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+xxexf.txt	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-48_altform-unplated.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_contrast-white.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-72_altform-unplated.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\LargeTile.scale-200.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+xxexf.txt	mdokemaxugas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_ReCoVeRy_+xxexf.txt	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-100.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\_ReCoVeRy_+xxexf.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-100.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\_ReCoVeRy_+xxexf.txt	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-100.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-200.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-125.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_ReCoVeRy_+xxexf.txt	mdokemaxugas.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-400.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Landing.svg	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\69.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\DialRotation.mp4	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-100.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\avatar_128x.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-16_altform-unplated_contrast-white.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-16.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-125.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-100_contrast-black.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-400.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\_ReCoVeRy_+xxexf.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_ReCoVeRy_+xxexf.html	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-200.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-64.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt	mdokemaxugas.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_altform-unplated_contrast-white.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-256_altform-unplated_contrast-white.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-400.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\_ReCoVeRy_+xxexf.txt	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\162.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render_sm.png	mdokemaxugas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+xxexf.png	mdokemaxugas.exe

Drops file in Windows directory 2 IoCs

Processes:

2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\mdokemaxugas.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
File created	C:\Windows\mdokemaxugas.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exemdokemaxugas.execmd.exemdokemaxugas.exeNOTEPAD.EXEcmd.exe2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdokemaxugas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdokemaxugas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

mdokemaxugas.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings mdokemaxugas.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

764 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	mdokemaxugas.exe

pid	process
764	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mdokemaxugas.exe

pid	process
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe
1136	mdokemaxugas.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

528 msedge.exe
528 msedge.exe
528 msedge.exe
528 msedge.exe
528 msedge.exe
528 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exemdokemaxugas.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3228	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
Token: SeDebugPrivilege	1136	mdokemaxugas.exe
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe
Token: SeManageVolumePrivilege	3596	WMIC.exe
Token: 33	3596	WMIC.exe
Token: 34	3596	WMIC.exe
Token: 35	3596	WMIC.exe
Token: 36	3596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe
Token: SeManageVolumePrivilege	3596	WMIC.exe
Token: 33	3596	WMIC.exe
Token: 34	3596	WMIC.exe
Token: 35	3596	WMIC.exe
Token: 36	3596	WMIC.exe
Token: SeBackupPrivilege	2872	vssvc.exe
Token: SeRestorePrivilege	2872	vssvc.exe
Token: SeAuditPrivilege	2872	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2608	WMIC.exe
Token: SeSecurityPrivilege	2608	WMIC.exe
Token: SeTakeOwnershipPrivilege	2608	WMIC.exe
Token: SeLoadDriverPrivilege	2608	WMIC.exe
Token: SeSystemProfilePrivilege	2608	WMIC.exe
Token: SeSystemtimePrivilege	2608	WMIC.exe
Token: SeProfSingleProcessPrivilege	2608	WMIC.exe
Token: SeIncBasePriorityPrivilege	2608	WMIC.exe
Token: SeCreatePagefilePrivilege	2608	WMIC.exe
Token: SeBackupPrivilege	2608	WMIC.exe
Token: SeRestorePrivilege	2608	WMIC.exe
Token: SeShutdownPrivilege	2608	WMIC.exe
Token: SeDebugPrivilege	2608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2608	WMIC.exe
Token: SeRemoteShutdownPrivilege	2608	WMIC.exe
Token: SeUndockPrivilege	2608	WMIC.exe
Token: SeManageVolumePrivilege	2608	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe
528	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exemdokemaxugas.exemdokemaxugas.exemsedge.exe

