teslacrypt | 56cf195bd7fc140caef4a59132cca2d1499783d473633c0384d1b350606731ab

Analysis

max time kernel
143s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
Size

368KB
MD5

4e826024050255ddf739c2656f2d9a77
SHA1

856eca0fb51d6994d9d472dfe5358b4c9b5293d7
SHA256

56cf195bd7fc140caef4a59132cca2d1499783d473633c0384d1b350606731ab
SHA512

fb25c55a9710133214b97bbd9492f39df0f2f43ea9e056cf05f6f4943d9f26031e7832d77df5dd2f69f49c97de92b3d9fbb2d3477215d9f405dcf178488ea8ff
SSDEEP

6144:r/VDu6UsyDUOxfDiyQhbw4tRN7eD7Lct/jG2kOREwMunfHAbxwcLNT:hDu6UsibiPbNt370Lcta9OSCnfPuNT

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xsagl.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/2522153854A8D9F7 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/2522153854A8D9F7 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/2522153854A8D9F7 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/2522153854A8D9F7 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/2522153854A8D9F7 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/2522153854A8D9F7 http://yyre45dbvn2nhbefbmh.begumvelic.at/2522153854A8D9F7 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/2522153854A8D9F7

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/2522153854A8D9F7

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/2522153854A8D9F7

http://yyre45dbvn2nhbefbmh.begumvelic.at/2522153854A8D9F7

http://xlowfznrg4wf7dli.ONION/2522153854A8D9F7

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (867) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exeblsqrwybjixe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	blsqrwybjixe.exe

Drops startup file 6 IoCs

Processes:

blsqrwybjixe.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xsagl.png	blsqrwybjixe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xsagl.png	blsqrwybjixe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe

Executes dropped EXE 2 IoCs

Processes:

blsqrwybjixe.exeblsqrwybjixe.exe

pid process

2192 blsqrwybjixe.exe
2468 blsqrwybjixe.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2192	blsqrwybjixe.exe
2468	blsqrwybjixe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

blsqrwybjixe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pyagnvq = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\blsqrwybjixe.exe"	blsqrwybjixe.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exeblsqrwybjixe.exe

description	pid	process	target process
PID 1556 set thread context of 4036	1556	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
PID 2192 set thread context of 2468	2192	blsqrwybjixe.exe	blsqrwybjixe.exe

Drops file in Program Files directory 64 IoCs

Processes:

blsqrwybjixe.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-256_altform-unplated_contrast-black.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-150.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\osfFPA\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-200.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-32_contrast-white.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-80_altform-lightunplated.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\WideTile.scale-125.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+xsagl.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-150.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\LargeTile.scale-100.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\NoConnection.scale-100.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_ReCoVeRy_+xsagl.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-72.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-24_altform-unplated.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_ReCoVeRy_+xsagl.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200_contrast-white.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-125.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-400_contrast-black.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page2.jpg	blsqrwybjixe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-colorize.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\_ReCoVeRy_+xsagl.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-125.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_contrast-white.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-200.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\_ReCoVeRy_+xsagl.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+xsagl.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\SmallTile.scale-125.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-400_contrast-black.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-30_altform-unplated.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-200.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\de-DE\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Windows Media Player\uk-UA\_ReCoVeRy_+xsagl.html	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalMedTile.scale-100_contrast-black.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\_ReCoVeRy_+xsagl.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\_ReCoVeRy_+xsagl.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\_ReCoVeRy_+xsagl.txt	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-unplated_contrast-black.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-20_altform-unplated.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_contrast-black.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\_ReCoVeRy_+xsagl.png	blsqrwybjixe.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-125.png	blsqrwybjixe.exe

Drops file in Windows directory 2 IoCs

Processes:

