teslacrypt | 6950d9f5794147161a7628aedcea38671ee33148580e015cf973f6a86c158d15

Resubmissions

18-10-2024 13:44

241018-q1r6sazdkb 7

18-10-2024 13:29

241018-qrhkzs1hrn 10

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
Size

344KB
MD5

57b2a1db98a792e2498b6ba5344deb90
SHA1

b8a75d237c860f0128eae5adeb7e76f41233fc36
SHA256

6950d9f5794147161a7628aedcea38671ee33148580e015cf973f6a86c158d15
SHA512

36ebdbc0b27025e9bcc0edbe0cb9b40f2f4f4bbc1582d8e94e42d399a474d45227789d158b7d991fd04424188429fbc00fcf9db06922e3e8abf1506c4aa6d729
SSDEEP

6144:FqvsZf39vcCN1RHCfsIltPv6qn0/+sK+x20Im5iTxSO+xUJ:FqIv/wTPv6Q0GwFPxU

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+efwpl.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/203E6626954748B 2. http://tes543berda73i48fsdfsd.keratadze.at/203E6626954748B 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/203E6626954748B If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/203E6626954748B 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/203E6626954748B http://tes543berda73i48fsdfsd.keratadze.at/203E6626954748B http://tt54rfdjhb34rfbnknaerg.milerteddy.com/203E6626954748B *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/203E6626954748B

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/203E6626954748B

http://tes543berda73i48fsdfsd.keratadze.at/203E6626954748B

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/203E6626954748B

http://xlowfznrg4wf7dli.ONION/203E6626954748B

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (860) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exeefsdrlbupjwp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	efsdrlbupjwp.exe

Drops startup file 3 IoCs

Processes:

efsdrlbupjwp.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+efwpl.txt	efsdrlbupjwp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+efwpl.html	efsdrlbupjwp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+efwpl.png	efsdrlbupjwp.exe

Executes dropped EXE 2 IoCs

Processes:

efsdrlbupjwp.exeefsdrlbupjwp.exe

pid process

4144 efsdrlbupjwp.exe
1836 efsdrlbupjwp.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
4144	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

efsdrlbupjwp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qifvobvxqrlc = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\efsdrlbupjwp.exe\""	efsdrlbupjwp.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exeefsdrlbupjwp.exe

description	pid	process	target process
PID 4828 set thread context of 3548	4828	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 4144 set thread context of 1836	4144	efsdrlbupjwp.exe	efsdrlbupjwp.exe

Drops file in Program Files directory 64 IoCs

Processes:

efsdrlbupjwp.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\Recovery+efwpl.txt	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\WideTile.scale-200.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\Recovery+efwpl.txt	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-400.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-96_altform-unplated_contrast-white.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dtplugin\Recovery+efwpl.txt	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\Recovery+efwpl.html	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\Recovery+efwpl.txt	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\1.jpg	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\PaintMedTile.scale-125.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phone-small.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare71x71Logo.scale-200.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-400.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\Recovery+efwpl.html	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextDark.scale-125.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-white.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\chats_emptystate_v3.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-24.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\Recovery+efwpl.txt	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Text\Recovery+efwpl.html	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch-Dark.scale-100.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\28.jpg	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-150.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-125.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\Recovery+efwpl.html	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\Recovery+efwpl.txt	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-400.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Recovery+efwpl.html	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\Recovery+efwpl.txt	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-lightunplated.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\Recovery+efwpl.txt	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-125_contrast-white.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Recovery+efwpl.html	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Recovery+efwpl.txt	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-200.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\10px.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_scale-200.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-100.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\Recovery+efwpl.html	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-16_altform-unplated_contrast-high.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+efwpl.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-lightunplated.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-32.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-unplated.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png	efsdrlbupjwp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40_altform-lightunplated.png	efsdrlbupjwp.exe

Drops file in Windows directory 2 IoCs

Processes:

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\efsdrlbupjwp.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
File opened for modification	C:\Windows\efsdrlbupjwp.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

efsdrlbupjwp.exeNOTEPAD.EXEcmd.exe57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exeefsdrlbupjwp.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efsdrlbupjwp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efsdrlbupjwp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

efsdrlbupjwp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings efsdrlbupjwp.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4392 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	efsdrlbupjwp.exe

pid	process
4392	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

efsdrlbupjwp.exe

pid	process
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe
1836	efsdrlbupjwp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4140 msedge.exe
4140 msedge.exe
4140 msedge.exe
4140 msedge.exe
4140 msedge.exe
4140 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exeefsdrlbupjwp.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3548	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
Token: SeDebugPrivilege	1836	efsdrlbupjwp.exe
Token: SeIncreaseQuotaPrivilege	3404	WMIC.exe
Token: SeSecurityPrivilege	3404	WMIC.exe
Token: SeTakeOwnershipPrivilege	3404	WMIC.exe
Token: SeLoadDriverPrivilege	3404	WMIC.exe
Token: SeSystemProfilePrivilege	3404	WMIC.exe
Token: SeSystemtimePrivilege	3404	WMIC.exe
Token: SeProfSingleProcessPrivilege	3404	WMIC.exe
Token: SeIncBasePriorityPrivilege	3404	WMIC.exe
Token: SeCreatePagefilePrivilege	3404	WMIC.exe
Token: SeBackupPrivilege	3404	WMIC.exe
Token: SeRestorePrivilege	3404	WMIC.exe
Token: SeShutdownPrivilege	3404	WMIC.exe
Token: SeDebugPrivilege	3404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3404	WMIC.exe
Token: SeRemoteShutdownPrivilege	3404	WMIC.exe
Token: SeUndockPrivilege	3404	WMIC.exe
Token: SeManageVolumePrivilege	3404	WMIC.exe
Token: 33	3404	WMIC.exe
Token: 34	3404	WMIC.exe
Token: 35	3404	WMIC.exe
Token: 36	3404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3404	WMIC.exe
Token: SeSecurityPrivilege	3404	WMIC.exe
Token: SeTakeOwnershipPrivilege	3404	WMIC.exe
Token: SeLoadDriverPrivilege	3404	WMIC.exe
Token: SeSystemProfilePrivilege	3404	WMIC.exe
Token: SeSystemtimePrivilege	3404	WMIC.exe
Token: SeProfSingleProcessPrivilege	3404	WMIC.exe
Token: SeIncBasePriorityPrivilege	3404	WMIC.exe
Token: SeCreatePagefilePrivilege	3404	WMIC.exe
Token: SeBackupPrivilege	3404	WMIC.exe
Token: SeRestorePrivilege	3404	WMIC.exe
Token: SeShutdownPrivilege	3404	WMIC.exe
Token: SeDebugPrivilege	3404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3404	WMIC.exe
Token: SeRemoteShutdownPrivilege	3404	WMIC.exe
Token: SeUndockPrivilege	3404	WMIC.exe
Token: SeManageVolumePrivilege	3404	WMIC.exe
Token: 33	3404	WMIC.exe
Token: 34	3404	WMIC.exe
Token: 35	3404	WMIC.exe
Token: 36	3404	WMIC.exe
Token: SeBackupPrivilege	1516	vssvc.exe
Token: SeRestorePrivilege	1516	vssvc.exe
Token: SeAuditPrivilege	1516	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2176	WMIC.exe
Token: SeSecurityPrivilege	2176	WMIC.exe
Token: SeTakeOwnershipPrivilege	2176	WMIC.exe
Token: SeLoadDriverPrivilege	2176	WMIC.exe
Token: SeSystemProfilePrivilege	2176	WMIC.exe
Token: SeSystemtimePrivilege	2176	WMIC.exe
Token: SeProfSingleProcessPrivilege	2176	WMIC.exe
Token: SeIncBasePriorityPrivilege	2176	WMIC.exe
Token: SeCreatePagefilePrivilege	2176	WMIC.exe
Token: SeBackupPrivilege	2176	WMIC.exe
Token: SeRestorePrivilege	2176	WMIC.exe
Token: SeShutdownPrivilege	2176	WMIC.exe
Token: SeDebugPrivilege	2176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2176	WMIC.exe
Token: SeRemoteShutdownPrivilege	2176	WMIC.exe
Token: SeUndockPrivilege	2176	WMIC.exe
Token: SeManageVolumePrivilege	2176	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exeefsdrlbupjwp.exeefsdrlbupjwp.exemsedge.exe

