teslacrypt | d7a54e392cc051e8fae6d26431351d405fe9836e9467bde07187a8586e0e4fbb

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
Size

356KB
MD5

7bc8e9eb9f3d874764d2658b546abb61
SHA1

40b7e79add5449ac8b11b20ddeb338437a0d17bb
SHA256

d7a54e392cc051e8fae6d26431351d405fe9836e9467bde07187a8586e0e4fbb
SHA512

2f633cfd7194a11aaa68b7d42a31e95700d908a5af4c40616427d78afd5bebf56f0a9233bcde1cd500540bf5d553e5320aed1876a42dc934d74e1de3f7a7439d
SSDEEP

6144:NOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:NFeq0F+PzcOLyWRsHA93/oswe

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+drkqp.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C8EF2CDC42644CA 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C8EF2CDC42644CA 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/C8EF2CDC42644CA If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/C8EF2CDC42644CA 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C8EF2CDC42644CA http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C8EF2CDC42644CA http://yyre45dbvn2nhbefbmh.begumvelic.at/C8EF2CDC42644CA Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/C8EF2CDC42644CA

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C8EF2CDC42644CA

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C8EF2CDC42644CA

http://yyre45dbvn2nhbefbmh.begumvelic.at/C8EF2CDC42644CA

http://xlowfznrg4wf7dli.ONION/C8EF2CDC42644CA

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	roetihrelmsp.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+drkqp.txt	roetihrelmsp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+drkqp.html	roetihrelmsp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+drkqp.txt	roetihrelmsp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+drkqp.html	roetihrelmsp.exe

Executes dropped EXE 2 IoCs

pid	Process
3580	roetihrelmsp.exe
3416	roetihrelmsp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mvdatxf = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\roetihrelmsp.exe"	roetihrelmsp.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4232 set thread context of 3940	4232	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	95
PID 3580 set thread context of 3416	3580	roetihrelmsp.exe	101