4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\blsqrwybjixe.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
File opened for modification	C:\Windows\blsqrwybjixe.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exeblsqrwybjixe.execmd.exeblsqrwybjixe.exeNOTEPAD.EXEcmd.exe4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blsqrwybjixe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blsqrwybjixe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

blsqrwybjixe.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings blsqrwybjixe.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3588 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	blsqrwybjixe.exe

pid	process
3588	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

blsqrwybjixe.exe

pid	process
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe
2468	blsqrwybjixe.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4716 msedge.exe
4716 msedge.exe
4716 msedge.exe
4716 msedge.exe
4716 msedge.exe
4716 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exeblsqrwybjixe.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4036	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	blsqrwybjixe.exe
Token: SeIncreaseQuotaPrivilege	4380	WMIC.exe
Token: SeSecurityPrivilege	4380	WMIC.exe
Token: SeTakeOwnershipPrivilege	4380	WMIC.exe
Token: SeLoadDriverPrivilege	4380	WMIC.exe
Token: SeSystemProfilePrivilege	4380	WMIC.exe
Token: SeSystemtimePrivilege	4380	WMIC.exe
Token: SeProfSingleProcessPrivilege	4380	WMIC.exe
Token: SeIncBasePriorityPrivilege	4380	WMIC.exe
Token: SeCreatePagefilePrivilege	4380	WMIC.exe
Token: SeBackupPrivilege	4380	WMIC.exe
Token: SeRestorePrivilege	4380	WMIC.exe
Token: SeShutdownPrivilege	4380	WMIC.exe
Token: SeDebugPrivilege	4380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4380	WMIC.exe
Token: SeRemoteShutdownPrivilege	4380	WMIC.exe
Token: SeUndockPrivilege	4380	WMIC.exe
Token: SeManageVolumePrivilege	4380	WMIC.exe
Token: 33	4380	WMIC.exe
Token: 34	4380	WMIC.exe
Token: 35	4380	WMIC.exe
Token: 36	4380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4380	WMIC.exe
Token: SeSecurityPrivilege	4380	WMIC.exe
Token: SeTakeOwnershipPrivilege	4380	WMIC.exe
Token: SeLoadDriverPrivilege	4380	WMIC.exe
Token: SeSystemProfilePrivilege	4380	WMIC.exe
Token: SeSystemtimePrivilege	4380	WMIC.exe
Token: SeProfSingleProcessPrivilege	4380	WMIC.exe
Token: SeIncBasePriorityPrivilege	4380	WMIC.exe
Token: SeCreatePagefilePrivilege	4380	WMIC.exe
Token: SeBackupPrivilege	4380	WMIC.exe
Token: SeRestorePrivilege	4380	WMIC.exe
Token: SeShutdownPrivilege	4380	WMIC.exe
Token: SeDebugPrivilege	4380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4380	WMIC.exe
Token: SeRemoteShutdownPrivilege	4380	WMIC.exe
Token: SeUndockPrivilege	4380	WMIC.exe
Token: SeManageVolumePrivilege	4380	WMIC.exe
Token: 33	4380	WMIC.exe
Token: 34	4380	WMIC.exe
Token: 35	4380	WMIC.exe
Token: 36	4380	WMIC.exe
Token: SeBackupPrivilege	3788	vssvc.exe
Token: SeRestorePrivilege	3788	vssvc.exe
Token: SeAuditPrivilege	3788	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1648	WMIC.exe
Token: SeSecurityPrivilege	1648	WMIC.exe
Token: SeTakeOwnershipPrivilege	1648	WMIC.exe
Token: SeLoadDriverPrivilege	1648	WMIC.exe
Token: SeSystemProfilePrivilege	1648	WMIC.exe
Token: SeSystemtimePrivilege	1648	WMIC.exe
Token: SeProfSingleProcessPrivilege	1648	WMIC.exe
Token: SeIncBasePriorityPrivilege	1648	WMIC.exe
Token: SeCreatePagefilePrivilege	1648	WMIC.exe
Token: SeBackupPrivilege	1648	WMIC.exe
Token: SeRestorePrivilege	1648	WMIC.exe
Token: SeShutdownPrivilege	1648	WMIC.exe
Token: SeDebugPrivilege	1648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1648	WMIC.exe
Token: SeRemoteShutdownPrivilege	1648	WMIC.exe
Token: SeUndockPrivilege	1648	WMIC.exe
Token: SeManageVolumePrivilege	1648	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exeblsqrwybjixe.exeblsqrwybjixe.exemsedge.exe

