85e3772d5502b9f5251843b3884788ab6c4d44af761900c787d36e1d5586244c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
Size

604KB
MD5

6f7abbc706baecf6e86cde729475dc7d
SHA1

00a55e2ae828f928770fdd1c59da361198fba382
SHA256

85e3772d5502b9f5251843b3884788ab6c4d44af761900c787d36e1d5586244c
SHA512

70b80ff7efeac45dc3cbaeb5b5a3b4f774dd3f61c08801fe43c5a086e8372ba199ea9f676ab3ceb9dd4d5332ebd5db79616460496632da831a51b21753f61092
SSDEEP

12288:PsEXei41jA1WnzVSxq5p1qHVXACWOEogk3pmIc5A1WnzVSxq5p1qH:PsEX341jA1wBSggHlpp3r0A1wBSggH

Score

10^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+ydevf.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://ert54nfh6hdshbw4f.nursespelk.com/995C55E8C6558A9B 2. http://kk4dshfjn45tsnkdf34fg.tatiejava.at/995C55E8C6558A9B 3. http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/995C55E8C6558A9B If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/995C55E8C6558A9B 4. Follow the instructions on the site. !!! IMPORTANT INFORMATION: !!! Your personal pages: http://ert54nfh6hdshbw4f.nursespelk.com/995C55E8C6558A9B http://kk4dshfjn45tsnkdf34fg.tatiejava.at/995C55E8C6558A9B http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/995C55E8C6558A9B !!! Your personal page Tor-Browser: fwgrhsao3aoml7ej.onion/995C55E8C6558A9B !!! Your personal identification ID: 995C55E8C6558A9B

URLs

http://ert54nfh6hdshbw4f.nursespelk.com/995C55E8C6558A9B

http://kk4dshfjn45tsnkdf34fg.tatiejava.at/995C55E8C6558A9B

http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/995C55E8C6558A9B

http://fwgrhsao3aoml7ej.onion/995C55E8C6558A9B

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

agiki.exefstkjlehu.exeboxty.exe6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	agiki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fstkjlehu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	boxty.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe

Drops startup file 6 IoCs

Processes:

fstkjlehu.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ydevf.txt	fstkjlehu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ydevf.html	fstkjlehu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ydevf.txt	fstkjlehu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ydevf.html	fstkjlehu.exe

Executes dropped EXE 4 IoCs

Processes:

fstkjlehu.exefstkjlehu.exeagiki.exeboxty.exe

pid process

1696 fstkjlehu.exe
4732 fstkjlehu.exe
1892 agiki.exe
3280 boxty.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
1696	fstkjlehu.exe
4732	fstkjlehu.exe
1892	agiki.exe
3280	boxty.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fstkjlehu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwer-sadkfgsa = "C:\\Windows\\fstkjlehu.exe"	fstkjlehu.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exefstkjlehu.exe

description	pid	process	target process
PID 2952 set thread context of 1064	2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
PID 1696 set thread context of 4732	1696	fstkjlehu.exe	fstkjlehu.exe

Drops file in Program Files directory 64 IoCs

Processes:

fstkjlehu.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-200.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-125.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-200.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\EndOfLife\Recovery+ydevf.txt	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-125.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\Recovery+ydevf.txt	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\Recovery+ydevf.txt	fstkjlehu.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\Recovery+ydevf.html	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-125.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+ydevf.html	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\MedTile.scale-100.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\Recovery+ydevf.txt	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\Recovery+ydevf.txt	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\150.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\192.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+ydevf.html	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\Recovery+ydevf.html	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\SMSConnect2x.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.scale-200.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-white\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48_altform-lightunplated.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\13.jpg	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-100.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Recovery+ydevf.html	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Recovery+ydevf.html	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\o365apps.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-80_altform-lightunplated.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Recovery+ydevf.html	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-200.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+ydevf.html	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-64_altform-unplated.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+ydevf.txt	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\7.jpg	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-200.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\THMBNAIL.PNG	fstkjlehu.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\Recovery+ydevf.txt	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\MutableBackup\Recovery+ydevf.png	fstkjlehu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\Recovery+ydevf.html	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\SmallTile.scale-125_contrast-white.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-100.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\Recovery+ydevf.html	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-60_altform-unplated.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-125.png	fstkjlehu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-125.png	fstkjlehu.exe

Drops file in Windows directory 2 IoCs

Processes:

6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\fstkjlehu.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
File created	C:\Windows\fstkjlehu.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NOTEPAD.EXEboxty.execmd.exeagiki.exe6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exefstkjlehu.execmd.exefstkjlehu.exe6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boxty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agiki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fstkjlehu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fstkjlehu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

996 vssadmin.exe
2496 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

fstkjlehu.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings fstkjlehu.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2508 NOTEPAD.EXE

pid	process
996	vssadmin.exe
2496	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fstkjlehu.exe

pid	process
2508	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fstkjlehu.exe

pid	process
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe
4732	fstkjlehu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4544 msedge.exe
4544 msedge.exe
4544 msedge.exe
4544 msedge.exe
4544 msedge.exe
4544 msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exefstkjlehu.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1064	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
Token: SeDebugPrivilege	4732	fstkjlehu.exe
Token: SeBackupPrivilege	3132	vssvc.exe
Token: SeRestorePrivilege	3132	vssvc.exe
Token: SeAuditPrivilege	3132	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exefstkjlehu.exe

pid process

2952 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
1696 fstkjlehu.exe

pid	process
2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
1696	fstkjlehu.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exefstkjlehu.exefstkjlehu.exeagiki.exemsedge.exeboxty.exe

description	pid	process	target process
PID 2952 wrote to memory of 1064	2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
PID 2952 wrote to memory of 1064	2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
PID 2952 wrote to memory of 1064	2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
PID 2952 wrote to memory of 1064	2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
PID 2952 wrote to memory of 1064	2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
PID 2952 wrote to memory of 1064	2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
PID 2952 wrote to memory of 1064	2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
PID 2952 wrote to memory of 1064	2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
PID 2952 wrote to memory of 1064	2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
PID 2952 wrote to memory of 1064	2952	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
PID 1064 wrote to memory of 1696	1064	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	fstkjlehu.exe
PID 1064 wrote to memory of 1696	1064	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	fstkjlehu.exe
PID 1064 wrote to memory of 1696	1064	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	fstkjlehu.exe
PID 1064 wrote to memory of 2508	1064	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	cmd.exe
PID 1064 wrote to memory of 2508	1064	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	cmd.exe
PID 1064 wrote to memory of 2508	1064	6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe	cmd.exe
PID 1696 wrote to memory of 4732	1696	fstkjlehu.exe	fstkjlehu.exe
PID 1696 wrote to memory of 4732	1696	fstkjlehu.exe	fstkjlehu.exe
PID 1696 wrote to memory of 4732	1696	fstkjlehu.exe	fstkjlehu.exe
PID 1696 wrote to memory of 4732	1696	fstkjlehu.exe	fstkjlehu.exe
PID 1696 wrote to memory of 4732	1696	fstkjlehu.exe	fstkjlehu.exe
PID 1696 wrote to memory of 4732	1696	fstkjlehu.exe	fstkjlehu.exe
PID 1696 wrote to memory of 4732	1696	fstkjlehu.exe	fstkjlehu.exe
PID 1696 wrote to memory of 4732	1696	fstkjlehu.exe	fstkjlehu.exe
PID 1696 wrote to memory of 4732	1696	fstkjlehu.exe	fstkjlehu.exe
PID 1696 wrote to memory of 4732	1696	fstkjlehu.exe	fstkjlehu.exe
PID 4732 wrote to memory of 1892	4732	fstkjlehu.exe	agiki.exe
PID 4732 wrote to memory of 1892	4732	fstkjlehu.exe	agiki.exe
PID 4732 wrote to memory of 1892	4732	fstkjlehu.exe	agiki.exe
PID 1892 wrote to memory of 996	1892	agiki.exe	vssadmin.exe
PID 1892 wrote to memory of 996	1892	agiki.exe	vssadmin.exe
PID 4732 wrote to memory of 2508	4732	fstkjlehu.exe	NOTEPAD.EXE
PID 4732 wrote to memory of 2508	4732	fstkjlehu.exe	NOTEPAD.EXE
PID 4732 wrote to memory of 2508	4732	fstkjlehu.exe	NOTEPAD.EXE
PID 4732 wrote to memory of 4544	4732	fstkjlehu.exe	msedge.exe
PID 4732 wrote to memory of 4544	4732	fstkjlehu.exe	msedge.exe
PID 4544 wrote to memory of 1628	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 1628	4544	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3280	4732	fstkjlehu.exe	boxty.exe
PID 4732 wrote to memory of 3280	4732	fstkjlehu.exe	boxty.exe
PID 4732 wrote to memory of 3280	4732	fstkjlehu.exe	boxty.exe
PID 3280 wrote to memory of 2496	3280	boxty.exe	vssadmin.exe
PID 3280 wrote to memory of 2496	3280	boxty.exe	vssadmin.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 4152	4544	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\fstkjlehu.exe
C:\Windows\fstkjlehu.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\fstkjlehu.exe
C:\Windows\fstkjlehu.exe
4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\Documents\agiki.exe
C:\Users\Admin\Documents\agiki.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
6⤵
- Interacts with shadow copies
PID:996

