teslacrypt | 32b673822967ed3f38c8a8f63a21398b6e04a3c3af299ee7d5c03b971015f107

Analysis

max time kernel
142s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe
Size

276KB
MD5

a265dc8eadb3cd340233953eaaf4c15c
SHA1

c67a84227d4d85565ab8127f711b2610b014e27b
SHA256

32b673822967ed3f38c8a8f63a21398b6e04a3c3af299ee7d5c03b971015f107
SHA512

2d2fd12cd7e521df87ea47902b7a266cf440385edf02ad1610ec2457384fb2dce41014fdf2347252a9d7667102916ab8a173c36eb4da869e6eb2150c00fd06a4
SSDEEP

6144:i4EoMNAWiA9LBShpOGmt3CImh7dRZQ/f+WNZN0ivkcMM:i1ASx0hpuJmhh/Q/2WN/2nM

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mllba.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4391D85AF5B5553 2 - http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/4391D85AF5B5553 3 - http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/4391D85AF5B5553 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/4391D85AF5B5553 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4391D85AF5B5553 http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/4391D85AF5B5553 http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/4391D85AF5B5553 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/4391D85AF5B5553

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4391D85AF5B5553

http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/4391D85AF5B5553

http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/4391D85AF5B5553

http://xlowfznrg4wf7dli.ONION/4391D85AF5B5553

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	tlnxphjkuskx.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+mllba.html	tlnxphjkuskx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+mllba.png	tlnxphjkuskx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+mllba.html	tlnxphjkuskx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+mllba.png	tlnxphjkuskx.exe

