teslacrypt | d898a79292edb0059156844e559cf65ab68819786b1d344dec42993851751740

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
Size

396KB
MD5

8c23e7c480280c24c6b34c9c9bafc05d
SHA1

de75bf5f2115fb3399d2c94966218f91dd9c2362
SHA256

d898a79292edb0059156844e559cf65ab68819786b1d344dec42993851751740
SHA512

04a631fbd1a3aca23956e316716375a77328471025f8391971aa33315ad8245419231f3b9b95229b1999c24c240ae97436ba9fcc3216d1a5b63ff75de9e9edf5
SSDEEP

6144:4T3WR0F1lDPR+bJnm/jtowhxZWVrfQwBcTMMG26uw6fyQ7Q:4T3MA+bJmy4ZKfQRMh6

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+abjfu.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BB72C570B0A63F5C 2. http://kkd47eh4hdjshb5t.angortra.at/BB72C570B0A63F5C 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/BB72C570B0A63F5C If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/BB72C570B0A63F5C 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BB72C570B0A63F5C http://kkd47eh4hdjshb5t.angortra.at/BB72C570B0A63F5C http://ytrest84y5i456hghadefdsd.pontogrot.com/BB72C570B0A63F5C *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/BB72C570B0A63F5C

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BB72C570B0A63F5C

http://kkd47eh4hdjshb5t.angortra.at/BB72C570B0A63F5C

http://ytrest84y5i456hghadefdsd.pontogrot.com/BB72C570B0A63F5C

http://xlowfznrg4wf7dli.ONION/BB72C570B0A63F5C

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (877) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exerumkvbjwjfwt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	rumkvbjwjfwt.exe

Drops startup file 6 IoCs

Processes:

rumkvbjwjfwt.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+abjfu.png	rumkvbjwjfwt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+abjfu.png	rumkvbjwjfwt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+abjfu.txt	rumkvbjwjfwt.exe

Executes dropped EXE 2 IoCs

Processes:

rumkvbjwjfwt.exerumkvbjwjfwt.exe

pid process

4604 rumkvbjwjfwt.exe
2124 rumkvbjwjfwt.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
4604	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rumkvbjwjfwt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\awcesemjpifk = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\rumkvbjwjfwt.exe\""	rumkvbjwjfwt.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exerumkvbjwjfwt.exe

description	pid	process	target process
PID 1848 set thread context of 5016	1848	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
PID 4604 set thread context of 2124	4604	rumkvbjwjfwt.exe	rumkvbjwjfwt.exe

Drops file in Program Files directory 64 IoCs

Processes:

rumkvbjwjfwt.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-100.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\dictation\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-white_scale-100.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-100.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-200.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlMiddleCircle.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-unplated.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-125.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\THMBNAIL.PNG	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-100.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-100.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-80.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\Recovery+abjfu.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated_contrast-black.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-150.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+abjfu.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\Recovery+abjfu.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Recovery+abjfu.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-300.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\WideTile.scale-200.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_contrast-white.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\HoloAssets\HoloLens_HeadTracking.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Recovery+abjfu.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\SearchPlaceholder-light.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\HoloTileAssets\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\Recovery+abjfu.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-72_altform-unplated.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\FetchingMail.scale-200.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-256_altform-unplated_contrast-black.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\x86\Recovery+abjfu.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Recovery+abjfu.txt	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\AddStroke_Illustration.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\Recovery+abjfu.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-32_contrast-black.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-256.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+abjfu.png	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\Recovery+abjfu.html	rumkvbjwjfwt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\Recovery+abjfu.png	rumkvbjwjfwt.exe

Drops file in Windows directory 2 IoCs

Processes:

8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\rumkvbjwjfwt.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
File created	C:\Windows\rumkvbjwjfwt.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exerumkvbjwjfwt.execmd.exerumkvbjwjfwt.exeNOTEPAD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rumkvbjwjfwt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rumkvbjwjfwt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

rumkvbjwjfwt.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings rumkvbjwjfwt.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1848 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	rumkvbjwjfwt.exe

pid	process
1848	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rumkvbjwjfwt.exe