description	pid	process	target process
PID 3164 wrote to memory of 3228	3164	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
PID 3164 wrote to memory of 3228	3164	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
PID 3164 wrote to memory of 3228	3164	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
PID 3164 wrote to memory of 3228	3164	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
PID 3164 wrote to memory of 3228	3164	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
PID 3164 wrote to memory of 3228	3164	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
PID 3164 wrote to memory of 3228	3164	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
PID 3164 wrote to memory of 3228	3164	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
PID 3164 wrote to memory of 3228	3164	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
PID 3164 wrote to memory of 3228	3164	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
PID 3228 wrote to memory of 4228	3228	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	mdokemaxugas.exe
PID 3228 wrote to memory of 4228	3228	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	mdokemaxugas.exe
PID 3228 wrote to memory of 4228	3228	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	mdokemaxugas.exe
PID 3228 wrote to memory of 4008	3228	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	cmd.exe
PID 3228 wrote to memory of 4008	3228	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	cmd.exe
PID 3228 wrote to memory of 4008	3228	2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe	cmd.exe
PID 4228 wrote to memory of 1136	4228	mdokemaxugas.exe	mdokemaxugas.exe
PID 4228 wrote to memory of 1136	4228	mdokemaxugas.exe	mdokemaxugas.exe
PID 4228 wrote to memory of 1136	4228	mdokemaxugas.exe	mdokemaxugas.exe
PID 4228 wrote to memory of 1136	4228	mdokemaxugas.exe	mdokemaxugas.exe
PID 4228 wrote to memory of 1136	4228	mdokemaxugas.exe	mdokemaxugas.exe
PID 4228 wrote to memory of 1136	4228	mdokemaxugas.exe	mdokemaxugas.exe
PID 4228 wrote to memory of 1136	4228	mdokemaxugas.exe	mdokemaxugas.exe
PID 4228 wrote to memory of 1136	4228	mdokemaxugas.exe	mdokemaxugas.exe
PID 4228 wrote to memory of 1136	4228	mdokemaxugas.exe	mdokemaxugas.exe
PID 4228 wrote to memory of 1136	4228	mdokemaxugas.exe	mdokemaxugas.exe
PID 1136 wrote to memory of 3596	1136	mdokemaxugas.exe	WMIC.exe
PID 1136 wrote to memory of 3596	1136	mdokemaxugas.exe	WMIC.exe
PID 1136 wrote to memory of 764	1136	mdokemaxugas.exe	NOTEPAD.EXE
PID 1136 wrote to memory of 764	1136	mdokemaxugas.exe	NOTEPAD.EXE
PID 1136 wrote to memory of 764	1136	mdokemaxugas.exe	NOTEPAD.EXE
PID 1136 wrote to memory of 528	1136	mdokemaxugas.exe	msedge.exe
PID 1136 wrote to memory of 528	1136	mdokemaxugas.exe	msedge.exe
PID 528 wrote to memory of 2336	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 2336	528	msedge.exe	msedge.exe
PID 1136 wrote to memory of 2608	1136	mdokemaxugas.exe	WMIC.exe
PID 1136 wrote to memory of 2608	1136	mdokemaxugas.exe	WMIC.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe
PID 528 wrote to memory of 804	528	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

mdokemaxugas.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mdokemaxugas.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	mdokemaxugas.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\mdokemaxugas.exe
C:\Windows\mdokemaxugas.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\mdokemaxugas.exe
C:\Windows\mdokemaxugas.exe
4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1136

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffff93046f8,0x7ffff9304708,0x7ffff9304718
6⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
6⤵
PID:804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
6⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
6⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
6⤵
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
6⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
6⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
6⤵
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
6⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
6⤵
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
6⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
6⤵
PID:3660

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MDOKEM~1.EXE
5⤵
- System Location Discovery: System Language Discovery
PID:3420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B70ED~1.EXE
3⤵
- System Location Discovery: System Language Discovery
PID:4008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xxexf.html

Filesize
12KB

MD5
fe0557b804c30ae74e0da398c273ef99

SHA1
593aa35a3017039e0d12f128ee7ef9b4cebcd5c3

SHA256
fe422dfe1b328e735858842c05249ce9316d848745c0b760f7900ccbaf9b8e0a

SHA512
51b3b9653715a37a04c2dadb685e1cc5574c29cb95c75c5250255d3ff50c3f0959a359a938e37eb5862811052cdebe3ffd48539da174632ad1129320d9735ab6

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xxexf.png

Filesize
64KB

MD5
5d47a95adc3ba122ba1515dd8ec829db

SHA1
fb031625e960a50c1b49f231726756be88f6213f

SHA256
de36a0007fc577516175880166eb370d48bcf492b26d19f693606825662fda44

SHA512
c310566dbad2ee10b3bd176b1819c169d413f72f180a73727423ae569957675c3a0486381884e79c333e6ca41f1f2baf8d50b62f6f44ff72dc1d1a05eb1509fb

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xxexf.txt

Filesize
1KB

MD5
cbf17f5270f00906b8dc02400ed1d1b7

SHA1
d967ac75f75194a4a79a8e8ce4ba68cef50792e9

SHA256
9e917c2ca2ae632dd3c78b020ce72a452ecc3eb5ec6c00aafee86dc0cbdcd2d4

SHA512
3cca34f07472a3fe21415286dc8c21cf37854b883582cf9f724679ec78f726292d8aa867f2bc56de151cefb251175c8e46de8c1b2e4f4025cf70c301e3c366d1

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
1f21bf9a6607a2bfd427bf2fae603ef0

SHA1
b48a189d8c63a0f5fa4e2d19c00928e88e134f69

SHA256
d4707ae82c1bcdfc218691f77ca2fee4cdad27e319ac970586187951664acc7f

SHA512
da18e4812aba7425bdca3257ac3786120fd86038de752028dd294fc981499a73b348415c8cba9555335dc05b201b8459f2e87cb4b8f299564f875a67f1efa095