description	pid	process	target process
PID 1556 wrote to memory of 4036	1556	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
PID 1556 wrote to memory of 4036	1556	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
PID 1556 wrote to memory of 4036	1556	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
PID 1556 wrote to memory of 4036	1556	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
PID 1556 wrote to memory of 4036	1556	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
PID 1556 wrote to memory of 4036	1556	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
PID 1556 wrote to memory of 4036	1556	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
PID 1556 wrote to memory of 4036	1556	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
PID 1556 wrote to memory of 4036	1556	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
PID 1556 wrote to memory of 4036	1556	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
PID 4036 wrote to memory of 2192	4036	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	blsqrwybjixe.exe
PID 4036 wrote to memory of 2192	4036	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	blsqrwybjixe.exe
PID 4036 wrote to memory of 2192	4036	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	blsqrwybjixe.exe
PID 4036 wrote to memory of 1904	4036	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	cmd.exe
PID 4036 wrote to memory of 1904	4036	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	cmd.exe
PID 4036 wrote to memory of 1904	4036	4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe	cmd.exe
PID 2192 wrote to memory of 2468	2192	blsqrwybjixe.exe	blsqrwybjixe.exe
PID 2192 wrote to memory of 2468	2192	blsqrwybjixe.exe	blsqrwybjixe.exe
PID 2192 wrote to memory of 2468	2192	blsqrwybjixe.exe	blsqrwybjixe.exe
PID 2192 wrote to memory of 2468	2192	blsqrwybjixe.exe	blsqrwybjixe.exe
PID 2192 wrote to memory of 2468	2192	blsqrwybjixe.exe	blsqrwybjixe.exe
PID 2192 wrote to memory of 2468	2192	blsqrwybjixe.exe	blsqrwybjixe.exe
PID 2192 wrote to memory of 2468	2192	blsqrwybjixe.exe	blsqrwybjixe.exe
PID 2192 wrote to memory of 2468	2192	blsqrwybjixe.exe	blsqrwybjixe.exe
PID 2192 wrote to memory of 2468	2192	blsqrwybjixe.exe	blsqrwybjixe.exe
PID 2192 wrote to memory of 2468	2192	blsqrwybjixe.exe	blsqrwybjixe.exe
PID 2468 wrote to memory of 4380	2468	blsqrwybjixe.exe	WMIC.exe
PID 2468 wrote to memory of 4380	2468	blsqrwybjixe.exe	WMIC.exe
PID 2468 wrote to memory of 3588	2468	blsqrwybjixe.exe	NOTEPAD.EXE
PID 2468 wrote to memory of 3588	2468	blsqrwybjixe.exe	NOTEPAD.EXE
PID 2468 wrote to memory of 3588	2468	blsqrwybjixe.exe	NOTEPAD.EXE
PID 2468 wrote to memory of 4716	2468	blsqrwybjixe.exe	msedge.exe
PID 2468 wrote to memory of 4716	2468	blsqrwybjixe.exe	msedge.exe
PID 4716 wrote to memory of 3988	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3988	4716	msedge.exe	msedge.exe
PID 2468 wrote to memory of 1648	2468	blsqrwybjixe.exe	WMIC.exe
PID 2468 wrote to memory of 1648	2468	blsqrwybjixe.exe	WMIC.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3976	4716	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

blsqrwybjixe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	blsqrwybjixe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	blsqrwybjixe.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e826024050255ddf739c2656f2d9a77_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\blsqrwybjixe.exe
C:\Windows\blsqrwybjixe.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\blsqrwybjixe.exe
C:\Windows\blsqrwybjixe.exe
4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2468