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_store.targetsize-48.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-16.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\_ReCoVeRy_+drkqp.html	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\View3d\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleAppStoreLogo.scale-100.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\256x256.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\Cavalier.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square150x150Logo.scale-100.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Content\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_ReCoVeRy_+drkqp.txt	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1949_24x24x32.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d6.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\LargeTile.scale-200.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-125.jpg	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteLargeTile.scale-125.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+drkqp.txt	roetihrelmsp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\_ReCoVeRy_+drkqp.txt	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-unplated.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-100_contrast-black.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\_ReCoVeRy_+drkqp.html	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-lightunplated.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated_contrast-white.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_ReCoVeRy_+drkqp.txt	roetihrelmsp.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-200.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-256.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-black\_ReCoVeRy_+drkqp.txt	roetihrelmsp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_ReCoVeRy_+drkqp.html	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-16_altform-unplated.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\_ReCoVeRy_+drkqp.txt	roetihrelmsp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+drkqp.html	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-125.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200_contrast-white.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-54_altform-unplated.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-125.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\_ReCoVeRy_+drkqp.txt	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-200.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-200.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+drkqp.html	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-125.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-200.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-64_altform-unplated_contrast-white.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125_contrast-white.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\fr\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\_ReCoVeRy_+drkqp.html	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\_ReCoVeRy_+drkqp.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72.png	roetihrelmsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\SmallTile.scale-200.png	roetihrelmsp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\roetihrelmsp.exe	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
File opened for modification	C:\Windows\roetihrelmsp.exe	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roetihrelmsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roetihrelmsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	roetihrelmsp.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1168	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe
3416	roetihrelmsp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
Token: SeDebugPrivilege	3416	roetihrelmsp.exe
Token: SeIncreaseQuotaPrivilege	624	WMIC.exe
Token: SeSecurityPrivilege	624	WMIC.exe
Token: SeTakeOwnershipPrivilege	624	WMIC.exe
Token: SeLoadDriverPrivilege	624	WMIC.exe
Token: SeSystemProfilePrivilege	624	WMIC.exe
Token: SeSystemtimePrivilege	624	WMIC.exe
Token: SeProfSingleProcessPrivilege	624	WMIC.exe
Token: SeIncBasePriorityPrivilege	624	WMIC.exe
Token: SeCreatePagefilePrivilege	624	WMIC.exe
Token: SeBackupPrivilege	624	WMIC.exe
Token: SeRestorePrivilege	624	WMIC.exe
Token: SeShutdownPrivilege	624	WMIC.exe
Token: SeDebugPrivilege	624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	624	WMIC.exe
Token: SeRemoteShutdownPrivilege	624	WMIC.exe
Token: SeUndockPrivilege	624	WMIC.exe
Token: SeManageVolumePrivilege	624	WMIC.exe
Token: 33	624	WMIC.exe
Token: 34	624	WMIC.exe
Token: 35	624	WMIC.exe
Token: 36	624	WMIC.exe
Token: SeIncreaseQuotaPrivilege	624	WMIC.exe
Token: SeSecurityPrivilege	624	WMIC.exe
Token: SeTakeOwnershipPrivilege	624	WMIC.exe
Token: SeLoadDriverPrivilege	624	WMIC.exe
Token: SeSystemProfilePrivilege	624	WMIC.exe
Token: SeSystemtimePrivilege	624	WMIC.exe
Token: SeProfSingleProcessPrivilege	624	WMIC.exe
Token: SeIncBasePriorityPrivilege	624	WMIC.exe
Token: SeCreatePagefilePrivilege	624	WMIC.exe
Token: SeBackupPrivilege	624	WMIC.exe
Token: SeRestorePrivilege	624	WMIC.exe
Token: SeShutdownPrivilege	624	WMIC.exe
Token: SeDebugPrivilege	624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	624	WMIC.exe
Token: SeRemoteShutdownPrivilege	624	WMIC.exe
Token: SeUndockPrivilege	624	WMIC.exe
Token: SeManageVolumePrivilege	624	WMIC.exe
Token: 33	624	WMIC.exe
Token: 34	624	WMIC.exe
Token: 35	624	WMIC.exe
Token: 36	624	WMIC.exe
Token: SeBackupPrivilege	2520	vssvc.exe
Token: SeRestorePrivilege	2520	vssvc.exe
Token: SeAuditPrivilege	2520	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4332	WMIC.exe
Token: SeSecurityPrivilege	4332	WMIC.exe
Token: SeTakeOwnershipPrivilege	4332	WMIC.exe
Token: SeLoadDriverPrivilege	4332	WMIC.exe
Token: SeSystemProfilePrivilege	4332	WMIC.exe
Token: SeSystemtimePrivilege	4332	WMIC.exe
Token: SeProfSingleProcessPrivilege	4332	WMIC.exe
Token: SeIncBasePriorityPrivilege	4332	WMIC.exe
Token: SeCreatePagefilePrivilege	4332	WMIC.exe
Token: SeBackupPrivilege	4332	WMIC.exe
Token: SeRestorePrivilege	4332	WMIC.exe
Token: SeShutdownPrivilege	4332	WMIC.exe
Token: SeDebugPrivilege	4332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4332	WMIC.exe
Token: SeRemoteShutdownPrivilege	4332	WMIC.exe
Token: SeUndockPrivilege	4332	WMIC.exe
Token: SeManageVolumePrivilege	4332	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 3940	4232	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	95
PID 4232 wrote to memory of 3940	4232	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	95
PID 4232 wrote to memory of 3940	4232	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	95
PID 4232 wrote to memory of 3940	4232	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	95
PID 4232 wrote to memory of 3940	4232	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	95
PID 4232 wrote to memory of 3940	4232	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	95
PID 4232 wrote to memory of 3940	4232	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	95
PID 4232 wrote to memory of 3940	4232	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	95
PID 4232 wrote to memory of 3940	4232	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	95
PID 4232 wrote to memory of 3940	4232	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	95
PID 3940 wrote to memory of 3580	3940	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	96
PID 3940 wrote to memory of 3580	3940	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	96
PID 3940 wrote to memory of 3580	3940	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	96
PID 3940 wrote to memory of 1824	3940	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	97
PID 3940 wrote to memory of 1824	3940	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	97
PID 3940 wrote to memory of 1824	3940	7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe	97
PID 3580 wrote to memory of 3416	3580	roetihrelmsp.exe	101
PID 3580 wrote to memory of 3416	3580	roetihrelmsp.exe	101
PID 3580 wrote to memory of 3416	3580	roetihrelmsp.exe	101
PID 3580 wrote to memory of 3416	3580	roetihrelmsp.exe	101
PID 3580 wrote to memory of 3416	3580	roetihrelmsp.exe	101
PID 3580 wrote to memory of 3416	3580	roetihrelmsp.exe	101
PID 3580 wrote to memory of 3416	3580	roetihrelmsp.exe	101
PID 3580 wrote to memory of 3416	3580	roetihrelmsp.exe	101
PID 3580 wrote to memory of 3416	3580	roetihrelmsp.exe	101
PID 3580 wrote to memory of 3416	3580	roetihrelmsp.exe	101
PID 3416 wrote to memory of 624	3416	roetihrelmsp.exe	102
PID 3416 wrote to memory of 624	3416	roetihrelmsp.exe	102
PID 3416 wrote to memory of 1168	3416	roetihrelmsp.exe	115
PID 3416 wrote to memory of 1168	3416	roetihrelmsp.exe	115
PID 3416 wrote to memory of 1168	3416	roetihrelmsp.exe	115
PID 3416 wrote to memory of 2836	3416	roetihrelmsp.exe	116
PID 3416 wrote to memory of 2836	3416	roetihrelmsp.exe	116
PID 2836 wrote to memory of 2892	2836	msedge.exe	117
PID 2836 wrote to memory of 2892	2836	msedge.exe	117
PID 3416 wrote to memory of 4332	3416	roetihrelmsp.exe	118
PID 3416 wrote to memory of 4332	3416	roetihrelmsp.exe	118
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120
PID 2836 wrote to memory of 4580	2836	msedge.exe	120