description	pid	process	target process
PID 4828 wrote to memory of 3548	4828	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 4828 wrote to memory of 3548	4828	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 4828 wrote to memory of 3548	4828	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 4828 wrote to memory of 3548	4828	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 4828 wrote to memory of 3548	4828	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 4828 wrote to memory of 3548	4828	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 4828 wrote to memory of 3548	4828	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 4828 wrote to memory of 3548	4828	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 4828 wrote to memory of 3548	4828	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 3548 wrote to memory of 4144	3548	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	efsdrlbupjwp.exe
PID 3548 wrote to memory of 4144	3548	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	efsdrlbupjwp.exe
PID 3548 wrote to memory of 4144	3548	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	efsdrlbupjwp.exe
PID 3548 wrote to memory of 3592	3548	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	cmd.exe
PID 3548 wrote to memory of 3592	3548	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	cmd.exe
PID 3548 wrote to memory of 3592	3548	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	cmd.exe
PID 4144 wrote to memory of 1836	4144	efsdrlbupjwp.exe	efsdrlbupjwp.exe
PID 4144 wrote to memory of 1836	4144	efsdrlbupjwp.exe	efsdrlbupjwp.exe
PID 4144 wrote to memory of 1836	4144	efsdrlbupjwp.exe	efsdrlbupjwp.exe
PID 4144 wrote to memory of 1836	4144	efsdrlbupjwp.exe	efsdrlbupjwp.exe
PID 4144 wrote to memory of 1836	4144	efsdrlbupjwp.exe	efsdrlbupjwp.exe
PID 4144 wrote to memory of 1836	4144	efsdrlbupjwp.exe	efsdrlbupjwp.exe
PID 4144 wrote to memory of 1836	4144	efsdrlbupjwp.exe	efsdrlbupjwp.exe
PID 4144 wrote to memory of 1836	4144	efsdrlbupjwp.exe	efsdrlbupjwp.exe
PID 4144 wrote to memory of 1836	4144	efsdrlbupjwp.exe	efsdrlbupjwp.exe
PID 1836 wrote to memory of 3404	1836	efsdrlbupjwp.exe	WMIC.exe
PID 1836 wrote to memory of 3404	1836	efsdrlbupjwp.exe	WMIC.exe
PID 1836 wrote to memory of 4392	1836	efsdrlbupjwp.exe	NOTEPAD.EXE
PID 1836 wrote to memory of 4392	1836	efsdrlbupjwp.exe	NOTEPAD.EXE
PID 1836 wrote to memory of 4392	1836	efsdrlbupjwp.exe	NOTEPAD.EXE
PID 1836 wrote to memory of 4140	1836	efsdrlbupjwp.exe	msedge.exe
PID 1836 wrote to memory of 4140	1836	efsdrlbupjwp.exe	msedge.exe
PID 4140 wrote to memory of 376	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 376	4140	msedge.exe	msedge.exe
PID 1836 wrote to memory of 2176	1836	efsdrlbupjwp.exe	WMIC.exe
PID 1836 wrote to memory of 2176	1836	efsdrlbupjwp.exe	WMIC.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe
PID 4140 wrote to memory of 1152	4140	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

efsdrlbupjwp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	efsdrlbupjwp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	efsdrlbupjwp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\efsdrlbupjwp.exe
C:\Windows\efsdrlbupjwp.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\efsdrlbupjwp.exe
C:\Windows\efsdrlbupjwp.exe
4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1836