pid	process
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe
2124	rumkvbjwjfwt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2336 msedge.exe
2336 msedge.exe
2336 msedge.exe
2336 msedge.exe
2336 msedge.exe
2336 msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exerumkvbjwjfwt.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	5016	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
Token: SeDebugPrivilege	2124	rumkvbjwjfwt.exe
Token: SeIncreaseQuotaPrivilege	4348	WMIC.exe
Token: SeSecurityPrivilege	4348	WMIC.exe
Token: SeTakeOwnershipPrivilege	4348	WMIC.exe
Token: SeLoadDriverPrivilege	4348	WMIC.exe
Token: SeSystemProfilePrivilege	4348	WMIC.exe
Token: SeSystemtimePrivilege	4348	WMIC.exe
Token: SeProfSingleProcessPrivilege	4348	WMIC.exe
Token: SeIncBasePriorityPrivilege	4348	WMIC.exe
Token: SeCreatePagefilePrivilege	4348	WMIC.exe
Token: SeBackupPrivilege	4348	WMIC.exe
Token: SeRestorePrivilege	4348	WMIC.exe
Token: SeShutdownPrivilege	4348	WMIC.exe
Token: SeDebugPrivilege	4348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4348	WMIC.exe
Token: SeRemoteShutdownPrivilege	4348	WMIC.exe
Token: SeUndockPrivilege	4348	WMIC.exe
Token: SeManageVolumePrivilege	4348	WMIC.exe
Token: 33	4348	WMIC.exe
Token: 34	4348	WMIC.exe
Token: 35	4348	WMIC.exe
Token: 36	4348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe
Token: SeSecurityPrivilege	4064	WMIC.exe
Token: SeTakeOwnershipPrivilege	4064	WMIC.exe
Token: SeLoadDriverPrivilege	4064	WMIC.exe
Token: SeSystemProfilePrivilege	4064	WMIC.exe
Token: SeSystemtimePrivilege	4064	WMIC.exe
Token: SeProfSingleProcessPrivilege	4064	WMIC.exe
Token: SeIncBasePriorityPrivilege	4064	WMIC.exe
Token: SeCreatePagefilePrivilege	4064	WMIC.exe
Token: SeBackupPrivilege	4064	WMIC.exe
Token: SeRestorePrivilege	4064	WMIC.exe
Token: SeShutdownPrivilege	4064	WMIC.exe
Token: SeDebugPrivilege	4064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4064	WMIC.exe
Token: SeRemoteShutdownPrivilege	4064	WMIC.exe
Token: SeUndockPrivilege	4064	WMIC.exe
Token: SeManageVolumePrivilege	4064	WMIC.exe
Token: 33	4064	WMIC.exe
Token: 34	4064	WMIC.exe
Token: 35	4064	WMIC.exe
Token: 36	4064	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exerumkvbjwjfwt.exerumkvbjwjfwt.exemsedge.exe

description	pid	process	target process
PID 1848 wrote to memory of 5016	1848	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
PID 1848 wrote to memory of 5016	1848	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
PID 1848 wrote to memory of 5016	1848	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
PID 1848 wrote to memory of 5016	1848	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
PID 1848 wrote to memory of 5016	1848	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
PID 1848 wrote to memory of 5016	1848	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
PID 1848 wrote to memory of 5016	1848	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
PID 1848 wrote to memory of 5016	1848	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
PID 1848 wrote to memory of 5016	1848	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
PID 1848 wrote to memory of 5016	1848	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
PID 5016 wrote to memory of 4604	5016	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	rumkvbjwjfwt.exe
PID 5016 wrote to memory of 4604	5016	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	rumkvbjwjfwt.exe
PID 5016 wrote to memory of 4604	5016	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	rumkvbjwjfwt.exe
PID 5016 wrote to memory of 1512	5016	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	cmd.exe
PID 5016 wrote to memory of 1512	5016	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	cmd.exe
PID 5016 wrote to memory of 1512	5016	8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe	cmd.exe
PID 4604 wrote to memory of 2124	4604	rumkvbjwjfwt.exe	rumkvbjwjfwt.exe
PID 4604 wrote to memory of 2124	4604	rumkvbjwjfwt.exe	rumkvbjwjfwt.exe
PID 4604 wrote to memory of 2124	4604	rumkvbjwjfwt.exe	rumkvbjwjfwt.exe
PID 4604 wrote to memory of 2124	4604	rumkvbjwjfwt.exe	rumkvbjwjfwt.exe
PID 4604 wrote to memory of 2124	4604	rumkvbjwjfwt.exe	rumkvbjwjfwt.exe
PID 4604 wrote to memory of 2124	4604	rumkvbjwjfwt.exe	rumkvbjwjfwt.exe
PID 4604 wrote to memory of 2124	4604	rumkvbjwjfwt.exe	rumkvbjwjfwt.exe
PID 4604 wrote to memory of 2124	4604	rumkvbjwjfwt.exe	rumkvbjwjfwt.exe
PID 4604 wrote to memory of 2124	4604	rumkvbjwjfwt.exe	rumkvbjwjfwt.exe
PID 4604 wrote to memory of 2124	4604	rumkvbjwjfwt.exe	rumkvbjwjfwt.exe
PID 2124 wrote to memory of 4348	2124	rumkvbjwjfwt.exe	WMIC.exe
PID 2124 wrote to memory of 4348	2124	rumkvbjwjfwt.exe	WMIC.exe
PID 2124 wrote to memory of 1848	2124	rumkvbjwjfwt.exe	NOTEPAD.EXE
PID 2124 wrote to memory of 1848	2124	rumkvbjwjfwt.exe	NOTEPAD.EXE
PID 2124 wrote to memory of 1848	2124	rumkvbjwjfwt.exe	NOTEPAD.EXE
PID 2124 wrote to memory of 2336	2124	rumkvbjwjfwt.exe	msedge.exe
PID 2124 wrote to memory of 2336	2124	rumkvbjwjfwt.exe	msedge.exe
PID 2336 wrote to memory of 3900	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 3900	2336	msedge.exe	msedge.exe
PID 2124 wrote to memory of 4064	2124	rumkvbjwjfwt.exe	WMIC.exe
PID 2124 wrote to memory of 4064	2124	rumkvbjwjfwt.exe	WMIC.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe
PID 2336 wrote to memory of 2964	2336	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

