teslacrypt | 3503e011b2844b6eb3f18b3a7c0965ff07171ac6af2488fcf03c0e69d95cd066

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
Size

368KB
MD5

627ec4f42d9649bc8309d87f03d1c288
SHA1

6cd845e8de2c2197cbab48f94eea823f88b0efd9
SHA256

3503e011b2844b6eb3f18b3a7c0965ff07171ac6af2488fcf03c0e69d95cd066
SHA512

62899ac229fbfff6cd6ace9610b6d6dc027cc32ffe5b7b2c08fb3445815e134caec32047e0a5129118675f22b32aed516fc877b33c90da98261eb44f119a74bd
SSDEEP

6144:e680E92oeOE4G63VEuFwm+DDrhd3wbYqaUq/JyKSmi97Msg4piwbBS9lkw86C:e68PIHt6DObD5dmYqarImi9jB4SBylkN

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qslsi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9EDE72101E9A8FED 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9EDE72101E9A8FED 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/9EDE72101E9A8FED If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/9EDE72101E9A8FED 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9EDE72101E9A8FED http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9EDE72101E9A8FED http://yyre45dbvn2nhbefbmh.begumvelic.at/9EDE72101E9A8FED Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/9EDE72101E9A8FED

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9EDE72101E9A8FED

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9EDE72101E9A8FED

http://yyre45dbvn2nhbefbmh.begumvelic.at/9EDE72101E9A8FED

http://xlowfznrg4wf7dli.ONION/9EDE72101E9A8FED

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (874) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	nsubluwdsing.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qslsi.txt	nsubluwdsing.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qslsi.html	nsubluwdsing.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+qslsi.txt	nsubluwdsing.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+qslsi.html	nsubluwdsing.exe

Executes dropped EXE 2 IoCs

pid	Process
3596	nsubluwdsing.exe
2180	nsubluwdsing.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vycdmnq = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\nsubluwdsing.exe"	nsubluwdsing.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 800	2352	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	99
PID 3596 set thread context of 2180	3596	nsubluwdsing.exe	105