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	roetihrelmsp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	roetihrelmsp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7bc8e9eb9f3d874764d2658b546abb61_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\roetihrelmsp.exe
    C:\Windows\roetihrelmsp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\roetihrelmsp.exe
      C:\Windows\roetihrelmsp.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3416
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd784546f8,0x7ffd78454708,0x7ffd78454718
        6⤵
        
        PID:2892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8357741348386582150,13769495921937867804,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
        6⤵
        
        PID:4580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8357741348386582150,13769495921937867804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
        6⤵
        
        PID:3348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8357741348386582150,13769495921937867804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
        6⤵
        
        PID:64
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8357741348386582150,13769495921937867804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        
        PID:3756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8357741348386582150,13769495921937867804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        6⤵
        
        PID:4752
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8357741348386582150,13769495921937867804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
        6⤵
        
        PID:4028
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8357741348386582150,13769495921937867804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
        6⤵
        
        PID:1208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8357741348386582150,13769495921937867804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
        6⤵
        
        PID:2356
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8357741348386582150,13769495921937867804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
        6⤵
        
        PID:4344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8357741348386582150,13769495921937867804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
        6⤵
        
        PID:1000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8357741348386582150,13769495921937867804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
        6⤵
        
        PID:1200
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ROETIH~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\7BC8E9~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+drkqp.html

Filesize
12KB

MD5
035efefd873ccd28d301eb753de245b5

SHA1
60bc0adea3ff25644cf097579b6646d86456668b

SHA256
a8681d110043a4750c43d134415b9592375d23c69c23e0c6b9772857f24ecf02

SHA512
cf52594f20351889e056093ddb10aae2f9bf9f08347007ed41f8cfa43fce7acc8c1849a8603a6a7eb4c84a64f712ee4c903e5170b1053bbc12c42c3f480ba712

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+drkqp.png

Filesize
64KB

MD5
896b91fe277cffce3ac01cf51ada6ba5

SHA1
cc842473de125537f22df7d88bb3b695a4395f51

SHA256
4e8e42a87b4ae98cffaf166174a3aedf1ba46b9a77b3a77a0f9a81e0f471296d

SHA512
fe105041c20e9bc653249821b9d4d4aa1b3b4185f5018f88134b5bd7cb419befbc51d88e68b0cc252ac5993db1be0a5ba29b175444c56f3f6bccc5de063302f6

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+drkqp.txt

Filesize
1KB

MD5
8b41375fa36c1737b7e2576bb6314f96

SHA1
adeb2fd7d093478e4d7e8d428cf141ff3555ad89

SHA256
ff6eba61b7a0a47c2441e5cb6541db125d0cba7d73d56bb3cc79304534661edf

SHA512
8c0bc63a39a29f575cb3e1bcb4092ec5fd9008c66b7e61e49bc303d6561c34947ed7479376a83c209dcd8fc265b5595260e1be203a10ce72fff81b5cddf1bd9e

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
505ba73c3a4fb2b5a64699f5561485ef

SHA1
464208eea732b177315420035f45b0c9c860e475

SHA256
6ad605c7ed96ac0418e7ecc7f2ea458a905b22a01107c5925f154d4971479b87

SHA512
ebadae7bcb6b2bad4ced08c8a9c060139ef170b6028559b47fa5c79ec931683ce938ccb3a59899bd0053dda7def6e2ca0994a7b6293a3056af5d847b8f2bf864

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
ed59747091d3a0e9fba2ba46a0959d79

