teslacrypt | d50b6e077e629c2e0f8bb36e85df27977643a472277f254167aef19f8525fd01

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe
Size

352KB
MD5

52aa7e36c5636d8071e21deac876dcbb
SHA1

52e97285ecdb7de4d7130e68ccd894f228f6090d
SHA256

d50b6e077e629c2e0f8bb36e85df27977643a472277f254167aef19f8525fd01
SHA512

79cbd1bdf4de7a10020442402e837948df5ca99ab6cf5eefa659eccb4f629a7126b3ee2a8fd23fa6fd1fc8b96faa2afca65255639ea7816563cbaa157c521e66
SSDEEP

6144:IMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:ITb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qokdw.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A6996AA4EF8E21 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A6996AA4EF8E21 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/A6996AA4EF8E21 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/A6996AA4EF8E21 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A6996AA4EF8E21 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A6996AA4EF8E21 http://yyre45dbvn2nhbefbmh.begumvelic.at/A6996AA4EF8E21 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/A6996AA4EF8E21

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A6996AA4EF8E21

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A6996AA4EF8E21

http://yyre45dbvn2nhbefbmh.begumvelic.at/A6996AA4EF8E21

http://xlowfznrg4wf7dli.ONION/A6996AA4EF8E21

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (880) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dtnfknrypgxp.exe52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dtnfknrypgxp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe

Drops startup file 6 IoCs

Processes:

dtnfknrypgxp.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qokdw.txt	dtnfknrypgxp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+qokdw.txt	dtnfknrypgxp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe

Executes dropped EXE 1 IoCs

Processes:

dtnfknrypgxp.exe

pid process

3244 dtnfknrypgxp.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dtnfknrypgxp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stoqkci = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\dtnfknrypgxp.exe"	dtnfknrypgxp.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

dtnfknrypgxp.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileWord32x32.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\THMBNAIL.PNG	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-100_contrast-black.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72_altform-unplated_contrast-white.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-125.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\_ReCoVeRy_+qokdw.txt	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-72_altform-lightunplated.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TinyTile.scale-100_contrast-black.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\_ReCoVeRy_+qokdw.txt	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8041_40x40x32.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-150.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-100.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\fr\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-100.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sun.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Content\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-125.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-400.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-48_altform-unplated_contrast-white.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\photo-shim.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-black_scale-100.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-24.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\_ReCoVeRy_+qokdw.txt	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashWideTile.scale-125_contrast-black.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-150.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-200.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_ReCoVeRy_+qokdw.txt	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-125.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-125.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Snooze.scale-64.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_empty.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-100.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-200.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\Pages\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\_ReCoVeRy_+qokdw.html	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\_ReCoVeRy_+qokdw.txt	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\_ReCoVeRy_+qokdw.txt	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-250.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\_ReCoVeRy_+qokdw.txt	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\_ReCoVeRy_+qokdw.png	dtnfknrypgxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\MedTile.scale-100.png	dtnfknrypgxp.exe

Drops file in Windows directory 2 IoCs

Processes:

52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\dtnfknrypgxp.exe	52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe
File opened for modification	C:\Windows\dtnfknrypgxp.exe	52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exedtnfknrypgxp.execmd.exeNOTEPAD.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtnfknrypgxp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

dtnfknrypgxp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings dtnfknrypgxp.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3708 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dtnfknrypgxp.exe

pid	process
3708	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dtnfknrypgxp.exe