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\caller-id-illustration.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\_ReCoVeRy_+qslsi.txt	nsubluwdsing.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_ReCoVeRy_+qslsi.html	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-black_scale-125.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch.scale-100.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+qslsi.html	nsubluwdsing.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.AdomdClient\13.0.0.0__89845DCD8080CC91\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-125_contrast-white.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+qslsi.txt	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_contrast-white.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\splashscreen.scale-125.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\script\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48_altform-lightunplated.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-125.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\LargeTile.scale-100_contrast-black.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_contrast-black.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_AppList.scale-100.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\_ReCoVeRy_+qslsi.html	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+qslsi.txt	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\_ReCoVeRy_+qslsi.txt	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileWide.scale-200.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-48.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\_ReCoVeRy_+qslsi.txt	nsubluwdsing.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-125_contrast-black.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-400_contrast-white.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsStoreLogo.scale-100.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-125.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_ReCoVeRy_+qslsi.txt	nsubluwdsing.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OutlookAccount.scale-100.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-150.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\_ReCoVeRy_+qslsi.html	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\_ReCoVeRy_+qslsi.html	nsubluwdsing.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Velocity\_ReCoVeRy_+qslsi.html	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\2.jpg	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-200_contrast-black.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SmallTile.scale-125_contrast-white.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125_contrast-white.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\[email protected]	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-250.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-30_contrast-white.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+qslsi.txt	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-100.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\_ReCoVeRy_+qslsi.txt	nsubluwdsing.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\_ReCoVeRy_+qslsi.png	nsubluwdsing.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\_ReCoVeRy_+qslsi.txt	nsubluwdsing.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\nsubluwdsing.exe	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
File created	C:\Windows\nsubluwdsing.exe	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsubluwdsing.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsubluwdsing.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	nsubluwdsing.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4632	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe
2180	nsubluwdsing.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	800	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
Token: SeDebugPrivilege	2180	nsubluwdsing.exe
Token: SeIncreaseQuotaPrivilege	1336	WMIC.exe
Token: SeSecurityPrivilege	1336	WMIC.exe
Token: SeTakeOwnershipPrivilege	1336	WMIC.exe
Token: SeLoadDriverPrivilege	1336	WMIC.exe
Token: SeSystemProfilePrivilege	1336	WMIC.exe
Token: SeSystemtimePrivilege	1336	WMIC.exe
Token: SeProfSingleProcessPrivilege	1336	WMIC.exe
Token: SeIncBasePriorityPrivilege	1336	WMIC.exe
Token: SeCreatePagefilePrivilege	1336	WMIC.exe
Token: SeBackupPrivilege	1336	WMIC.exe
Token: SeRestorePrivilege	1336	WMIC.exe
Token: SeShutdownPrivilege	1336	WMIC.exe
Token: SeDebugPrivilege	1336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1336	WMIC.exe
Token: SeRemoteShutdownPrivilege	1336	WMIC.exe
Token: SeUndockPrivilege	1336	WMIC.exe
Token: SeManageVolumePrivilege	1336	WMIC.exe
Token: 33	1336	WMIC.exe
Token: 34	1336	WMIC.exe
Token: 35	1336	WMIC.exe
Token: 36	1336	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1336	WMIC.exe
Token: SeSecurityPrivilege	1336	WMIC.exe
Token: SeTakeOwnershipPrivilege	1336	WMIC.exe
Token: SeLoadDriverPrivilege	1336	WMIC.exe
Token: SeSystemProfilePrivilege	1336	WMIC.exe
Token: SeSystemtimePrivilege	1336	WMIC.exe
Token: SeProfSingleProcessPrivilege	1336	WMIC.exe
Token: SeIncBasePriorityPrivilege	1336	WMIC.exe
Token: SeCreatePagefilePrivilege	1336	WMIC.exe
Token: SeBackupPrivilege	1336	WMIC.exe
Token: SeRestorePrivilege	1336	WMIC.exe
Token: SeShutdownPrivilege	1336	WMIC.exe
Token: SeDebugPrivilege	1336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1336	WMIC.exe
Token: SeRemoteShutdownPrivilege	1336	WMIC.exe
Token: SeUndockPrivilege	1336	WMIC.exe
Token: SeManageVolumePrivilege	1336	WMIC.exe
Token: 33	1336	WMIC.exe
Token: 34	1336	WMIC.exe
Token: 35	1336	WMIC.exe
Token: 36	1336	WMIC.exe
Token: SeBackupPrivilege	3804	vssvc.exe
Token: SeRestorePrivilege	3804	vssvc.exe
Token: SeAuditPrivilege	3804	vssvc.exe
Token: SeIncreaseQuotaPrivilege	216	WMIC.exe
Token: SeSecurityPrivilege	216	WMIC.exe
Token: SeTakeOwnershipPrivilege	216	WMIC.exe
Token: SeLoadDriverPrivilege	216	WMIC.exe
Token: SeSystemProfilePrivilege	216	WMIC.exe
Token: SeSystemtimePrivilege	216	WMIC.exe
Token: SeProfSingleProcessPrivilege	216	WMIC.exe
Token: SeIncBasePriorityPrivilege	216	WMIC.exe
Token: SeCreatePagefilePrivilege	216	WMIC.exe
Token: SeBackupPrivilege	216	WMIC.exe
Token: SeRestorePrivilege	216	WMIC.exe
Token: SeShutdownPrivilege	216	WMIC.exe
Token: SeDebugPrivilege	216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	216	WMIC.exe
Token: SeRemoteShutdownPrivilege	216	WMIC.exe
Token: SeUndockPrivilege	216	WMIC.exe
Token: SeManageVolumePrivilege	216	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 800	2352	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	99
PID 2352 wrote to memory of 800	2352	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	99
PID 2352 wrote to memory of 800	2352	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	99
PID 2352 wrote to memory of 800	2352	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	99
PID 2352 wrote to memory of 800	2352	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	99
PID 2352 wrote to memory of 800	2352	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	99
PID 2352 wrote to memory of 800	2352	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	99
PID 2352 wrote to memory of 800	2352	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	99
PID 2352 wrote to memory of 800	2352	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	99
PID 2352 wrote to memory of 800	2352	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	99
PID 800 wrote to memory of 3596	800	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	100
PID 800 wrote to memory of 3596	800	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	100
PID 800 wrote to memory of 3596	800	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	100
PID 800 wrote to memory of 3816	800	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	101
PID 800 wrote to memory of 3816	800	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	101
PID 800 wrote to memory of 3816	800	627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe	101
PID 3596 wrote to memory of 2180	3596	nsubluwdsing.exe	105
PID 3596 wrote to memory of 2180	3596	nsubluwdsing.exe	105
PID 3596 wrote to memory of 2180	3596	nsubluwdsing.exe	105
PID 3596 wrote to memory of 2180	3596	nsubluwdsing.exe	105
PID 3596 wrote to memory of 2180	3596	nsubluwdsing.exe	105
PID 3596 wrote to memory of 2180	3596	nsubluwdsing.exe	105
PID 3596 wrote to memory of 2180	3596	nsubluwdsing.exe	105
PID 3596 wrote to memory of 2180	3596	nsubluwdsing.exe	105
PID 3596 wrote to memory of 2180	3596	nsubluwdsing.exe	105
PID 3596 wrote to memory of 2180	3596	nsubluwdsing.exe	105
PID 2180 wrote to memory of 1336	2180	nsubluwdsing.exe	106
PID 2180 wrote to memory of 1336	2180	nsubluwdsing.exe	106
PID 2180 wrote to memory of 4632	2180	nsubluwdsing.exe	123
PID 2180 wrote to memory of 4632	2180	nsubluwdsing.exe	123
PID 2180 wrote to memory of 4632	2180	nsubluwdsing.exe	123
PID 2180 wrote to memory of 3968	2180	nsubluwdsing.exe	124
PID 2180 wrote to memory of 3968	2180	nsubluwdsing.exe	124
PID 3968 wrote to memory of 2232	3968	msedge.exe	125
PID 3968 wrote to memory of 2232	3968	msedge.exe	125
PID 2180 wrote to memory of 216	2180	nsubluwdsing.exe	126
PID 2180 wrote to memory of 216	2180	nsubluwdsing.exe	126
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128
PID 3968 wrote to memory of 3100	3968	msedge.exe	128