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf62946f8,0x7ffcf6294708,0x7ffcf6294718
6⤵
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
6⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
6⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
6⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
6⤵
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
6⤵
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
6⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
6⤵
PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
6⤵
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
6⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
6⤵
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
6⤵
PID:4788

C:\Users\Admin\Documents\boxty.exe
C:\Users\Admin\Documents\boxty.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
6⤵
- Interacts with shadow copies
PID:2496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FSTKJL~1.EXE
5⤵
- System Location Discovery: System Language Discovery
PID:1240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6F7ABB~1.EXE
3⤵
- System Location Discovery: System Language Discovery
PID:2508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+ydevf.html

Filesize
6KB

MD5
a5135cdaab1ad4662810a1065e378448

SHA1
186cd6d254117f6f6136fde718939df83598b334

SHA256
beeb6d2655f3264ca9ace9c8be3f2240be518a5b8486bfedefa53668dffd13e9

SHA512
66321b51db03337bb9b7a323611f8bbd1598bde1abd427f5aa6ec64805521a79f904a6436eab251fba864eec7d6ad20f4474cb02313c24249a3d5ef7d7b860e7

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+ydevf.png

Filesize
66KB

MD5
5a3bd6a95968fc67b817d97aaa2c3568

SHA1
059da845adba1f742e903d6ca6f245316c4bfa85

SHA256
6b14ff9c06cfa60adf630a58238405df89f8bd321badec439dfb796ee0f5726c

SHA512
0cd1e55c1c9b6eb7808def08db7b00a6e3eee2515ef5ba63dd5953f2aa8266d2ab0e4c91984e121a6603f6ebbbe4c78249b7aad0a61050b2151014e329949fcf

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+ydevf.txt

Filesize
2KB

MD5
a17905b316cf4c189eeec7291dc31233

SHA1
ed1c37bd45b703deb611038a0ddfe1534884dac0

SHA256
21b6caa7870b7d71c522abe86f9dd1b74dec07e729d001fb5dae7cba0bf9ebdd

SHA512
6e61c6037380dd67a789ea1fe63a2a058f291637e89a9065401157da1d146d79e7ba9ef6bba5ad5c9278550cbacbeb79822ad0956f5e3d35ca70ad437cde5868

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
7d01d6562bcfb46b0fd1b71c73c0b436

SHA1
ba7f7f08b2961fa490345fe493040b6dfa2afb13

SHA256
4efdc4e23ecafa49e97a4119323d3c476c2768b41f1b771fe87dd443dc442bbb

SHA512
a7cf27007263e0dcefc584b81b87dd51f36c4c1169a2aec2d9611af82b4b0c7ecf7f0b653612f58442e41f85a275e5cecafd2772a07963b0f5c8d87095bd5420

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
50de89f8c33c8cef061aa04357b6fc09

SHA1
dc393527053b7ba9877c98c9ad9850523cdacff9

SHA256
ecf524863c81e1a1ba4a53a76e87c3ce0b5e8cff3067a16081e5878f5d6472f6

SHA512
9e752b5e4571e959a1c8c8aa6fc8b3be76fcc7761cb48302bd5ea7a83934172c69dd0ce9bb1c423c4d70d664156e98aea4775605e82c8966ec0357cedbabe9bd

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
f84c3ea2ff3bba758989b39835b8241c

SHA1
893a69a3ed6a4ab6ed8d725ed2eafec7a02ad2cc

SHA256
0c7b7d43b9dcad70caf2a88dfab67fced85040c4afd922993ba2738b8974eb2d

SHA512
9b5aebcb82145c82dc5470ff04c7d92e799602b42f51fb6db0ce62abd7a19694e03402463a9a125c865d9ed4674879ff212a6eb1197e748ca45612db2cc797f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ccd75200115b336720aaf6c209e4d6b