pid	process
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe
3244	dtnfknrypgxp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4788 msedge.exe
4788 msedge.exe
4788 msedge.exe
4788 msedge.exe
4788 msedge.exe
4788 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exedtnfknrypgxp.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	396	52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe
Token: SeDebugPrivilege	3244	dtnfknrypgxp.exe
Token: SeIncreaseQuotaPrivilege	844	WMIC.exe
Token: SeSecurityPrivilege	844	WMIC.exe
Token: SeTakeOwnershipPrivilege	844	WMIC.exe
Token: SeLoadDriverPrivilege	844	WMIC.exe
Token: SeSystemProfilePrivilege	844	WMIC.exe
Token: SeSystemtimePrivilege	844	WMIC.exe
Token: SeProfSingleProcessPrivilege	844	WMIC.exe
Token: SeIncBasePriorityPrivilege	844	WMIC.exe
Token: SeCreatePagefilePrivilege	844	WMIC.exe
Token: SeBackupPrivilege	844	WMIC.exe
Token: SeRestorePrivilege	844	WMIC.exe
Token: SeShutdownPrivilege	844	WMIC.exe
Token: SeDebugPrivilege	844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	844	WMIC.exe
Token: SeRemoteShutdownPrivilege	844	WMIC.exe
Token: SeUndockPrivilege	844	WMIC.exe
Token: SeManageVolumePrivilege	844	WMIC.exe
Token: 33	844	WMIC.exe
Token: 34	844	WMIC.exe
Token: 35	844	WMIC.exe
Token: 36	844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	844	WMIC.exe
Token: SeSecurityPrivilege	844	WMIC.exe
Token: SeTakeOwnershipPrivilege	844	WMIC.exe
Token: SeLoadDriverPrivilege	844	WMIC.exe
Token: SeSystemProfilePrivilege	844	WMIC.exe
Token: SeSystemtimePrivilege	844	WMIC.exe
Token: SeProfSingleProcessPrivilege	844	WMIC.exe
Token: SeIncBasePriorityPrivilege	844	WMIC.exe
Token: SeCreatePagefilePrivilege	844	WMIC.exe
Token: SeBackupPrivilege	844	WMIC.exe
Token: SeRestorePrivilege	844	WMIC.exe
Token: SeShutdownPrivilege	844	WMIC.exe
Token: SeDebugPrivilege	844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	844	WMIC.exe
Token: SeRemoteShutdownPrivilege	844	WMIC.exe
Token: SeUndockPrivilege	844	WMIC.exe
Token: SeManageVolumePrivilege	844	WMIC.exe
Token: 33	844	WMIC.exe
Token: 34	844	WMIC.exe
Token: 35	844	WMIC.exe
Token: 36	844	WMIC.exe
Token: SeBackupPrivilege	2900	vssvc.exe
Token: SeRestorePrivilege	2900	vssvc.exe
Token: SeAuditPrivilege	2900	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3800	WMIC.exe
Token: SeSecurityPrivilege	3800	WMIC.exe
Token: SeTakeOwnershipPrivilege	3800	WMIC.exe
Token: SeLoadDriverPrivilege	3800	WMIC.exe
Token: SeSystemProfilePrivilege	3800	WMIC.exe
Token: SeSystemtimePrivilege	3800	WMIC.exe
Token: SeProfSingleProcessPrivilege	3800	WMIC.exe
Token: SeIncBasePriorityPrivilege	3800	WMIC.exe
Token: SeCreatePagefilePrivilege	3800	WMIC.exe
Token: SeBackupPrivilege	3800	WMIC.exe
Token: SeRestorePrivilege	3800	WMIC.exe
Token: SeShutdownPrivilege	3800	WMIC.exe
Token: SeDebugPrivilege	3800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3800	WMIC.exe
Token: SeRemoteShutdownPrivilege	3800	WMIC.exe
Token: SeUndockPrivilege	3800	WMIC.exe
Token: SeManageVolumePrivilege	3800	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exedtnfknrypgxp.exemsedge.exe

description	pid	process	target process
PID 396 wrote to memory of 3244	396	52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe	dtnfknrypgxp.exe
PID 396 wrote to memory of 3244	396	52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe	dtnfknrypgxp.exe
PID 396 wrote to memory of 3244	396	52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe	dtnfknrypgxp.exe
PID 396 wrote to memory of 4860	396	52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe	cmd.exe
PID 396 wrote to memory of 4860	396	52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe	cmd.exe
PID 396 wrote to memory of 4860	396	52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe	cmd.exe
PID 3244 wrote to memory of 844	3244	dtnfknrypgxp.exe	WMIC.exe
PID 3244 wrote to memory of 844	3244	dtnfknrypgxp.exe	WMIC.exe
PID 3244 wrote to memory of 3708	3244	dtnfknrypgxp.exe	NOTEPAD.EXE
PID 3244 wrote to memory of 3708	3244	dtnfknrypgxp.exe	NOTEPAD.EXE
PID 3244 wrote to memory of 3708	3244	dtnfknrypgxp.exe	NOTEPAD.EXE
PID 3244 wrote to memory of 4788	3244	dtnfknrypgxp.exe	msedge.exe
PID 3244 wrote to memory of 4788	3244	dtnfknrypgxp.exe	msedge.exe
PID 4788 wrote to memory of 2140	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 2140	4788	msedge.exe	msedge.exe
PID 3244 wrote to memory of 3800	3244	dtnfknrypgxp.exe	WMIC.exe
PID 3244 wrote to memory of 3800	3244	dtnfknrypgxp.exe	WMIC.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1416	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1908	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 1908	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 5080	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 5080	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 5080	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 5080	4788	msedge.exe	msedge.exe
PID 4788 wrote to memory of 5080	4788	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

dtnfknrypgxp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dtnfknrypgxp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dtnfknrypgxp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\52aa7e36c5636d8071e21deac876dcbb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\dtnfknrypgxp.exe
C:\Windows\dtnfknrypgxp.exe
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3244