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nsubluwdsing.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	nsubluwdsing.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\627ec4f42d9649bc8309d87f03d1c288_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\nsubluwdsing.exe
    C:\Windows\nsubluwdsing.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\nsubluwdsing.exe
      C:\Windows\nsubluwdsing.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2180
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:4632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffccf9a46f8,0x7ffccf9a4708,0x7ffccf9a4718
        6⤵
        
        PID:2232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12203515265197867232,9849806607737222433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        6⤵
        
        PID:3100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,12203515265197867232,9849806607737222433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        6⤵
        
        PID:2484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,12203515265197867232,9849806607737222433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
        6⤵
        
        PID:2432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12203515265197867232,9849806607737222433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
        6⤵
        
        PID:3196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12203515265197867232,9849806607737222433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        6⤵
        
        PID:3916
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12203515265197867232,9849806607737222433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
        6⤵
        
        PID:2164
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12203515265197867232,9849806607737222433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
        6⤵
        
        PID:4484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12203515265197867232,9849806607737222433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
        6⤵
        
        PID:1544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12203515265197867232,9849806607737222433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
        6⤵
        
        PID:1912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12203515265197867232,9849806607737222433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
        6⤵
        
        PID:3428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12203515265197867232,9849806607737222433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
        6⤵
        
        PID:616
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NSUBLU~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\627EC4~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qslsi.html

Filesize
12KB

MD5
40cdfac8647d712923999bc08aabc68e

SHA1
e32c8ae38ecc8e176febf8e248865672312abda6

SHA256
f01b3df0536cd3cba6e4c14dbc18689007790ad6906c58afa285edcf5326cfcb

SHA512
3609a12dea5e9de56ced47ee9cad7c3bdbbe06f7bbe391356e98dbeb2f850f6901596e38789eed0137bac22b2abbf77c36ed3198cdf3fbd18e92a890b5add913

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qslsi.png

Filesize
65KB

MD5
c97cb439965944d36a24366bd21c7889

SHA1
386dbaf0f40b65ee7ae347a64e3ee328b3e1db9a

SHA256
9f410c98c9757c1c24ea0c97e30fbf292232f142b3ebedb67ed7f42f00da71c8

SHA512
23069347f2db50cea78e14c146fcc8fef1bc5f6e210d54e767ffd98eb8587bcfd66e56042ea3af9943cc3e0442cf44151278ea16ed44db0a754b5e1596b0618d

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+qslsi.txt

Filesize
1KB

MD5
dc62153ec3b9ed4b24821470ae3fa54f

SHA1
efe9cfe46b669bf0ee39b0334f6ee07f87bf0210

SHA256
d9390bc5b5e76c99418fdfb2626f7f24b4cc49ad1b81111c93c916306e608d4f

SHA512
8d6021f3464040c70a86d637fdac8901201b67be45f0654c3579c97ef6527001cc0dca2490de5cf2a84fc0fcfc514e94b46877dc78d572e9eb851a6f3c5eeb26

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
7f51ced450b1bda71d66af217bafe8f8

SHA1
cbfb9346aea8c884c2d6d1a12220f86430e113c2

SHA256
e19fd6170e2d3d46f47a67a593422e742cf4d0db2145b870df094866489f3380

SHA512
24c9d16874664ad55c03757fe5ad21db7fdf01b16e759f590c0999c275a4b2561f155d1f4fe331293897f4c9731eb5348433cd480152140e0a2b7cee8b59e769

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
3397f5c74b1ba0ef553f5f89ecb74d82

SHA1
cdb07bd38174649a3e36cc1d22442a342f89eb06

SHA256
c6b4d3c7805ead7ad111c1b62e6bb5cdd6063bad297df8185313def455274f13

SHA512
a67f9ff920c6969f210f016276c6b22da7d519edc455ce0ce5d4d8f04611d393bc8378f1c8c38f5389b6f3355bf6b27a6ed64125ff138d6077b10f679694b721