rumkvbjwjfwt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	rumkvbjwjfwt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	rumkvbjwjfwt.exe

C:\Users\Admin\AppData\Local\Temp\8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c23e7c480280c24c6b34c9c9bafc05d_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\rumkvbjwjfwt.exe
C:\Windows\rumkvbjwjfwt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\rumkvbjwjfwt.exe
C:\Windows\rumkvbjwjfwt.exe
4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2124

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a4f646f8,0x7ff9a4f64708,0x7ff9a4f64718
6⤵
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,16122731966047045931,3023993695867188905,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
6⤵
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,16122731966047045931,3023993695867188905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
6⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,16122731966047045931,3023993695867188905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
6⤵
PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16122731966047045931,3023993695867188905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
6⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16122731966047045931,3023993695867188905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
6⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,16122731966047045931,3023993695867188905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
6⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,16122731966047045931,3023993695867188905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
6⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16122731966047045931,3023993695867188905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
6⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16122731966047045931,3023993695867188905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
6⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16122731966047045931,3023993695867188905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
6⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16122731966047045931,3023993695867188905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
6⤵
PID:4672

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\RUMKVB~1.EXE
5⤵
- System Location Discovery: System Language Discovery
PID:3200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\8C23E7~1.EXE
3⤵
- System Location Discovery: System Language Discovery
PID:1512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+abjfu.html

Filesize
9KB

MD5
b961497f15946c35b9d19139053f7351

SHA1
a0de981f107c788b150efec0102e71cd81637b9d

SHA256
b53c3d95ec6b334933b0b6735787837be43849a32e691846dc90adfc235a171d

SHA512
e1f8046a46584fc487bde43267a906d05e04e62991b4e9195ddf46ce4267985727a88fe48d4fcc2a3a9c49e96732124f2aa7b2120a54e521811707ffddaa477a

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+abjfu.png

Filesize
63KB

MD5
e532fbb0fec030bbc58420c5f0c2dff2

SHA1
5cc8dc503ee222612dd6ffbf51a997f29d28734d

SHA256
bf22f50b59c5aefc78c0bcab9d38a1463669bd67c5760e6af8a5ee532fd48882

SHA512
6b44c6bf0024bf9552c9b7fba5474806f27e6ceb907720bd87455f818372c644c85f4fb995a804105a32a1952a5f0a3e134e37fa754292f39f03f5eb1b335d30

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+abjfu.txt

Filesize
1KB

MD5
c807de1f615174c3dfc9bc4de384f0e7

SHA1
8defc647d7179c3b8c88f94e0c0b41b7451e485c

SHA256
db75a7c7dcd4cf4b137535de54394d4bbf318bf7279a41958be9cd33575c9347

SHA512
9a76a4d2cacb7db3a6be44f96f01b8e7007e9171aef3c5e6721177d6a3b563b5d3dd9ee816d30fc57d1d425f733e40860c01c6cbb04078f0e49b0563b883c93c

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
3c50c82cf9508b362592d521bb7ecde3

SHA1
e6098062c647cafd9ae07db72dd02635b8a658a8

SHA256
24524d0875dc1f82e9e6955cda1e583ce733ddb0061bac618253b7d779bb788c

SHA512
b145523891eb2fb53532bfdc9e29e13b6a79bab9dd9134d0a3fbd8ce2d642f08577d8b53774d27569899118fede00913f744a0c8f28fe6f4546afab0441f17ae

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
e76aa19a36882deafd56f3314ac81e17

SHA1
96d09b78181166026d6c375e91f246d9488eb96d

SHA256
6f7736099a40a0dc068648e0db46d82b722b0934f251b6ecc724e55fa94aec91

SHA512
7a89437b5204153df001b7a39817d2afa640847748fe92f5258e6ce6cf9123790dd461f80f79409185c06c8b0bb4b1370679d77f265ae3e86a3f135e61bedb19

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
c7d8c91a4cdda8be6274f530c50d24d1