SHA1
3cb0219ed7fbc93a828b22d805fbbdd17f71f339

SHA256
b6fc82ea6cb4d87c763194c5822181b90ff64d2e3f5b307ad057adcb12c26d8c

SHA512
b5ab7d802346d5d0987bc3894bee9aa100a50a3660c2a0b841de654d72132e2b55ebaab4210aaf53e3ae0f02e8776b301bfcb6ab34ef12dfdbca45812b99e4e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2058a2cb925d125dbfbf11e956caee5d

SHA1
e24bc3012b4ae9c18a295a761c820aad96f24951

SHA256
a34965d59c99632dd0d6fb5d88ec82a572ddccebd87f271c7203409c8fffa4d1

SHA512
3f26ab77c1b966a61f54c10bb25c663ab06b418a6ceffe2f77253dfa0c1b9db1a7ffed554882f60ca6298f4e808b61199d7bbbda2bbca5b37ecf33ae0adbdaf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
44c12630bc72ff08fc5c6d2837b4c3b9

SHA1
b5b6d146d805ad5b016283385d39338fcc8e67a6

SHA256
e072f47d389bc239637e983d564910528a9ef92d89375779e0f9d3debfab2b13

SHA512
748f46ee9b4e42e97eb6b3b6c8e4fd9f7bd0540c10bb944457f4a364098c897d46707f22f200e3f13fa17bf74e7c3e6b5baf2986585a6eb55b8cf9f96c618d9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656067266351.txt

Filesize
77KB

MD5
b4940fb093834fb75a71cec2077ad3a3

SHA1
200e94e37b594d130057508e28d8c54985ee680f

SHA256
6bcb8227516e8c115a20d928d798df2f209241dc804c4f1db4a99fc83e5992df

SHA512
aeb4349cfd06ef92352dc9519fda49f7c23ec86903d8dd0dca78eaf9d93a201b3860d3271de05db0c1a54bce7292bb9e47815fbd1e638cb05bc052c1c052e110

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665714398674.txt

Filesize
74KB

MD5
b8f32bdfbebd814976ce05a2d0753c55

SHA1
c4ff36ac9565b2a07133d37b9aa93663f6ed1294

SHA256
818d4f4193d1efb091ce7acb37ff8463004ae8e6d1826bde390db7ab349ce659

SHA512
90e01cc8ce0f50432b4aa87031ffc866e61c2bb8156665c0750d2e82c141ff576c2e458b3e6f6f7dafb4d51854255dd40c1284ecce6d5846503e2e1f9295b221

Download Submit
C:\Users\Admin\Documents\agiki.exe

Filesize
4KB

MD5
307074acffa41e69ae7449338accbac4

SHA1
d880915f78361db3b15ff18b0d3239a5d2a6a997

SHA256
a5d3ed693c85298bd8f1c116bb16f78e032364143c76da2e22b3d0de29182380

SHA512
aba5ffe7ec7342ba381927d3ff995f339b1837faab30e0fe48ed38b2da636b4e38b969a23c1c87271e54862522098775cb2f695c22a42b7a81d7f4e88fefa426

Download Submit
C:\Windows\fstkjlehu.exe

Filesize
604KB

MD5
6f7abbc706baecf6e86cde729475dc7d

SHA1
00a55e2ae828f928770fdd1c59da361198fba382

SHA256
85e3772d5502b9f5251843b3884788ab6c4d44af761900c787d36e1d5586244c

SHA512
70b80ff7efeac45dc3cbaeb5b5a3b4f774dd3f61c08801fe43c5a086e8372ba199ea9f676ab3ceb9dd4d5332ebd5db79616460496632da831a51b21753f61092

Download Submit
\??\pipe\LOCAL\crashpad_4544_MMWPJAQTEBJDOVMD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1064-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1064-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1064-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1064-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1064-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1696-12-0x0000000000400000-0x000000000078B000-memory.dmp

Filesize
3.5MB

Download
memory/1696-20-0x0000000000400000-0x000000000078B000-memory.dmp

Filesize
3.5MB

Download
memory/2952-6-0x0000000000950000-0x0000000000953000-memory.dmp

Filesize
12KB

Download
memory/2952-0-0x0000000000950000-0x0000000000953000-memory.dmp

Filesize
12KB

Download
memory/2952-1-0x0000000000950000-0x0000000000953000-memory.dmp

Filesize
12KB

Download
memory/4732-651-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-7722-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-4638-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-10298-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-10594-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-10595-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-2221-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-2208-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-29-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-27-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-10644-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-10648-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4732-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download