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
f0d997b32eee79011cb69c756caaabdb

SHA1
6b348e63bfa624c5c3c9656d8c2c94a3da3ddc00

SHA256
ad75fb28fec7f702830a7854aa8e85462f38190ea26cc1a0cc7e849b00b62cef

SHA512
ab586d99aafb6e1819767e9accf733ae050effe6e4441732f14eaaa879d68d90faf92cef5d8cd2eb5c231299609c301ce2b5b8e7420ec66991a68a46a9da156a

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
56f2e9dad2d21172782d0e65e1600670

SHA1
b34551e7f2d68554dab8f646cee9abfe4ede0a33

SHA256
49a06359ac9f920da3d69462fb42a81c002223be970444f0d69ba27910806dd6

SHA512
0438271eff6a7a0645eb4cfc83fde3193013841d4b92350ba6baa8cd910ea93a38e5af4b413c76227fcbf3ca2060b92a5b81e7a14796a7955ee5b402f1681df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3fe28b95045da726ddd9b9ed4d2a9691

SHA1
fc3a5157e6b920872efec1b9ddebfc40654b6c3f

SHA256
cd0915a96cd0f2c9982284eea0045bbedb5e9370d0552238e32a23b1d29939ea

SHA512
6c4878129439b4fe5cc506a819db848d657d53b468a4e0b25637eace3f8a04aa21ddcf46cf32ba1cb3c502ee0877af6ef17f131bc73a0d5d65821f71fc31f5c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5fce19b261c20aea782fd89bd1e1f301

SHA1
741cc43988b75cbf22a0d0465acb4a45ade9f6b9

SHA256
c1fb85dc1cfedd6b99503f4107e82809d9e318155e4c4c35adbe3e073065d3cc

SHA512
a02276c11e5a0c99b4c84e60837657b0b0366152f4d3ae3808d2befa6f330eeb187f70aecfa8813cfdaef7e141129324c84a3e96519d59e9e3adc6f7809d26d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7eaf175597ace8b20b6f791811429761

SHA1
f8196235c3843a36a00c9ba760698deb8bc79355

SHA256
52743360209c3b7d6981d6872ba0286cd7cf394ce9c4df040b174363859eb2f5

SHA512
ac064c2892c07d0ee61cf74b6664010cbf132ee1f5f99d63c61ed0dc42d9e7435a639f48152189ec7bd6feaf724ce4ff30c96ed4c82a8d7ed75caa47b000bb55

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662824772148.txt

Filesize
77KB

MD5
33eb4a0806aeb92bcf01db84c4970f89

SHA1
8ac16eb26666e828209ad790a9196ae68eb6e4bd

SHA256
49b60f1111c45c3bffcb8691fdb4352dedd4c1eb25f9a2c317cbeb1d3b1b6eeb

SHA512
7b7fd96824fd0bd26d6bd3bb0b9d2aa4024f3b17f6c89a0aa582f7e436b3d98864d61f8fbf492bbb8ef55aad88206de1558f49ce22c69b1c836f2c9d640a8823

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671764608349.txt

Filesize
74KB

MD5
19079ec7db523e2d57f8a71427231662

SHA1
e3474beb8041f3ee2e28c0151e9bd49fee948f94

SHA256
a64e28d0c82e8fc0383bf510daabedd6c80f77da02d2161e4e0b7044a94b5aa7

SHA512
d011b13dc4ba503b85ded771bbc0fc8cb95288407c7ad18c2b712252e37fda4b8ddc2808c813012d770ea5bc7d6e0a6b17730a543ffe1f0251386f9616ee5ed5

Download Submit
C:\Windows\mdokemaxugas.exe

Filesize
368KB

MD5
2b70ed1d47f2a5d626d16ab5f355c34b

SHA1
cc903de26a6f4dccfb7e216e84c79c0039ea7492

SHA256
055f455f632bf72f2694befec51708ebfb909f25d59c388e0775af15e86459d1

SHA512
696fdbe87bc478cf85717c4952787a1c4ea0302fd8270b5f04167fed9dcc9c81dc967422c8093870a67ff1ec69ae5bd3506573e1ea680930ec0d165117ef70db

Download Submit
\??\pipe\LOCAL\crashpad_528_RSKSIGJYPCZZXLIT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1136-1012-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-10543-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-10592-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-2871-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-2872-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-5726-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-10553-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-9225-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-10544-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1136-10552-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3164-0-0x0000000000690000-0x0000000000695000-memory.dmp

Filesize
20KB

Download
memory/3164-3-0x0000000000690000-0x0000000000695000-memory.dmp

Filesize
20KB

Download
memory/3164-1-0x0000000000690000-0x0000000000695000-memory.dmp

Filesize
20KB

Download
memory/3228-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3228-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3228-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3228-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3228-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4228-12-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download