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff916ba46f8,0x7ff916ba4708,0x7ff916ba4718
6⤵
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11080675869079904612,16374748625677161129,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
6⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11080675869079904612,16374748625677161129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
6⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11080675869079904612,16374748625677161129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
6⤵
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080675869079904612,16374748625677161129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
6⤵
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080675869079904612,16374748625677161129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
6⤵
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11080675869079904612,16374748625677161129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
6⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11080675869079904612,16374748625677161129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
6⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080675869079904612,16374748625677161129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
6⤵
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080675869079904612,16374748625677161129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
6⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080675869079904612,16374748625677161129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
6⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080675869079904612,16374748625677161129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
6⤵
PID:4328

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\EFSDRL~1.EXE
5⤵
- System Location Discovery: System Language Discovery
PID:3132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\57B2A1~1.EXE
3⤵
- System Location Discovery: System Language Discovery
PID:3592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+efwpl.html

Filesize
11KB

MD5
9eb45dcadb0b0f44714b75de50d8db10

SHA1
b8f03e20f959166ac82eeedb9c0211a5c17f4712

SHA256
ad0d8bbac94025255b9fce31e95db6b7f5eeafa4ca6c3cb3064f5fb7d1e1c628

SHA512
a05aab561ce163f5709347437d16df84e24a7ae2e0c439becdf560d0fe45d1faba65a931807e8bef07e7ccb6d668eb36ee6c903e4d06c1dbef8ea2238868ed13

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+efwpl.png

Filesize
62KB

MD5
94c0122559ddf01315f8ef65e3139848

SHA1
cd3df3cdb2cabcffefd205043e2fc3ab677abce0

SHA256
de0cd1a8ec897b5417720a094b3fca3caf725772f6fea58751f027e976436095

SHA512
834fd5552d999999adbbdb9f1f88cfc655fe6b86c4f1ad17eae57e2fb98d224924b72553b95b517d00e683209f4291ee8e123b5c59bf8a3063e84b1638c93b25

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+efwpl.txt

Filesize
1KB

MD5
af4b1659b2106f65a7445a4fb0bcec0a

SHA1
8f3cb736f776dc480269e2ffffe9cf9b2e94719c

SHA256
865ba436e504dd1fad17ded902aa48e4745bb744c3d65caea0c4ec083929cc2e

SHA512
105cd8d87a918ef633285dffec08928e4e0e08cc85ca5a00351a5c4064dde14c36a10ee553b2cf81cf44d6dfcf9b1173e8bb3278032844be7ea61b9cc7123930

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
cbd1194ebc83a4730314bf66047db620

SHA1
b76793291544af4d0e6efb07ad03d59a0ad341f5

SHA256
fcd457f1428a1896e03303bc4d7c54d8c86f3e32f490e6fce0fb0c0b2c41bf97

SHA512
2f2efc65b6aa4c61ddc4ac5759645ffee0f60d7f3c52939f69552ecf7ac16a8365d1aef5ea1615c815df75f69a9b58f9bd5d676334500b4098f32af2cdc70cd4

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
6da57b4412f42ae23b92e612ce0f311c

SHA1
cb6583272766108af0d9ab05a31b88f1da14225b

SHA256
404f8d1660780de02ac820d513155d74df2e98c1a006024ae685110de13ab93b

SHA512
66e4a31eb7ec2b6f965b10091a4185c4179d9832bbc8a61a84630eb7c5fcc0571346edd17851fde1b812428d8c5720348afbca44ef4e9feb6cb5a041c274a448

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
866d49245fe77cd187ecd226185847b4

SHA1
0ea21886412cd7fe45312063ef7b732a99d1d146

SHA256
dc4c1501b9f97e8679cce5a2943c5fd14d023977de9a59a570b12a314afff6f3

SHA512
4da366d03e161508018cf185c2c0f6ff57f2a17c83e3b24fd688bbc3630b9f9750864864027cfe2efbc253fa62e6399086fd668500955ab3802acb79f1e32463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a16d487cb027ce86b1a4e32f87f6e173

