teslacrypt | ac4a172dd0cec7582090313549f3adbba96a7aa11a1bb85f39da11246fa73585

Analysis

max time kernel
138s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
Size

328KB
MD5

2f69faa2bacccf5a61b7c7996c558f4c
SHA1

172c3b8d22eb08f491d4c90cd86aaa21b95f5b95
SHA256

ac4a172dd0cec7582090313549f3adbba96a7aa11a1bb85f39da11246fa73585
SHA512

712184c799086b5c03605ede0adac41695d620aaa5fe74dee82e30e4fa4d440672b2b2af473233c99de17bce511ccd7641b9562363aa875d6e954554d6f38578
SSDEEP

6144:F4MKA86q6kcKPqCAOFPmvSNQgstAw/u5jp2hnU4ZcRdN1Sgg68:F9x1KNRmKN+/Mk3eBU

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+yrljd.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8893394541F7852A 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8893394541F7852A 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/8893394541F7852A If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/8893394541F7852A 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8893394541F7852A http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8893394541F7852A http://yyre45dbvn2nhbefbmh.begumvelic.at/8893394541F7852A Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/8893394541F7852A

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8893394541F7852A

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8893394541F7852A

http://yyre45dbvn2nhbefbmh.begumvelic.at/8893394541F7852A

http://xlowfznrg4wf7dli.ONION/8893394541F7852A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (866) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exenlxqbdyodgqo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	nlxqbdyodgqo.exe

Drops startup file 6 IoCs

Processes:

nlxqbdyodgqo.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+yrljd.png	nlxqbdyodgqo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+yrljd.html	nlxqbdyodgqo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+yrljd.png	nlxqbdyodgqo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+yrljd.html	nlxqbdyodgqo.exe

Executes dropped EXE 1 IoCs

Processes:

nlxqbdyodgqo.exe

pid process

1052 nlxqbdyodgqo.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

nlxqbdyodgqo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pgdwtaefoedo = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\nlxqbdyodgqo.exe\""	nlxqbdyodgqo.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

nlxqbdyodgqo.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_RECoVERY_+yrljd.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECoVERY_+yrljd.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_RECoVERY_+yrljd.html	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\Styling\_RECoVERY_+yrljd.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+yrljd.html	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96_altform-unplated.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\SplashScreen.scale-200.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalStoreLogo.scale-125_contrast-white.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-32.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-125_contrast-black.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-125_contrast-black.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLargeTile.scale-100.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_altform-unplated_contrast-white.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\6.0.27\_RECoVERY_+yrljd.html	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-unplated_contrast-black.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-64.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-300.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+yrljd.html	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\et-EE\View3d\_RECoVERY_+yrljd.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-black_scale-125.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-150.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\_RECoVERY_+yrljd.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-150.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\_RECoVERY_+yrljd.html	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-150.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-100.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentDesktop_144x56.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96_altform-unplated.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\View3d\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-32_altform-unplated.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-black_scale-100.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_contrast-high.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_2_Loud.m4a	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_RECoVERY_+yrljd.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_pound.m4a	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_RECoVERY_+yrljd.html	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\_RECoVERY_+yrljd.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-125.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_altform-unplated_contrast-white.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-32.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\_RECoVERY_+yrljd.html	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-150.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-400.png	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_RECoVERY_+yrljd.txt	nlxqbdyodgqo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-100_contrast-black.png	nlxqbdyodgqo.exe

Drops file in Windows directory 2 IoCs

Processes:

2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\nlxqbdyodgqo.exe	2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
File opened for modification	C:\Windows\nlxqbdyodgqo.exe	2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NOTEPAD.EXEcmd.exe2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exenlxqbdyodgqo.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlxqbdyodgqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

nlxqbdyodgqo.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings nlxqbdyodgqo.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2452 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	nlxqbdyodgqo.exe