Executes dropped EXE 2 IoCs

pid	Process
444	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jevggag = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\tlnxphjkuskx.exe"	tlnxphjkuskx.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4956 set thread context of 2844	4956	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	90
PID 444 set thread context of 1584	444	tlnxphjkuskx.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\_ReCoVeRy_+mllba.html	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\_ReCoVeRy_+mllba.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\_ReCoVeRy_+mllba.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8080_20x20x32.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-64_altform-unplated.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-150.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\_ReCoVeRy_+mllba.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-30.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\SmallTile.scale-100.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-lightunplated.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\152.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\TagAlbumDefinitions\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsSmallTile.scale-100.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\_ReCoVeRy_+mllba.html	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-100_contrast-black.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\Mozilla Firefox\_ReCoVeRy_+mllba.html	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_ReCoVeRy_+mllba.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_contrast-white.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-80_altform-unplated_contrast-white.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-125.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-150_contrast-white.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\_ReCoVeRy_+mllba.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\_ReCoVeRy_+mllba.html	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\_ReCoVeRy_+mllba.html	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsStoreLogo.scale-200.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-200.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-256.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-unplated_contrast-black.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\_ReCoVeRy_+mllba.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_ReCoVeRy_+mllba.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\185.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_ReCoVeRy_+mllba.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-100_contrast-white.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-unplated.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\WideTile.scale-125.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\dictation\_ReCoVeRy_+mllba.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-400.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-100.jpg	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\archives\_ReCoVeRy_+mllba.html	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	tlnxphjkuskx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\_ReCoVeRy_+mllba.png	tlnxphjkuskx.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tlnxphjkuskx.exe	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe
File opened for modification	C:\Windows\tlnxphjkuskx.exe	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tlnxphjkuskx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tlnxphjkuskx.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	tlnxphjkuskx.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5104	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe
1584	tlnxphjkuskx.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe
Token: SeDebugPrivilege	1584	tlnxphjkuskx.exe
Token: SeIncreaseQuotaPrivilege	2736	WMIC.exe
Token: SeSecurityPrivilege	2736	WMIC.exe
Token: SeTakeOwnershipPrivilege	2736	WMIC.exe
Token: SeLoadDriverPrivilege	2736	WMIC.exe
Token: SeSystemProfilePrivilege	2736	WMIC.exe
Token: SeSystemtimePrivilege	2736	WMIC.exe
Token: SeProfSingleProcessPrivilege	2736	WMIC.exe
Token: SeIncBasePriorityPrivilege	2736	WMIC.exe
Token: SeCreatePagefilePrivilege	2736	WMIC.exe
Token: SeBackupPrivilege	2736	WMIC.exe
Token: SeRestorePrivilege	2736	WMIC.exe
Token: SeShutdownPrivilege	2736	WMIC.exe
Token: SeDebugPrivilege	2736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2736	WMIC.exe
Token: SeRemoteShutdownPrivilege	2736	WMIC.exe
Token: SeUndockPrivilege	2736	WMIC.exe
Token: SeManageVolumePrivilege	2736	WMIC.exe
Token: 33	2736	WMIC.exe
Token: 34	2736	WMIC.exe
Token: 35	2736	WMIC.exe
Token: 36	2736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2736	WMIC.exe
Token: SeSecurityPrivilege	2736	WMIC.exe
Token: SeTakeOwnershipPrivilege	2736	WMIC.exe
Token: SeLoadDriverPrivilege	2736	WMIC.exe
Token: SeSystemProfilePrivilege	2736	WMIC.exe
Token: SeSystemtimePrivilege	2736	WMIC.exe
Token: SeProfSingleProcessPrivilege	2736	WMIC.exe
Token: SeIncBasePriorityPrivilege	2736	WMIC.exe
Token: SeCreatePagefilePrivilege	2736	WMIC.exe
Token: SeBackupPrivilege	2736	WMIC.exe
Token: SeRestorePrivilege	2736	WMIC.exe
Token: SeShutdownPrivilege	2736	WMIC.exe
Token: SeDebugPrivilege	2736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2736	WMIC.exe
Token: SeRemoteShutdownPrivilege	2736	WMIC.exe
Token: SeUndockPrivilege	2736	WMIC.exe
Token: SeManageVolumePrivilege	2736	WMIC.exe
Token: 33	2736	WMIC.exe
Token: 34	2736	WMIC.exe
Token: 35	2736	WMIC.exe
Token: 36	2736	WMIC.exe
Token: SeBackupPrivilege	320	vssvc.exe
Token: SeRestorePrivilege	320	vssvc.exe
Token: SeAuditPrivilege	320	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2520	WMIC.exe
Token: SeSecurityPrivilege	2520	WMIC.exe
Token: SeTakeOwnershipPrivilege	2520	WMIC.exe
Token: SeLoadDriverPrivilege	2520	WMIC.exe
Token: SeSystemProfilePrivilege	2520	WMIC.exe
Token: SeSystemtimePrivilege	2520	WMIC.exe
Token: SeProfSingleProcessPrivilege	2520	WMIC.exe
Token: SeIncBasePriorityPrivilege	2520	WMIC.exe
Token: SeCreatePagefilePrivilege	2520	WMIC.exe
Token: SeBackupPrivilege	2520	WMIC.exe
Token: SeRestorePrivilege	2520	WMIC.exe
Token: SeShutdownPrivilege	2520	WMIC.exe
Token: SeDebugPrivilege	2520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2520	WMIC.exe
Token: SeRemoteShutdownPrivilege	2520	WMIC.exe
Token: SeUndockPrivilege	2520	WMIC.exe
Token: SeManageVolumePrivilege	2520	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2844	4956	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	90
PID 4956 wrote to memory of 2844	4956	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	90
PID 4956 wrote to memory of 2844	4956	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	90
PID 4956 wrote to memory of 2844	4956	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	90
PID 4956 wrote to memory of 2844	4956	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	90
PID 4956 wrote to memory of 2844	4956	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	90
PID 4956 wrote to memory of 2844	4956	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	90
PID 4956 wrote to memory of 2844	4956	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	90
PID 4956 wrote to memory of 2844	4956	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	90
PID 4956 wrote to memory of 2844	4956	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	90
PID 2844 wrote to memory of 444	2844	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	91
PID 2844 wrote to memory of 444	2844	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	91
PID 2844 wrote to memory of 444	2844	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	91
PID 2844 wrote to memory of 2040	2844	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	92
PID 2844 wrote to memory of 2040	2844	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	92
PID 2844 wrote to memory of 2040	2844	a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe	92
PID 444 wrote to memory of 1584	444	tlnxphjkuskx.exe	95
PID 444 wrote to memory of 1584	444	tlnxphjkuskx.exe	95
PID 444 wrote to memory of 1584	444	tlnxphjkuskx.exe	95
PID 444 wrote to memory of 1584	444	tlnxphjkuskx.exe	95
PID 444 wrote to memory of 1584	444	tlnxphjkuskx.exe	95
PID 444 wrote to memory of 1584	444	tlnxphjkuskx.exe	95
PID 444 wrote to memory of 1584	444	tlnxphjkuskx.exe	95
PID 444 wrote to memory of 1584	444	tlnxphjkuskx.exe	95
PID 444 wrote to memory of 1584	444	tlnxphjkuskx.exe	95
PID 444 wrote to memory of 1584	444	tlnxphjkuskx.exe	95
PID 1584 wrote to memory of 2736	1584	tlnxphjkuskx.exe	96
PID 1584 wrote to memory of 2736	1584	tlnxphjkuskx.exe	96
PID 1584 wrote to memory of 5104	1584	tlnxphjkuskx.exe	101
PID 1584 wrote to memory of 5104	1584	tlnxphjkuskx.exe	101
PID 1584 wrote to memory of 5104	1584	tlnxphjkuskx.exe	101
PID 1584 wrote to memory of 1516	1584	tlnxphjkuskx.exe	102
PID 1584 wrote to memory of 1516	1584	tlnxphjkuskx.exe	102
PID 1516 wrote to memory of 3580	1516	msedge.exe	103
PID 1516 wrote to memory of 3580	1516	msedge.exe	103
PID 1584 wrote to memory of 2520	1584	tlnxphjkuskx.exe	104
PID 1584 wrote to memory of 2520	1584	tlnxphjkuskx.exe	104
PID 1584 wrote to memory of 1844	1584	tlnxphjkuskx.exe	106
PID 1584 wrote to memory of 1844	1584	tlnxphjkuskx.exe	106
PID 1584 wrote to memory of 1844	1584	tlnxphjkuskx.exe	106
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108
PID 1516 wrote to memory of 2116	1516	msedge.exe	108