SHA1
fc55ceefc0c96ba16ad28b4c3a718fd376b089a6

SHA256
539a0a21027e80451a00edf50775b8ae5d44e101340d3048e0d84cae27a6d31f

SHA512
1e3833a7e4cc9cc1653bd7bd2082ae370f64505c6817a8cd593054a9859f0090a6ad292a9285dc9326b850486ec7094848e774a6bb1744315c0036cc592af5c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aab206908b6c15607c9f09764ad71b6a

SHA1
edac7bcfabae3231aaa26d934374125dcdc5ef94

SHA256
174e12e61c6f303e74a77d4bbf06c0db0486d2b324bc848b5de5dff2a31acf3e

SHA512
08f11aa5987b848a5615597181cc3a44976f3ca8d71467fe6f1b4b7069e1ac015de1fa965f6d376f6fbbdef5cf57b72f3a728f48d7e4bfe290892292feca7af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c385aa808fea35eea240cdef30110202

SHA1
c083b6e618d48f404f1f77b6f27e0bacd4ee6e44

SHA256
dc1312a80903de01a8a3fe4974a66f81a8f656e6fa5b4d4b362b81c05f46bf71

SHA512
c6d7a57dd1bc0b0788da3608f194c06845e51217d7a3f54fadf80fe10a3d244587f69965061a151d3e0e91ad074705df34be574294d5170e48e4c93e9750c159

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656325443828.txt

Filesize
77KB

MD5
c10d42e8a844ab0a242f4f57b05c0223

SHA1
39215a19cba285440b827f9ce5cb783b9113e328

SHA256
0dcedaa9e0cf7845cf158bc8c35f84225f9ae294c818e1739a6e2e06585fcf1e

SHA512
fa192f46b97d765b353599fc225faa52de4be7fd7af09e4816bba02030f90ad2cd2c99abf145107e14e9068ed095dc96b638617286dc7b620e877cdca5931f94

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657695736094.txt

Filesize
47KB

MD5
0019d63a3d5d063077ae384cc85697db

SHA1
f62a7693647d4a99181e64061c01954255e053bf

SHA256
6d5fd05255744082395f8a27a6b85aadb3655c70dd1292bd6a5752a6a93219e6

SHA512
776805d3dae64d20fb30606d41f402e3270704cf462c4e87c0523a9d31673023bcbb4dc23321d5a8b30112305177ad71544025f7904cb44071abe70f422407f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666235612999.txt

Filesize
74KB

MD5
2013049827a2a29a5633ca03bb4e979a

SHA1
77a8ceac0937db3928471c123cbe62679ae58468

SHA256
00f5cc67304bee435b51b1ae6ab5a91267a73dffc8d5111d922d2f1353578598

SHA512
99ee35735ad67e34819e99a75f7b48950fefeec370c6c373082ae14006df8675bc807a538c8767dba31172c0654c673f569f54d31bda3e1c50f6202b9211d6cd

Download Submit
C:\Windows\efsdrlbupjwp.exe

Filesize
344KB

MD5
57b2a1db98a792e2498b6ba5344deb90

SHA1
b8a75d237c860f0128eae5adeb7e76f41233fc36

SHA256
6950d9f5794147161a7628aedcea38671ee33148580e015cf973f6a86c158d15

SHA512
36ebdbc0b27025e9bcc0edbe0cb9b40f2f4f4bbc1582d8e94e42d399a474d45227789d158b7d991fd04424188429fbc00fcf9db06922e3e8abf1506c4aa6d729

Download Submit
\??\pipe\LOCAL\crashpad_4140_RMMHDZWCGOQLKGSH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1836-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-9119-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-1642-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-2657-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-2656-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-5499-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-10558-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-22-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-10492-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-10493-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-10501-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1836-10503-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3548-12-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3548-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3548-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3548-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3548-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4144-11-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/4828-0-0x00000000025F0000-0x00000000025F3000-memory.dmp

Filesize
12KB

Download
memory/4828-3-0x00000000025F0000-0x00000000025F3000-memory.dmp

Filesize
12KB

Download