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
61082df67f6af44635624c8dd81dd690

SHA1
ec99ae27a6a5e3bf95660ee33ceaa2c308d425ac

SHA256
ceb3ef7dd00b29b890a9503b4c4a5a1b72035b8e580d3d9cbac1660091d1c6e0

SHA512
255b1a69a1e13514d8f7227181c4d56b6a0cf9f7702d60a388c551ddd687b286b44ae5e6595b79a64bddef05b18df918b89a900e4003cbab3fb089704542d08d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7fcde6dc-61f7-43ed-9a01-4ef92370e658.tmp

Filesize
6KB

MD5
03cd1adb11b0d8fa1f8e432d4bf10c15

SHA1
e8e366a5164e7bac4c5fa3536d60bd548c028e4a

SHA256
54604a11f4dc159deabf3c96a43a28fab2cdaf1185cf3e9bb61d93a0bf4baac2

SHA512
636cc12355033eb333b3836d0cdbf62febe41f6fc7448114b434e7fc7ddb5563fee12800f134857e9658b66599921b556480f94f880a6decc72af302c7fad46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac359679fcc2cd010fadbd7e87f9caca

SHA1
10aeae11730ff5d0dc2c5235e863e1a6fdad3fd4

SHA256
42ef68467daca10f8f8a02f644846a474dc7f6d37f17528beeb5b68246d9d668

SHA512
f1774972be488b60595ab33a16f7c71f751f2b3e260e1ab24d2e7775ca3012af62bf3cd78f575ce1084764478d3db8c98f6c2c3b10e0bddeed99f68c2799f4f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ad977c6319ab96b1e103961542389be8

SHA1
bc4bec16de9c18189bc32635998fe23cc189bb13

SHA256
6072f910aaa40aff379589715d48b05712badaaa8f6b16836393307236f29f5d

SHA512
fce139144b093cb7140cbbabdc2713fb4dbf8d40f4beef62728ce135aedecb840812359097ba7ef9a0d817b81bb848191ea803c850f89f52cb86156f5fd39ab6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662192103813.txt

Filesize
77KB

MD5
1da30577aefe210b93dc5cc6b6fa6086

SHA1
05a0b7c6bcf803d41ceeddea014321ade92dace3

SHA256
60a7541f6b833a5c5f8510974a154e9062059eae1b3fa77ffe81679b26854960

SHA512
fae81fbc357044f3e535cb6feaa87768451c1c23e61d54cc8961a52d662c4d2ba0c918bd491eeb1ba4abb6f1926324869276aa5538134e09a4f878f98a204c54

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663401899668.txt

Filesize
47KB

MD5
2db77f294c995537828c56eeb363b904

SHA1
97432b9330610ac2f43ddf84aa4ec3665fa8df78

SHA256
ccf13821e315bbca8b25606f234f32c008c39e1f2059ceaf2d6ce87e4d9fee48

SHA512
6d7d1177eb060d6c1a334d26f11af602be8f519916506439ce4373c53708b4bbec6ac0bd597670e569633c11d8f698f7a52788b2775f8b2dc2a1e0b8c121d768

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt

Filesize
74KB

MD5
65a46a398304cda2287ee901f5422d2d

SHA1
da3f0955b28cdd83916afcabdc8f42c77966ba30

SHA256
35b20ce7623444727c19d2af7e77139a70c61117ab1d19ae84e724964c2b3b61

SHA512
88931e0138e2894fdd8eab550b01d31a33cb2ef00040863d9d54e9ebd0f560251f2305eda48a0ef0db2c389c87f9fe0c7652dc441cf895fe8140853fa4e26a68

Download Submit
C:\Windows\nsubluwdsing.exe

Filesize
368KB

MD5
627ec4f42d9649bc8309d87f03d1c288

SHA1
6cd845e8de2c2197cbab48f94eea823f88b0efd9

SHA256
3503e011b2844b6eb3f18b3a7c0965ff07171ac6af2488fcf03c0e69d95cd066

SHA512
62899ac229fbfff6cd6ace9610b6d6dc027cc32ffe5b7b2c08fb3445815e134caec32047e0a5129118675f22b32aed516fc877b33c90da98261eb44f119a74bd

Download Submit
memory/800-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/800-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/800-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/800-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/800-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-10540-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-2809-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-5734-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-369-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-9216-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-10539-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-2808-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-10548-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-10549-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2180-10588-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2352-0-0x0000000000650000-0x0000000000655000-memory.dmp

Filesize
20KB

Download
memory/2352-4-0x0000000000650000-0x0000000000655000-memory.dmp

Filesize
20KB

Download
memory/2352-1-0x0000000000650000-0x0000000000655000-memory.dmp

Filesize
20KB

Download
memory/3596-12-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download