SHA1
40192a0b78ebc7b2dbe2d4907fd066170563951c

SHA256
9676611d17c793418145d41b67f5949d0edb1a1257b83df06a4bcdd75f3a40fb

SHA512
a4c527a5c9333a41e5185c968303a17e72c20bc9956e39ab39b5811e7887f613f47189498440956f1cfe7249ffa0c79a97ee4a2221b42a3a8ea4924c0bc6308b

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
7fcae428157cab629f53b76843eb28f6

SHA1
8a2a328caadd759a42127585dd8ea45e568b50b0

SHA256
556b3f02488cf2cf3c80de079990ecb1afa3603a24e44c4c385df2e466e990da

SHA512
61e6973182cdfa8ea8a505c65df7bca70e942daaa0123f6472e0d7ee03cd30724c61ef43eda669a4af8ee5cff932b850830d05c9171519c8dd67dbf3d517787d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6dc9b7a2540cc11fe5ef100a14015000

SHA1
8b5e4037c5ded4ed5861302760268645210cde4d

SHA256
6abe33cef3257d27c077862067cbbf089077e6dd8e3507fcfaee85079baab670

SHA512
291c541acdb62e37b2b7c410ed2fb070b8a1f51675548b18b2c8b61fc391766a6510c3d61465083f7b60d4b52f539c9533d2f2be80aff29de7a13b2db2a03a84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0eb58e84b419381ab744949134bf15ba

SHA1
adc43a3b6805078b54d90acbccca75a91b822036

SHA256
32b43ca26e1e634fcaaf5cc559da07b8026a64c6321153614f2a2bb91d56ec2d

SHA512
d1f1ceb187036c51867d7e0fcc7fd10e4073a9a7dec5b228d2773e584655ec1cbc3acac99f60d9308e304b13f6b5079653b1112f1bc4fc72172e711f5a25edb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
27658d9b1d297345f8b939092de28fa3

SHA1
0de4c4342261ed9afce8c55c8cd6f29aba6084dd

SHA256
1eda1bd05309aadaf2e9caf1b4b91915966715bd2245508469f9d3aa18a6950c

SHA512
8270c06a1fc7f177fe52d969598ec1908f169333b342b09f47fd140776e992e1defc9b18cf5bfa013fe6f315f0c4c98d6548a2dc76cfa18dd284d6c7fee438d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656067266351.txt

Filesize
77KB

MD5
a14805989672f35709658acb63b2645b

SHA1
3e22a3d6b48cbbbe53d5d16f1c782ee30dd91abc

SHA256
f41e29d48d567ed8d663f96e96ff36081fd35c84f0edd42ac87e6587cb7de5d5

SHA512
b49beb6561c3150d5e8c0a3f165359d766f7928d8cd81ee01f687fbd265762fbf4c9cdcd3b01bad407e86fc862f76f5525f266b74a69d612d5730f2ec122e5eb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665714398674.txt

Filesize
74KB

MD5
1b0e432a276edccf0c6d213c20bff94d

SHA1
6b77c320c57ab53418328c6d2e79375ad0a34808

SHA256
6a5fbf16e8785b5028ff74ed4379ac31fdf2cbdef372835b561637d854718503

SHA512
3bf31dc2298a441e704138f72e0d4a9e354a4c49ce52da59c33a63246c2dfdd17960c997c6ebd46760e49c6f8a3f089592c8af8c2d27a938d8bf59add69ae1e5

Download Submit
C:\Windows\roetihrelmsp.exe

Filesize
356KB

MD5
7bc8e9eb9f3d874764d2658b546abb61

SHA1
40b7e79add5449ac8b11b20ddeb338437a0d17bb

SHA256
d7a54e392cc051e8fae6d26431351d405fe9836e9467bde07187a8586e0e4fbb

SHA512
2f633cfd7194a11aaa68b7d42a31e95700d908a5af4c40616427d78afd5bebf56f0a9233bcde1cd500540bf5d553e5320aed1876a42dc934d74e1de3f7a7439d

Download Submit
memory/3416-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-10546-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-324-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-2684-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-2697-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-5339-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-10597-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-10556-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-8800-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-10547-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3416-10555-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3580-12-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3940-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3940-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3940-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3940-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3940-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4232-4-0x00000000020E0000-0x00000000020E4000-memory.dmp

Filesize
16KB

Download
memory/4232-0-0x00000000020E0000-0x00000000020E4000-memory.dmp

Filesize
16KB

Download
memory/4232-1-0x00000000020E0000-0x00000000020E4000-memory.dmp

Filesize
16KB

Download