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdde5346f8,0x7ffdde534708,0x7ffdde534718
4⤵
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11590086166708702769,5408032360245018588,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
4⤵
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11590086166708702769,5408032360245018588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
4⤵
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,11590086166708702769,5408032360245018588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
4⤵
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11590086166708702769,5408032360245018588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
4⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11590086166708702769,5408032360245018588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
4⤵
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11590086166708702769,5408032360245018588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
4⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11590086166708702769,5408032360245018588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
4⤵
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11590086166708702769,5408032360245018588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
4⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11590086166708702769,5408032360245018588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
4⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11590086166708702769,5408032360245018588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
4⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11590086166708702769,5408032360245018588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
4⤵
PID:1324

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DTNFKN~1.EXE
3⤵
- System Location Discovery: System Language Discovery
PID:4624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\52AA7E~1.EXE
2⤵
- System Location Discovery: System Language Discovery
PID:4860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qokdw.html

Filesize
12KB

MD5
92fc648386f1b021782a8b2762561278

SHA1
5aee6a9a8ab3155f6fe3e816e380518ea9b3364e

SHA256
a5ef263e3eeb9b8a81d6ceaa106ce094bf85bd5dad32db7abb25271751232fd5

SHA512
c46c5bb6f6e9ce3a1197830baf041e199e7def4f2e79dfaa0de4f2905f28ace075ed400b2ca7e3372fed4a6ea3f61ae2f3cb9a9141b55a51421803d22347c962

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qokdw.png

Filesize
64KB

MD5
3bb29e044465f898f63bc5518f2652f6

SHA1
c4351238fe09a42aa56f1ad7acfb627de42d02eb

SHA256
3b645f7118acdde4143b59f20d0f32cdacc6da6852f60b549ff67f2278ac70ec

SHA512
b2a5d29585a773d6fc02a6343d0f7fa1992d4a30c9af789de94cc28623b9da33daf8d6057caaa3860b83f07024e0c45dc3cf0ccd09a0974565e99c47b8a2fe1f

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qokdw.txt

Filesize
1KB

MD5
bad57cc4433f2243a28a6826553eb09c

SHA1
406fc6ae77e205616df17985576d1238c4b97815

SHA256
8c69cd05f0a874017016a03923dabafbe90d2cb15153ce5d7a4524624b687c7a

SHA512
b19f6be36a13098ff3c3b6e8498f7f27bc0f2d63744b5e024601a74f8984ee9630fd9d94c3936dd687803d2969da387ccb4680fe9d269cf01386333f311d33f5

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
0bc0505b839c02e8bb328cf015268e92

SHA1
5fbf801dacaaf5e7cd2d8c74a8c3e859f80d804f

SHA256
ae1b6f455d35d1a4eace28de46633175a7473f2808ddf0e1375f52f2484104a8

SHA512
c8052f969715241c125dc3ac6a4923e9071331c88aec1c424d7193b614a594a37c764d95adfc9c3ef7383065d98af8f7bb4b755b10962c341004513a3d0a245f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
29460235889e1d95077465d1bc9884fc

SHA1
d5170b00324bc9b36f6a01f547fd9b8766a2e887

SHA256
ee32f0615f96e688e77f009db08592bf5027c7d72eed9e678bc1efbacb04efb8

SHA512
f8cf4f616215712a1aca51d32ca34705b0a9a942972287a357e65c0f5416f2b739e531fa8957c34213a4e6b397941597038eec27a2c3afbee6084ac14803ebfb

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
5465e3a9b8029574af8d0f51257b6139

SHA1
7388b731d727ca54756f3d916f6480ca7e76fe3c

SHA256
be3f585c713edcf932ea330ff854253d4b76549d0ca40aeff54b42ed04949ebc

SHA512
6c983a48f4d3f4847955d7537cccde99f44d647e979694ada8f69cf3c89a0a128c43ad7f3c4e3c056a04b2528241bd2d5b59dc8ab1f23d406e71b7a8e98e71fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d8e01d4706c2856c118f0bcb38bc9f65