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffcd42746f8,0x7ffcd4274708,0x7ffcd4274718
6⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5425973742151817614,7503406742902396833,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
6⤵
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5425973742151817614,7503406742902396833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
6⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,5425973742151817614,7503406742902396833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
6⤵
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5425973742151817614,7503406742902396833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
6⤵
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5425973742151817614,7503406742902396833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
6⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5425973742151817614,7503406742902396833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
6⤵
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5425973742151817614,7503406742902396833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
6⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5425973742151817614,7503406742902396833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
6⤵
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5425973742151817614,7503406742902396833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
6⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5425973742151817614,7503406742902396833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
6⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5425973742151817614,7503406742902396833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
6⤵
PID:1972

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BLSQRW~1.EXE
5⤵
- System Location Discovery: System Language Discovery
PID:3040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4E8260~1.EXE
3⤵
- System Location Discovery: System Language Discovery
PID:1904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xsagl.html

Filesize
12KB

MD5
1fa53b377b528335c401e62e955df817

SHA1
a32046b3bc24b07d79872a2f54b7112ff63af9c9

SHA256
b1232acbce4b3e7b332bd5394bf5a710ac1928a933f6e80c54bb1b8473909d62

SHA512
51b74fc7b95fc6e011f5fa750030221b87e7c43b9c61da3846405b613e14af026411d31d39cb9b18d0c2c29b87e0963f849ba7120732484a9f466967d438c0d4

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xsagl.png

Filesize
65KB

MD5
146ca2846929b0eeee36cfa27f698a97

SHA1
d1709b21ec7c8cc9f740c8d3b5a8edff8ce6da0b

SHA256
b513dddff1f79baf3f82cf09aacac6f4ba56bca50de54e0453fcd660a3fc4b9d

SHA512
ceb15a533d56bd602055f5f22738b7c494e6124fd7775c971bf802b86555ed4eb35ad381cf5a37f7048780b4e1b3b844d93ada269c7f667c7c1d934bd88d92de

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xsagl.txt

Filesize
1KB

MD5
f01b832088d5b23c281a31da3eb44eed

SHA1
920caebef8b3566d847ba531d4e96321988d3e59

SHA256
5ede202f1bef582c7aaa3bfa3fe97c88a81f524659afb5d972daf1b58ddbad57

SHA512
66e9a490a685570fadaf92e1a558d2da26030c8308d1f2f23a55b4a28885a6e4dcff9e230ac91a3338130adcce10f03f6f86be737ff5d766b43962119f0d70be

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
daaeab79731a0ef6c0849efe34de4bd2

SHA1
b2bbf980dc6fd64d4d0ba1a8587ba26d452b3ed6

SHA256
722fe15bb61d5480a44813c4754a02099a6170987409b7244120690ac1035997

SHA512
5d2711e56e8c281dfe632e213afb28dd3e85ead51d59468fdae4b1728bdac71872b5dd9a63e86d9133f93d73e0b6c3c72fa372a8ae8f57af3247323cbdd9d6ad

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
509f9f8f81a7b1c84a4c8bc97d00a5d1

SHA1
4209714b4167a2dab6c617f91d429751dae69a75

SHA256
7a19d07cc02ea76fe358764ce050f367143492b6c27dc58ca66b272430f644b6

SHA512
878483e890495c99d8b8e680ed03712c02124d52310994adfdf7b800e418fae30a7147ce276ce7d99c43b15bf641845ca476d1d5c5cb10381b5c948da1c993b7

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
0bf887df9daeb17c64390fb8ee4d4a5e

SHA1
4ffa2eb596a0de7cf186b4b927d5a59c5e2669d4

SHA256
4955fdd7143b65a3442b70d6f3c3727030fba89d252faad1099e501739855cfc

SHA512
13cd057c41ad67eb84500adeae98bb3f787f1ddde8044b1dc6cb456580e8402472c4503bc39dc24010ece24f3e4790f0a933850efbcd18d284c2d5831ac62643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4d6c9af3-1a88-4783-87ee-d58121b052d8.tmp