pid	process
2452	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

nlxqbdyodgqo.exe

pid	process
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe
1052	nlxqbdyodgqo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3224 msedge.exe
3224 msedge.exe
3224 msedge.exe
3224 msedge.exe
3224 msedge.exe
3224 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exenlxqbdyodgqo.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2848	2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
Token: SeDebugPrivilege	1052	nlxqbdyodgqo.exe
Token: SeIncreaseQuotaPrivilege	3256	WMIC.exe
Token: SeSecurityPrivilege	3256	WMIC.exe
Token: SeTakeOwnershipPrivilege	3256	WMIC.exe
Token: SeLoadDriverPrivilege	3256	WMIC.exe
Token: SeSystemProfilePrivilege	3256	WMIC.exe
Token: SeSystemtimePrivilege	3256	WMIC.exe
Token: SeProfSingleProcessPrivilege	3256	WMIC.exe
Token: SeIncBasePriorityPrivilege	3256	WMIC.exe
Token: SeCreatePagefilePrivilege	3256	WMIC.exe
Token: SeBackupPrivilege	3256	WMIC.exe
Token: SeRestorePrivilege	3256	WMIC.exe
Token: SeShutdownPrivilege	3256	WMIC.exe
Token: SeDebugPrivilege	3256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3256	WMIC.exe
Token: SeRemoteShutdownPrivilege	3256	WMIC.exe
Token: SeUndockPrivilege	3256	WMIC.exe
Token: SeManageVolumePrivilege	3256	WMIC.exe
Token: 33	3256	WMIC.exe
Token: 34	3256	WMIC.exe
Token: 35	3256	WMIC.exe
Token: 36	3256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3256	WMIC.exe
Token: SeSecurityPrivilege	3256	WMIC.exe
Token: SeTakeOwnershipPrivilege	3256	WMIC.exe
Token: SeLoadDriverPrivilege	3256	WMIC.exe
Token: SeSystemProfilePrivilege	3256	WMIC.exe
Token: SeSystemtimePrivilege	3256	WMIC.exe
Token: SeProfSingleProcessPrivilege	3256	WMIC.exe
Token: SeIncBasePriorityPrivilege	3256	WMIC.exe
Token: SeCreatePagefilePrivilege	3256	WMIC.exe
Token: SeBackupPrivilege	3256	WMIC.exe
Token: SeRestorePrivilege	3256	WMIC.exe
Token: SeShutdownPrivilege	3256	WMIC.exe
Token: SeDebugPrivilege	3256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3256	WMIC.exe
Token: SeRemoteShutdownPrivilege	3256	WMIC.exe
Token: SeUndockPrivilege	3256	WMIC.exe
Token: SeManageVolumePrivilege	3256	WMIC.exe
Token: 33	3256	WMIC.exe
Token: 34	3256	WMIC.exe
Token: 35	3256	WMIC.exe
Token: 36	3256	WMIC.exe
Token: SeBackupPrivilege	3536	vssvc.exe
Token: SeRestorePrivilege	3536	vssvc.exe
Token: SeAuditPrivilege	3536	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3028	WMIC.exe
Token: SeSecurityPrivilege	3028	WMIC.exe
Token: SeTakeOwnershipPrivilege	3028	WMIC.exe
Token: SeLoadDriverPrivilege	3028	WMIC.exe
Token: SeSystemProfilePrivilege	3028	WMIC.exe
Token: SeSystemtimePrivilege	3028	WMIC.exe
Token: SeProfSingleProcessPrivilege	3028	WMIC.exe
Token: SeIncBasePriorityPrivilege	3028	WMIC.exe
Token: SeCreatePagefilePrivilege	3028	WMIC.exe
Token: SeBackupPrivilege	3028	WMIC.exe
Token: SeRestorePrivilege	3028	WMIC.exe
Token: SeShutdownPrivilege	3028	WMIC.exe
Token: SeDebugPrivilege	3028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3028	WMIC.exe
Token: SeRemoteShutdownPrivilege	3028	WMIC.exe
Token: SeUndockPrivilege	3028	WMIC.exe
Token: SeManageVolumePrivilege	3028	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exenlxqbdyodgqo.exemsedge.exe