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tlnxphjkuskx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tlnxphjkuskx.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a265dc8eadb3cd340233953eaaf4c15c_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\tlnxphjkuskx.exe
    C:\Windows\tlnxphjkuskx.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Windows\tlnxphjkuskx.exe
      C:\Windows\tlnxphjkuskx.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1584
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:5104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0e9946f8,0x7ffc0e994708,0x7ffc0e994718
        6⤵
        
        PID:3580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8675736778157960893,13586592133182541261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        6⤵
        
        PID:2116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8675736778157960893,13586592133182541261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        6⤵
        
        PID:324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,8675736778157960893,13586592133182541261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
        6⤵
        
        PID:4780
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8675736778157960893,13586592133182541261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
        6⤵
        
        PID:1520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8675736778157960893,13586592133182541261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        6⤵
        
        PID:3904
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8675736778157960893,13586592133182541261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
        6⤵
        
        PID:4420
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8675736778157960893,13586592133182541261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
        6⤵
        
        PID:1336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8675736778157960893,13586592133182541261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
        6⤵
        
        PID:1116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8675736778157960893,13586592133182541261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
        6⤵
        
        PID:1180
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8675736778157960893,13586592133182541261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
        6⤵
        
        PID:2520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8675736778157960893,13586592133182541261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
        6⤵
        
        PID:2808
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TLNXPH~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A265DC~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mllba.html

Filesize
11KB

MD5
e2a1d830bd4d54bf3efff798a826bed8

SHA1
115df80bb63997a0db7b96cc2fcb17c540f9654e

SHA256
f74c135862e470f6d87ec568636bbc5ffb63899bf43821b52ee814b4bc061ebf

SHA512
2fcbc54e2fdf2632e408c5cda2b56311937fc6014fea0bc97730a43fd8648ba989b0dfefe7437166fede5ed51247660c6af931dd88b9ea86ff94e443400b4659

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mllba.png

Filesize
64KB

MD5
96198a13a314a0a9ddebbc798988f150

SHA1
5d55b38c0419facbf0efffdac06969cc033b91b8

SHA256
ce1c2f1e6ea5acd8b7f6c4d0f3a38f37d92cfa88b88feafb7e5acc0b6731280d

SHA512
d5f9d1161ffd751d1e74f9e736da65d99ff8dd2a690398312462cdb79914e605c76ab7b24b0e1f0aef22f712e1a15ce139b4757a9945bb04a6f6740e881bb870

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mllba.txt

Filesize
1KB

MD5
1259c9542b1cc7fa88ea827fcf525d1d

SHA1
84d7dcf44db25886a88f6940af1f7157780dae79

SHA256
4576431ad7d35fd77c56a64764537ba9c966cdaa04e869f242ffacfc7ff51c9a

SHA512
1ada9f3ea9a46a938dbf590ad28d6db8ff16fb1a2d8ee9f61accd0339ef9811ef90d4f6b7aa9b29779a82d7b218ceae8f96f90e62e1a4f6cee25e97d248da7c8

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
aaa925bc592604c13e8b09612a80ab81

SHA1
a4db599d50c8a5dc5f7899e504445f5f92ad710e

SHA256
af00280b256cc1d8b8373dd802bc1ccc8e8442a7c9cd1850d17b99acb92959ef

SHA512
a709e4cb3133fb5bc3b3b111fae7594ac38e0c286205cd92d29bfdaac7340a2f595347981c01697c585753002b338aca7579edde62b1f42bf346fe64f87b9bf9