Filesize
6KB

MD5
0b125942c6a4fc8ec991ebed897cd7f5

SHA1
d2763f150dcc16a836fef19f3fdcf9d37f46237f

SHA256
1485b61c5fb1fa02d987e5cb4b423abd2c0e48f3184b5212ac94dec426d1ce33

SHA512
388e3a62664358a2ce34007ad9c80c5ce5069bf6072bd73ad629c534f335da46236d4612bff0006d43b3d5d1cd84266c03e90f383eca3dab44d049bdedfb24b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c9cdc60328dc47d2d0bc881d030eed0b

SHA1
02dc964c4c8c85c224fa4a606a5ceaf0a54f77e2

SHA256
7f01f17d0439a1d0861ee5a9ce6b198572236dd319fcddb5a263c6edf30297a0

SHA512
b858d86f5b7e2521f947001437b698a38f711907c730cbfc8ad6ff69aaabb11e81a3936180a7b9ae9d1367a32195adede2bf1a7171ef01dcbba18a89091559af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
488c7fee4452f5d52190dfc22ec24f06

SHA1
3b875fd1bcbd031081e5e34cfa14dece86f90e30

SHA256
d09ac6370671b79597bb9a4b16e43e1c1b05ef6208a9f23a6ad823e53b15d461

SHA512
9b3fa489cbe715189a8e9aab1f3e22fd2872d0261b1234b7b8145e7b7103d2c1afd90fbcba671d23078abe066de0c90418088a84c6565ab722ed7b993d280237

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662898920525.txt

Filesize
77KB

MD5
3d51a7c72ac0b11a756e0050fdd315b7

SHA1
a68be0201e89f63c89ea7a21224174ae9df95fae

SHA256
cae7c6f12de1a43a10bee56914992bf519d4aa848c42054066c2c5796ed13090

SHA512
6b34f339e39239a38322f8a578bcab712de2233c4e757a02f0fbbf11e3a37e1c12f1f9d8c6b59a204e8cf024337ba02d09c59b36e8f6b4ced87e8d902dd00148

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727672984949051.txt

Filesize
74KB

MD5
0fc29b21a3e7693fc9d8d956c945862c

SHA1
a4c45c175e8f0491b304ad83486280119c033ffe

SHA256
600a67c54c3ae6c17f2d98b68355cbd3c481e571e9563c39416682861f722399

SHA512
ea0210c5f95232733926b35546c20e57b28c3a0ff933eae5128979d22aa7e551f7fdf2ed4473429a5f91bbac9a9c0d9cfccfd5e7eb1fa3964028d58f3dcf1b20

Download Submit
C:\Windows\blsqrwybjixe.exe

Filesize
368KB

MD5
4e826024050255ddf739c2656f2d9a77

SHA1
856eca0fb51d6994d9d472dfe5358b4c9b5293d7

SHA256
56cf195bd7fc140caef4a59132cca2d1499783d473633c0384d1b350606731ab

SHA512
fb25c55a9710133214b97bbd9492f39df0f2f43ea9e056cf05f6f4943d9f26031e7832d77df5dd2f69f49c97de92b3d9fbb2d3477215d9f405dcf178488ea8ff

Download Submit
\??\pipe\LOCAL\crashpad_4716_RCFTOPLBQFHXLSJN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1556-0-0x0000000000680000-0x0000000000685000-memory.dmp

Filesize
20KB

Download
memory/1556-4-0x0000000000680000-0x0000000000685000-memory.dmp

Filesize
20KB

Download
memory/1556-1-0x0000000000680000-0x0000000000685000-memory.dmp

Filesize
20KB

Download
memory/2192-12-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2468-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-10738-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-2322-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-2323-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-4812-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-8003-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-26-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-10727-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-10729-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-10737-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-235-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-10777-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4036-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4036-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4036-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4036-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4036-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download