description	pid	process	target process
PID 2848 wrote to memory of 1052	2848	2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe	nlxqbdyodgqo.exe
PID 2848 wrote to memory of 1052	2848	2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe	nlxqbdyodgqo.exe
PID 2848 wrote to memory of 1052	2848	2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe	nlxqbdyodgqo.exe
PID 2848 wrote to memory of 1604	2848	2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe	cmd.exe
PID 2848 wrote to memory of 1604	2848	2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe	cmd.exe
PID 2848 wrote to memory of 1604	2848	2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe	cmd.exe
PID 1052 wrote to memory of 3256	1052	nlxqbdyodgqo.exe	WMIC.exe
PID 1052 wrote to memory of 3256	1052	nlxqbdyodgqo.exe	WMIC.exe
PID 1052 wrote to memory of 2452	1052	nlxqbdyodgqo.exe	NOTEPAD.EXE
PID 1052 wrote to memory of 2452	1052	nlxqbdyodgqo.exe	NOTEPAD.EXE
PID 1052 wrote to memory of 2452	1052	nlxqbdyodgqo.exe	NOTEPAD.EXE
PID 1052 wrote to memory of 3224	1052	nlxqbdyodgqo.exe	msedge.exe
PID 1052 wrote to memory of 3224	1052	nlxqbdyodgqo.exe	msedge.exe
PID 3224 wrote to memory of 2176	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 2176	3224	msedge.exe	msedge.exe
PID 1052 wrote to memory of 3028	1052	nlxqbdyodgqo.exe	WMIC.exe
PID 1052 wrote to memory of 3028	1052	nlxqbdyodgqo.exe	WMIC.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4084	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 1416	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 1416	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 2344	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 2344	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 2344	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 2344	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 2344	3224	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

nlxqbdyodgqo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nlxqbdyodgqo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	nlxqbdyodgqo.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\nlxqbdyodgqo.exe
  C:\Windows\nlxqbdyodgqo.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1052
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3256
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:2452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a25846f8,0x7ff9a2584708,0x7ff9a2584718
      4⤵
      PID:2176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
      4⤵
      PID:4084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      4⤵
      PID:1416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
      4⤵
      PID:2344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:2272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      PID:436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
      4⤵
      PID:3832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
      4⤵
      PID:4708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
      4⤵
      PID:3564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
      4⤵
      PID:4496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
      4⤵
      PID:3344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
      4⤵
      PID:836
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NLXQBD~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2F69FA~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+yrljd.html

Filesize
12KB

MD5
e9381f7f94428c6c22352966495bfde3

SHA1
94ded40b350d5fddc6a25fc6c5672ba0cd9ec3cc

SHA256
40a217d73b85d8f763f3096a75ff333595c796120d5ac942084711e8c4ebde12

SHA512
bcc4b9e09f375df9d503a3c330ba8b1820750742239249fb574940c89e0572f72c7cb78d032f12b9493fef4b4f777cf8be1d4d1c9886dc8ff90c2cc53aad4971

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+yrljd.png

Filesize
64KB

MD5
c98fd4f4e4111046da8570f59355525c

SHA1
6eaea70b862d88c0e0afef0164f60c5717becd59

SHA256
2374e41d44f37dbe8474697a3f85e9f2a1dc63cbf60357b82f76235d90a84b7e

SHA512
9449f611f28c10de95d671198b5a2978449dd277b5f9aeae559a80e4ad76c9c1bc0bd2a60827679154a7eb46b3c796dc65442641339e2a8dfe6324dcc20ea5ff

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+yrljd.txt

Filesize
1KB

MD5
dea822b9e82378182fff8f6c6d271a5e

SHA1
db42ee8686e6e64f05b177473bbb7de1b1d060df

SHA256
45111c4d2dfd90feda0c38758668ecd73ec8f5f09f3bf41e16db52a64f79be9f

SHA512
b8e5667530ce34a427d4a6cf10b10ee1b409204238fe049e54ec3f89bc8691cd92188df7a1424451bd2db62e0f1ec0c4d4f8c61e5a52ee96afbb550600e60e0d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
14e767c9c7a84fadb6a59d221d704b81

SHA1
bd43fb4a74131d025861aee6b5bc837b308ee10d

SHA256
9a93cc084a15692de91d5a284d90401b73a81c670c0e6f83d6697ed6e12b138d

SHA512
8f52c75d37fefe380cece5a46e3a7075a42fff63771782ad5fdcfe9a18bafc5b8e05f0b72411d04c787a72c9584e21745f750809fc1bcd99be375258c9ec8e54

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
7d97b92fc31e4b362c1a4c43ed61e374