SHA1
d6dc1c18c4adc1af57791f6696df00af4df58909

SHA256
86e2b26baa97f9a380b1d2eeb49dc475df2cc99c3f1013cef0a5eabac115aa1d

SHA512
53e90d21f3dcd94fe9106242cf0a9680f5c7bb96562186d727662e6e3e300668ab820223590ce88bac9919b68bcfd10fd58af15c80263aa96eefe8192ea6854d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
18112e330badb77b1cd7e8896045e369

SHA1
0b0f85bddf5b5753ac8d1dd499157f9a7a1305dd

SHA256
b980adf921d8fbdabf2a03ff69b22dae8ebb7ec3a233f0e667fb773d13b6b8e8

SHA512
f75ebbf2509f5ded85cdc6842790edb041eb506407c22573c2463c23e680bf7373d0ef8219e482c6f758bb31c537e2199b5983211e12171c0c21c500c5ec9a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3a339053b3b068f98e3e5268f44ed665

SHA1
f32fd2cb890a683c4c095716b9785906763f1547

SHA256
08efebbf5ddbe0d90b9d0ad2c7f04de1def4c49e6703fb6e92679ec17aeb1be5

SHA512
c6007060bc01a168907c8a4b40678ab8c28753f0485204b03a8dce410f9fc502674c3aca09b5693b2e475b71d9e76bc5c039432eda219d026c9c06363a70c953

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656325443828.txt

Filesize
77KB

MD5
3413f7f88e5ef3b856c13d1819efe4b0

SHA1
3b93cfedfef0ab77c7f881bf2620ffe1cfc8494c

SHA256
d4de8b7712e20c23c1e395bd579f3bffb5b81903c35ab79908527a1f6880b5a6

SHA512
b793aa323b41497165d917e4acae08ed471abea53706732cbbcd94b54b1d39de9512dfe5363776b9fb4f8fc201db4491c379a259c2979e1b86d410299c15a222

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657695736094.txt

Filesize
47KB

MD5
5bc4649522b773fae3d981abe47c38fd

SHA1
e0c6280db8d079f24f06ee63e12f85eb3abd0136

SHA256
ee51f4ecedf000a6224a8f772616b49dc17be6e45beaebc9fa0f17f8f9e1ec7a

SHA512
e5075e2384ffae28257f8e72d11738bc3f36e838fdddc340ea88acf2ea495a41796e457758006392e65c0087d6290e71c87a94ade734d8920ab178707b16bcd8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666235612999.txt

Filesize
74KB

MD5
9918f16dcdfc637d40b3c7b8c8578aae

SHA1
7109ad1ee293d502de17e7939acd6e518a1a9c5f

SHA256
6d712284f1e197c4bc18217c124d783488ef9eae207b8c003992c36f338d3c30

SHA512
ce654a8e8955da04d7e956ea68119f1fb01170e39cb60fa265a7a523b945c11539f36e0f6c5ef435c54dca14021beb90b101cf1b2829b69348ee3cf9b7bef311

Download Submit
C:\Windows\dtnfknrypgxp.exe

Filesize
352KB

MD5
52aa7e36c5636d8071e21deac876dcbb

SHA1
52e97285ecdb7de4d7130e68ccd894f228f6090d

SHA256
d50b6e077e629c2e0f8bb36e85df27977643a472277f254167aef19f8525fd01

SHA512
79cbd1bdf4de7a10020442402e837948df5ca99ab6cf5eefa659eccb4f629a7126b3ee2a8fd23fa6fd1fc8b96faa2afca65255639ea7816563cbaa157c521e66

Download Submit
\??\pipe\LOCAL\crashpad_4788_FOXVMZKIUZGQYEUO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/396-0-0x0000000002220000-0x00000000022A6000-memory.dmp

Filesize
536KB

Download
memory/396-9-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/396-11-0x0000000002220000-0x00000000022A6000-memory.dmp

Filesize
536KB

Download
memory/396-2-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3244-5623-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3244-9119-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3244-10747-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3244-2848-0x0000000002150000-0x00000000021D6000-memory.dmp

Filesize
536KB

Download
memory/3244-2847-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3244-10791-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3244-10-0x0000000002150000-0x00000000021D6000-memory.dmp

Filesize
536KB

Download