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
d0b5dd694b0a61c0c3b5d29171baf7d7

SHA1
f6a05834db6f196dc993a5be22c7df1d33900076

SHA256
6452166860614af26b79e5a6cda66de103bf563bef15b300d3fddb98f3f3710f

SHA512
73149866a56dc5288d6ee7bb55475841b164bd3fa7e5e0345d753aaf2fac02a63fccab8ad37fc44debda1c85346b9e47df206d6096b8cf02a1861162614cdc2f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
7cc7d33bb9f4ee317d3d556aecffa5cd

SHA1
f2921dc23f7040ec27c47ee2555f009d7f2a3885

SHA256
5acf8d37873962ee96744782f43d769e9a5e8d31a1250fd6c66606598aee6347

SHA512
15cf80d98b90f361fc776d3db491da64a1abdcc4ff484ae1dedc189e1de938c231015a883a1f97bc9bd47acfd0f764a8202edab186987422040f4bc5d07d144f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3efd7514d3769614d49cda224d1299b

SHA1
56d0b4026a9e34a4aa0bed4d634c4090b4f9de0d

SHA256
b3f761118afeaa89802b9d1c46dde161f59409ab3c6c0f32c45f81aac2876664

SHA512
3ee07343141082d7a7a386d5271a5b85e92cdfb008ce66616a97daa8c49a120606fc971570e0505fbe610eae345af70334557bd7ea8d36fe595c8794655137d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c1d9515244d202a3b3f5157d23209851

SHA1
0cdc988e3e125ed1bbbe8ee72e7b02f896ced84e

SHA256
42f2da871b75b1b2730ce84b24b1e50acbd6b128886cfa140c4f9218a27158d0

SHA512
cc15e688141fcbe43b2f312ac9d08b12340400a96a14899f7a3b459e3662cee1ec6e8d15a724c477eaff5079953e22080c6e511b68134f40dabeafe1252165ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
500a003bf2e120495e801d027312f6d1

SHA1
b76043d6eb06aaf0a8e8f849b1eae11bd51d41ae

SHA256
b6c05ef96a7f714ea75c315f1f280dc3528d4a6b480953577799d2abc376cf64

SHA512
f4feb477afe4d207fa4030683d6f8c2c49f290f5043705a1713af1a7bb88e0a3b30a7cfa6d1c8d6170607d3e22fbf9ae5dfcc7b2313eeb4a0f9441fd1c8c8f12

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656067266351.txt

Filesize
77KB

MD5
de9e63aac746fe8afe7a90a5cf9ce5a8

SHA1
c38647c4c49f2154ac63adc4162867f2e634ac7d

SHA256
f68196a4e44f8199357f2e6897cdb3e56add9aa9b1ac53260b966ad6cfa9866e

SHA512
3b22e3fda2dde9d8d3fddb6c29b7ec8e7dfcc2efb85cf0e76877049ba7ef3e8892fd7ec08515046e1311b04fdeb0fd0b873ec38cd8003c07c114d3c71bd2a17e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665714398674.txt

Filesize
74KB

MD5
d40a1e4b55afbcce89729c19c1a0ca34

SHA1
0712b23020b4ec431bab9aebafe90d209b448576

SHA256
9ce21d092612cec60fadc770cef280d8b4e39c9a3446577710fbc46cba63b2f8

SHA512
373f3237ad92c2f800251efc4b04bcdf331f45bd6041c0d634e1393006868d34ac67baa3f6fd64df33c8872da8cb495727dca82fe0973e302cd1ef20d5b56344

Download Submit
C:\Windows\tlnxphjkuskx.exe

Filesize
276KB

MD5
a265dc8eadb3cd340233953eaaf4c15c

SHA1
c67a84227d4d85565ab8127f711b2610b014e27b

SHA256
32b673822967ed3f38c8a8f63a21398b6e04a3c3af299ee7d5c03b971015f107

SHA512
2d2fd12cd7e521df87ea47902b7a266cf440385edf02ad1610ec2457384fb2dce41014fdf2347252a9d7667102916ab8a173c36eb4da869e6eb2150c00fd06a4

Download Submit
memory/444-12-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1584-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-10633-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-2396-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-2397-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-4598-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-7741-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-38-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-10635-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-10643-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-10644-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1584-10656-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2844-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2844-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2844-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2844-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2844-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4956-0-0x0000000000630000-0x0000000000635000-memory.dmp

Filesize
20KB

Download
memory/4956-4-0x0000000000630000-0x0000000000635000-memory.dmp

Filesize
20KB

Download
memory/4956-1-0x0000000000630000-0x0000000000635000-memory.dmp

Filesize
20KB

Download