SHA1
3486a15c609b3ee4ee6df500e37435a7ae1fce40

SHA256
20fcbc1175f557da31e9b1bbe5d0547ac1bac38533b906077fe1745341fbce4c

SHA512
ae7c202a89cceec15b5c25e48c61dda7ae0bc8fbb17013611e02913808e18c72bb5c4bca08a6e0b7c1593886e5302aad2867169a2737964afd9c153d98cde76f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
8417ae8b3b10962284124bef418d9889

SHA1
af5c651153c972ead6f8300f948bd70a4e0eddd1

SHA256
c800c8d0c73b31c1e0815fe57dea00bac6da80be498f34f8a08116955f81bfe2

SHA512
3d0b48790bebc52dc884e15810938bd97c6da7a831b563f7e528917ca0e640aab6e8bd752b72c4abd76f3175e12b363d18c6d40edafd841dbab458be947b5e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4939e9a8a729bf4d93775fa15a82a597

SHA1
01bb0ff60bc1dccff62bd73e53c092d849b2b396

SHA256
377bdc2f23fc48f0a04026b13949bb5c821a7d297dbb2040e85fe15ef8b8d17d

SHA512
d56304aa0dfa56883c623fe27e6f3f768fa5a0138176751023dcffa0ff908fda6f65574230cc31467144c997e232525f378e359f233a5c9887a0c7d152a6aa6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d1337a0393a40fc0bc481d31170d571

SHA1
d8705ede88d40122a43828b89138069a623f776a

SHA256
9a7e55acfbf5d31a595a4f8a41307db31784fb502d6eea6ca998783bc09f3c5d

SHA512
0da4fce5baaea89994214c7bf52eb4e90de5828138d3f7e8b912d452c95a32c5074bbb22f46886893ef419b254b3f459cad428568b99f97a4df849f9b5ee09ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
25f981a5c7a8f7b5e7907196fce6de05

SHA1
36d08919aa6a22604c1e5c55cb98f9ffcc9ba3de

SHA256
3d04428b174f5b9b0dc3786d4b0c6546f53456ca0c929e533a361de1513be792

SHA512
e175890354d3dc8c2d5dcd89eda4617ecea67fc26244a15ef11c7408017665fd5bcaf65536d88177f0db3963a7d8d255e6cc110a817e1764521feb7b3b952816

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662824772148.txt

Filesize
77KB

MD5
c863f246d5b4d8c4efe409651482db9a

SHA1
ac3feb42cca0af75f94690cd038662090e5b4dd4

SHA256
4268361429015ba2365befa116d5533ddb8749a8bf23ae1f841f77f819a6f192

SHA512
d9b356fa9f7d7c6db18a8ebfee0daa3412edcdd248a4fb80b74004b505ac452c01fd1e2da9e885a056e5999761c15e42df3094224b30b1379fd369c8156dd8f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671764608349.txt

Filesize
74KB

MD5
496f47746a8edc8f70f1aecd00348ace

SHA1
0fa82769427a978bb34bf874d5386f3890ade55b

SHA256
dd0bdc083cacf1c1061d5ff6a872704be2576355ab0a60a0052c115973d60758

SHA512
d94afc7f9e518d3d688263a8c16dc45367475961b3bb6f4c52fbfcb6f6c7763f0e921ac9d8e8e1922e4b6a1287fe25e9a720429824a3fc92c3372a32be53edd3

Download Submit
C:\Windows\nlxqbdyodgqo.exe

Filesize
328KB

MD5
2f69faa2bacccf5a61b7c7996c558f4c

SHA1
172c3b8d22eb08f491d4c90cd86aaa21b95f5b95

SHA256
ac4a172dd0cec7582090313549f3adbba96a7aa11a1bb85f39da11246fa73585

SHA512
712184c799086b5c03605ede0adac41695d620aaa5fe74dee82e30e4fa4d440672b2b2af473233c99de17bce511ccd7641b9562363aa875d6e954554d6f38578

Download Submit
\??\pipe\LOCAL\crashpad_3224_EBOYFLIYHRSPGAOI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1052-5575-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1052-9054-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1052-10505-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1052-2641-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1052-10551-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1052-12-0x00000000021D0000-0x0000000002255000-memory.dmp

Filesize
532KB

Download
memory/2848-14-0x00000000022A0000-0x0000000002325000-memory.dmp

Filesize
532KB

Download
memory/2848-0-0x00000000022A0000-0x0000000002325000-memory.dmp

Filesize
532KB

Download
memory/2848-2-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2848-13-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download