SHA1
b769cf7ef75266c1ea12c2cb99341d396c68b12b

SHA256
c7cef4deaeb1bbfc6652a26db1b3baf70b7eb374e0dd75aa65e8e4ed7c44f80c

SHA512
6dbcce09d476f581a8c7e2c549905d478cd0890e2a518738722a4430a78519bd0162b6b62049ff35f02ce067844912c84576895112714f6c7cc1be767b624f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
72c9191e73a523ae201d0224287c22e3

SHA1
b1b167e71b34601304831acb04992bbcf89e52cf

SHA256
a2fa207e4d6b347ec7fb9677a65afe36eacd14a731e7072496c297a25b92e25b

SHA512
2f1cbfdd068549b3bc1ce479ac8a5e62c8b23a6b1a20b63a1e21412e709548ff59876cc2e8f5e2c7e51fee972f2123f4623b7642482cb1fc25fd834e8fd8ad02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e3a0e1fa8ad357bebd0adad49772f3c

SHA1
83027fd2a430dfee0d9f733cdec0b6bf95495ba9

SHA256
1cb9caca1021fc17b8cf3410acb96a119c8368e6e0275e480bd1e3ab145003af

SHA512
c7911aaf006740101068ee4c95be67b18d96d89b2c8f90b6d3b03c23203a215b6b399243982ad82840fc9a10357f5ac640d6779e804c7d4b956c5ba454a28763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
93053a4d6b133269cb7d4c7cb4a47c57

SHA1
55cca658b82d8409142af2c29b212de5db5471ef

SHA256
7aafea48c0943ff1dafc63f0f3587d98fa743791697617209ddf6dcd77bc57da

SHA512
c156c83015bf47bbd426de538f4c632876c224e8667926d86980375a7645f971a8a538ff98ffd99d2f2b790db0e586c81982e66d24309e00590f59ef91cb101c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662820354407.txt

Filesize
77KB

MD5
de91bcec1f791bef606bd7a7c06949e8

SHA1
27e4976c1053c5e387c478e624f2eae43844ea9e

SHA256
312d68d2e26bc388130ffb56d40a8c89eee94c5a9bdfc29bbfe9063e1c9cbcc8

SHA512
186c8ec8d338db71b8acec2ca0fc77650e7e3cf36c0cc8937dd1fc7509518a7459ccc9f46adda2043189bfc128e021cd0ba399ad65b351974f3620057cafcd39

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664176773847.txt

Filesize
48KB

MD5
400b3d60189a5cbba5de00c35d1d0267

SHA1
6ed3b7cd2976f8932aea385d62688c9b82e474e6

SHA256
0a8207d508225c9ff7edaba0c2b2ce5a294c20412066364e053de58dfd276351

SHA512
40042badb77e8eb57abe454d98fb6dbe2e60cf51d6c14a91b2d4b4a1efe27f09fc810da82521905451158da92b7cb1b8543164ab9067b7dc24794deb3842a400

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727672589120253.txt

Filesize
75KB

MD5
4055b1dec5be2e06a7fe2255e11cd976

SHA1
3df067c9d6c4d858c7ead81e5ca6b6f7e445bd40

SHA256
dea5f363eb96453087d6829d58b64266b56ae0566fcb6ee4ab09e7d9dfc0387b

SHA512
4a3556053f49c4e1653d0875598342ea7dfb2dc0e6fcf8a3abe80e32157d785b654a730a0cd88bfe1a123a404dc25701538af9ca5fc077d4500005a2dd6ccab9

Download Submit
C:\Windows\rumkvbjwjfwt.exe

Filesize
396KB

MD5
8c23e7c480280c24c6b34c9c9bafc05d

SHA1
de75bf5f2115fb3399d2c94966218f91dd9c2362

SHA256
d898a79292edb0059156844e559cf65ab68819786b1d344dec42993851751740

SHA512
04a631fbd1a3aca23956e316716375a77328471025f8391971aa33315ad8245419231f3b9b95229b1999c24c240ae97436ba9fcc3216d1a5b63ff75de9e9edf5

Download Submit
\??\pipe\LOCAL\crashpad_2336_KNQNIHIHIGNXLEFF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1848-0-0x0000000000820000-0x0000000000823000-memory.dmp

Filesize
12KB

Download
memory/1848-4-0x0000000000820000-0x0000000000823000-memory.dmp

Filesize
12KB

Download
memory/1848-1-0x0000000000820000-0x0000000000823000-memory.dmp

Filesize
12KB

Download
memory/2124-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-10814-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-26-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-2758-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-2769-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-5349-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-8794-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-10813-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-418-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-10822-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-10823-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2124-10865-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4604-12-0x0000000000400000-0x0000000000620000-memory.dmp

Filesize
2.1MB

Download
memory/5016-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5016-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5016-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5016-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5016-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download