Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-10-2024 22:18

Static task: static1

Behavioral task: behavioral1
  Sample: 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

General

Target: 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
Size: 356KB
MD5: 5ef1fdd422951c153db8c39b87e84e5d
SHA1: a89966004343653b2d20c06b373b1390ed0450d3
SHA256: b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e
SHA512: 94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871
SSDEEP: 6144:nOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:nFeq0F+PzcOLyWRsHA93/oswe

Malware Config

Extracted
  Path: C:\Program Files\7-Zip\Lang\_ReCoVeRy_+hphte.txt
  Family: teslacrypt
  URLs:
    http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9C1E355595DD6A
    http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9C1E355595DD6A
    http://yyre45dbvn2nhbefbmh.begumvelic.at/9C1E355595DD6A
    http://xlowfznrg4wf7dli.ONION/9C1E355595DD6A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe, stetcqlymbji.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | stetcqlymbji.exe

Drops startup file (6 IoCs)
Processes: stetcqlymbji.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+hphte.png | stetcqlymbji.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+hphte.txt | stetcqlymbji.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+hphte.html | stetcqlymbji.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+hphte.png | stetcqlymbji.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+hphte.txt | stetcqlymbji.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+hphte.html | stetcqlymbji.exe

Executes dropped EXE (2 IoCs)
Processes: stetcqlymbji.exe, stetcqlymbji.exe
pid | process
4924 | stetcqlymbji.exe
2728 | stetcqlymbji.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: stetcqlymbji.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mavdnil = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\stetcqlymbji.exe" | stetcqlymbji.exe

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of SetThreadContext (2 IoCs)
Processes: 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe, stetcqlymbji.exe
description | pid | process | target process
PID 3396 set thread context of 3044 | 3396 | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 4924 set thread context of 2728 | 4924 | stetcqlymbji.exe | stetcqlymbji.exe

Drops file in Program Files directory (64 IoCs)
Processes: stetcqlymbji.exe

Drops file in Windows directory (2 IoCs)
Processes: 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\stetcqlymbji.exe | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
File opened for modification | C:\Windows\stetcqlymbji.exe | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe, stetcqlymbji.exe, cmd.exe, stetcqlymbji.exe, NOTEPAD.EXE, cmd.exe, 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stetcqlymbji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stetcqlymbji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Modifies registry class (1 IoC)
Processes: stetcqlymbji.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | stetcqlymbji.exe

Opens file in notepad (likely ransom note) (1 IoC)
Processes: NOTEPAD.EXE
pid | process
3644 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: stetcqlymbji.exe
pid | process
2728 | stetcqlymbji.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes: msedge.exe
pid | process
2348 | msedge.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe, stetcqlymbji.exe, WMIC.exe, vssvc.exe, WMIC.exe
description | pid | process
Token: SeDebugPrivilege | 3044 | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
Token: SeDebugPrivilege | 2728 | stetcqlymbji.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3080 | WMIC.exe
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 2972 | vssvc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 3556 | WMIC.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
pid | process
2348 | msedge.exe

Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
pid | process
2348 | msedge.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe, 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe, stetcqlymbji.exe, stetcqlymbji.exe, msedge.exe
description | pid | process | target process
PID 3396 wrote to memory of 3044 | 3396 | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 3044 wrote to memory of 4924 | 3044 | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe | stetcqlymbji.exe
PID 3044 wrote to memory of 4356 | 3044 | 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe | cmd.exe
PID 4924 wrote to memory of 2728 | 4924 | stetcqlymbji.exe | stetcqlymbji.exe
PID 2728 wrote to memory of 3080 | 2728 | stetcqlymbji.exe | WMIC.exe
PID 2728 wrote to memory of 3644 | 2728 | stetcqlymbji.exe | NOTEPAD.EXE
PID 2728 wrote to memory of 2348 | 2728 | stetcqlymbji.exe | msedge.exe
PID 2348 wrote to memory of 4992 | 2348 | msedge.exe | msedge.exe
PID 2728 wrote to memory of 3556 | 2728 | stetcqlymbji.exe | WMIC.exe
PID 2348 wrote to memory of 288 | 2348 | msedge.exe | msedge.exe

System policy modification (1 TTP, 2 IoCs)
Processes: stetcqlymbji.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | stetcqlymbji.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | stetcqlymbji.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"
  PID: 3396
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"
    PID: 3044
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\stetcqlymbji.exe
      Command line: C:\Windows\stetcqlymbji.exe
      PID: 4924
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\stetcqlymbji.exe
        Command line: C:\Windows\stetcqlymbji.exe
        PID: 2728
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        (depth 5) C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          PID: 3080
          - Suspicious use of AdjustPrivilegeToken

        (depth 5) C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
          PID: 3644
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)

        (depth 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
          PID: 2348
          - Enumerates system info in registry
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          (depth 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffd361546f8,0x7ffd36154708,0x7ffd36154718
            PID: 4992

          (depth 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
            PID: 288

          (depth 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
            PID: 3840

          (depth 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
            PID: 208

          (depth 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
            PID: 2804

          (depth 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
            PID: 5104
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:86⤵PID:1708
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:86⤵PID:2592
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:16⤵PID:548
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:16⤵PID:292
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:16⤵PID:4288
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:16⤵PID:1840
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3556 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\STETCQ~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5EF1FD~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:4356
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2208
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1668
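The tree above gives a detection engineer three process-level signals to key on: WMIC (or vssadmin) deleting shadow copies, a viewer being launched on a _ReCoVeRy_ note, and cmd.exe /c DEL pointed at the parent's own image through an 8.3 short name. The Python below is an added example, not part of the sandbox report or of any vendor tooling. It runs those three rules over constructed process-creation events modelled on this tree; the report lists only the child PIDs, so PIDs 1234, 900 and 5000 and every PPID are assumptions, and the 8.3 matching is a heuristic (first six characters of the long stem plus ~N) rather than a reimplementation of NTFS short-name generation.

```python
"""Triage rules over process-creation events shaped like the tree above.

Added example, not part of the sandbox report. EVENTS is constructed to mirror
the report; PIDs 1234, 900 and 5000 and every PPID are assumptions, since the
report shows only the child PIDs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # resolved image path (what an EDR or Sysmon Event ID 1 reports)
    cmdline: str  # full command line as launched


# Constructed sample events (paths and command lines copied from the tree above).
EVENTS = [
    ProcEvent(1234, 900,
              r"C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe",
              r"C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"),
    ProcEvent(2728, 1234, r"C:\Windows\stetcqlymbji.exe", r"C:\Windows\stetcqlymbji.exe"),
    ProcEvent(3080, 2728, r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    ProcEvent(3644, 2728, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT'),
    ProcEvent(2348, 2728, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
              r'--single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM'),
    ProcEvent(1716, 2728, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\STETCQ~1.EXE'),
    ProcEvent(4356, 1234, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5EF1FD~1.EXE'),
    # Benign control (constructed): deleting some other temp file is not self-deletion.
    ProcEvent(5000, 1234, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\build.log'),
]

SHADOW_DELETE = re.compile(r"\b(shadowcopy\s+delete|delete\s+shadows)\b", re.I)
RANSOM_NOTE = re.compile(r'_ReCoVeRy_[^\s"]*\.(txt|htm|html|png)\b', re.I)
DEL_TARGET = re.compile(r'\bDEL\s+(?:/\w\s+)*"?([^\s"]+)', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    path = path.replace("/", "\\")
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def split_ext(name: str) -> tuple[str, str]:
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")


def short_name_matches(short: str, long: str) -> bool:
    """Heuristic 8.3 check: does STETCQ~1.EXE plausibly denote stetcqlymbji.exe?

    Windows builds the short stem from the first six characters of the long
    stem (spaces and extra dots removed) plus ~N and truncates the extension
    to three characters. Collisions beyond ~N and the hashed ~XXXX form are
    not modelled, so a match is evidence, not proof.
    """
    s_stem, s_ext = split_ext(short)
    l_stem, l_ext = split_ext(long)
    if s_ext.lower() != l_ext.lower()[:3]:
        return False
    m = re.fullmatch(r"([^~]{1,6})~\d+", s_stem)
    if m is None:                       # not a tilde name: require an exact match
        return s_stem.lower() == l_stem.lower()
    cleaned = re.sub(r"[ .]", "", l_stem).lower()
    return cleaned.startswith(m.group(1).lower())


def analyze(events: Iterable[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule) findings for the three behaviours visible in the tree."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    findings: list[tuple[int, str]] = []
    for e in events:
        img = basename(e.image).lower()
        # 1. Shadow copy deletion through WMIC or vssadmin (inhibits recovery).
        if img in ("wmic.exe", "vssadmin.exe") and SHADOW_DELETE.search(e.cmdline):
            findings.append((e.pid, "shadow-copy-deletion"))
        # 2. A viewer launched on a TeslaCrypt-style _ReCoVeRy_ note.
        if img in ("notepad.exe", "msedge.exe") and RANSOM_NOTE.search(e.cmdline):
            findings.append((e.pid, "ransom-note-opened"))
        # 3. cmd /c DEL whose target is the parent's own image, by long or 8.3 name.
        if img == "cmd.exe":
            m = DEL_TARGET.search(e.cmdline)
            parent = by_pid.get(e.ppid)
            if m and parent:
                target = m.group(1)
                if (dirname(target) == dirname(parent.image)
                        and short_name_matches(basename(target), basename(parent.image))):
                    findings.append((e.pid, "parent-self-deletion"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(f"PID {pid}: {rule}")
```

Run against the constructed events the rules fire on both WMIC calls' counterpart (PID 3080 here), on notepad.exe and msedge.exe opening the note, and on both cmd.exe deletions, while the control deletion of build.log stays silent. Feeding real Sysmon or EDR process events in is a matter of filling ProcEvent from the ParentProcessId, Image and CommandLine fields; the directory comparison is what keeps the 8.3 heuristic from flagging unrelated files that happen to share a six-character prefix.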
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 12KB
  MD5: 16498f5835d4e84e73e985136535fb6c
  SHA1: 080c38ee1abd20c6b5cd5af45b2b463676d81824
  SHA256: 595b888e93bd59741a495d5130c370ae62468e2155718226ac2c16dfa522bb63
  SHA512: 6aa595d87d91b00921bb4bbef4d0f977219445197cd1b8a5434d8aa94dfde56ac4f72c1f5d398d489ac7c5fdcbc2d322fce6dbd6c9debef49ad3e377abb91137
- Filesize: 64KB
  MD5: 5190c7e6b91aa8463cbfe26bd67ac155
  SHA1: 7ab8c93e96c35cefe126abe0d8e2dbef39667e01
  SHA256: 3cc5e0dee02c4f0c231284f255a2e914ab9c7b65c3a54cad3f6d1a891a6fe1fb
  SHA512: 186e1e28375985a966598354d09927f7bc1dab53da43c90b418482c9f870297109faec96a6fa9f52676b5420a87f6fe7b6d3bb54a6d1436a0c5ca9944fc0077e
- Filesize: 1KB
  MD5: a653901ac27d3a1f7cb35922df93b6c0
  SHA1: abf30407845e01907cc8c4d4035ed39d4b52787e
  SHA256: aaa82f49cc6788c02a55d26a38963dd8dd83722cb830e3aee16c20b7b37039a1
  SHA512: 37965fc17d3876e4968a4e4fe14bebf525748aee4aaca863409a59389f930022a710bbfd9d6da9b81c545a5d83dd2d783060b647f5b46526648219b7c661f9b6
- Filesize: 560B
  MD5: 5afdff6596fb94be517f4e030c75f0e0
  SHA1: 4ef608ec3bad82d3635848ffb180b213345c23e4
  SHA256: 5051e285f84f0a5c0db0430ef9af7352eb406fafd305c20ea6db9cf54aed5be9
  SHA512: 36312e6cf66427e145c4a6dc14e83fd0b2096c0ff0ec99990395e7966898179af61bf1e3e17b88f9e4ffa6793c3c6c4a6bc0f182d709630b9679ce1da65e34f5
- Filesize: 560B
  MD5: 57c3b0e0a51702ae3bc039e21236ffbb
  SHA1: 86f9e2989654cc4df9504c7227b4ed5566e6b9db
  SHA256: 0e3ab621e0fa7731094ef44349fd4a2c7a49d52abf3e1b6a8880b767d0335783
  SHA512: c9ac6e3a6c2d670ec94d288526c0fad012f98401758b487c148dce212bc52bf364a30866da55554f0d8ec279bb0c2a8b201a2c325390bde668f20cd9c6c82e35
- Filesize: 416B
  MD5: 7fcb1e83fc8a96b6f16c6e6da500c2a3
  SHA1: 2637ad6698309135abd54e4df285fd63634486bd
  SHA256: 4d17cf9fd3ab1988bbb019ae0a49337c959e3d84bcfef0d71edfc561757632f0
  SHA512: 1270ac5aabc2f3932033c0ffd77520018eb79a47a9068d431bef40f8f87a947bd643aa76c081f04dce1aeb8a369c22fd43e5454bc329b48b6f7d8ba42b664ef2
- Filesize: 152B
  MD5: d22073dea53e79d9b824f27ac5e9813e
  SHA1: 6d8a7281241248431a1571e6ddc55798b01fa961
  SHA256: 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
  SHA512: 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
- Filesize: 152B
  MD5: bffcefacce25cd03f3d5c9446ddb903d
  SHA1: 8923f84aa86db316d2f5c122fe3874bbe26f3bab
  SHA256: 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
  SHA512: 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
- Filesize: 5KB
  MD5: da0bb20a73ca1628692baf50b163cc90
  SHA1: e19477aaac2031d3a79ff7b35ef846fde2c69431
  SHA256: 0ca74c45155e1b7d2d9285fc046496803c21858d912024e0fa15c2b9acebe9cf
  SHA512: b4acbea73711759e4dbb26372d32e85825429c6fdfa57f85c5216cc90c2a1a21e9a4a55fe416c216adaa26eaeeb664aa4cede2015e5f54e8da11704ae90e1ef9
- Filesize: 6KB
  MD5: f4aee8ccecc11944f58d239ac57450ed
  SHA1: f460159c092e58cfc12cc76838e7b619644da73a
  SHA256: ca32cbd8ebc3a401126e4daa7b29b59c92b0fba7c4f0774eb52dd59d20758b63
  SHA512: a14072b8feaa795bfa8b6f9689d8266e0bd47e9b50bf1d9b215bbc3aedd0e8b832e711eb16fb1343cdb537bd5c0993fc1b2e81fda5e72db36ec1117fb4dfa802
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 11KB
  MD5: 4990acdd93bb4198bb05f75983db046c
  SHA1: d3631623414fc950a595e2d90af675dcd1fe9a86
  SHA256: 11a530661cd643bd8f8e41d982a30471c3467890879afde38bee012691febf72
  SHA512: 610ed27e30cd51f03afe34eed050a35a63a063152325ba8aca2a9cfbe9740a4d87d09a52eef6e184e083ee15c3bb86f199504b8bd88c7c952ff5ce37f7b74b0c
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662192103813.txt
  Filesize: 77KB
  MD5: 0cda444361d0e78ce7eaf17a79c6099a
  SHA1: 6058bc4231b4ca965f7a984504559239e732b433
  SHA256: 5917424e97b0b93aaf404a976ff5222a7098e6fa83ef1f1598f80920b94d7d44
  SHA512: 127644caf5b73d8ac350a0f6cc67e3c1feb6ab18cbecf8ec665a605edc15a39d1f6894a5122aa8e80f31e38a8501b28a21310fdd6e148b2df7c1de324880b65d
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663401899668.txt
  Filesize: 47KB
  MD5: 250646e00251ddd08dd4c948bf9ba553
  SHA1: 60b6da18f49a2d3109e80842adf6a70663fde7c9
  SHA256: 36d534a22d660e6b1267c574a0378135419154393d79de8ff919c14cb0b5050a
  SHA512: 816b324aaf25e444632a3fc633a926b3109512434abb7b1c15912573a9db5f3431adb20215d14275153ee3b7935c1bd759e8eb6dfc42d31b186875ee79b06c1e
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt
  Filesize: 74KB
  MD5: fff803db53fe7c05c929ea2eb78a17cb
  SHA1: 76c813e72b1d70ebfa167bbd6cf48b81fc32dce6
  SHA256: 38f609f10b9544c64a347688ad292264141fa724dff1e6e8752aaa2faee14a1f
  SHA512: 46f457197ab708b1aa5c1d8a29070bb4e1f116c019c918f7db8d16ba055a674a3a02e178c3cdef0da5ef1aaf8f906bee6fb04aa3220eff6dc88dece0b9e73ab0
- Filesize: 356KB
  MD5: 5ef1fdd422951c153db8c39b87e84e5d
  SHA1: a89966004343653b2d20c06b373b1390ed0450d3
  SHA256: b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e
  SHA512: 94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871
- Filesize: not recorded (the four digests below are those of zero-length input, i.e. an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e