teslacrypt | ea7be43ae12bab3a5c3e00a568f3b3564c9225a056960048eda72f9f8f9f690e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe
Size

336KB
MD5

a5eb9cf3b138e8466071ec20a6722b5c
SHA1

5b8db28fdc2e40fd67b3de164eb9d904122e5cef
SHA256

ea7be43ae12bab3a5c3e00a568f3b3564c9225a056960048eda72f9f8f9f690e
SHA512

499af2dfd9997cd737ebdd758d7c84e36084d5db5cf1f2eb032fd496b549e808303eb73275e9ddf378e966972c1ddbab03174ba5b9b97fd4c75c2ba1e5d14a24
SSDEEP

6144:81w0U6D6x4kyjf+g0uc2RTqWmx7Ikw9NShXvSmk2OpXaP/EBySkQ4:8i0Uu6ikyjcuk5y0hXaxpKkB

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+voroo.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6E3FEF74CCA5B55 2. http://tes543berda73i48fsdfsd.keratadze.at/6E3FEF74CCA5B55 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6E3FEF74CCA5B55 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6E3FEF74CCA5B55 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6E3FEF74CCA5B55 http://tes543berda73i48fsdfsd.keratadze.at/6E3FEF74CCA5B55 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6E3FEF74CCA5B55 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6E3FEF74CCA5B55

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6E3FEF74CCA5B55

http://tes543berda73i48fsdfsd.keratadze.at/6E3FEF74CCA5B55

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6E3FEF74CCA5B55

http://xlowfznrg4wf7dli.ONION/6E3FEF74CCA5B55

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (883) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wcgajfqalpic.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+voroo.png	wcgajfqalpic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+voroo.txt	wcgajfqalpic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+voroo.png	wcgajfqalpic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+voroo.txt	wcgajfqalpic.exe

Executes dropped EXE 2 IoCs

pid	Process
3872	wcgajfqalpic.exe
2900	wcgajfqalpic.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckqiynhcxdxg = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\wcgajfqalpic.exe\""	wcgajfqalpic.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4080 set thread context of 3968	4080	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	98
PID 3872 set thread context of 2900	3872	wcgajfqalpic.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-125.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-400.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fil-PH\View3d\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-60.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\Recovery+voroo.txt	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\Recovery+voroo.txt	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_altform-unplated_contrast-white.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-60_altform-unplated.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-125.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\50.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\Recovery+voroo.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-125_contrast-white.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-100.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-150_contrast-white.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Recovery+voroo.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\27.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-125.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-150_contrast-black.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxMetadata\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-200.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-250.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_SmallTile.scale-200.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-150.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare71x71Logo.scale-100.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\Recovery+voroo.txt	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-24_contrast-black.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-125_contrast-white.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-24.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Internet Explorer\Recovery+voroo.txt	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-150.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Fonts\Recovery+voroo.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\Recovery+voroo.txt	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-125.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\Recovery+voroo.txt	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-100.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page2.jpg	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt	wcgajfqalpic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\Recovery+voroo.txt	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-250.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-200_contrast-black.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\Recovery+voroo.html	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png	wcgajfqalpic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-100.png	wcgajfqalpic.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wcgajfqalpic.exe	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe
File opened for modification	C:\Windows\wcgajfqalpic.exe	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcgajfqalpic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcgajfqalpic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wcgajfqalpic.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3920	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe
2900	wcgajfqalpic.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe
Token: SeDebugPrivilege	2900	wcgajfqalpic.exe
Token: SeIncreaseQuotaPrivilege	1372	WMIC.exe
Token: SeSecurityPrivilege	1372	WMIC.exe
Token: SeTakeOwnershipPrivilege	1372	WMIC.exe
Token: SeLoadDriverPrivilege	1372	WMIC.exe
Token: SeSystemProfilePrivilege	1372	WMIC.exe
Token: SeSystemtimePrivilege	1372	WMIC.exe
Token: SeProfSingleProcessPrivilege	1372	WMIC.exe
Token: SeIncBasePriorityPrivilege	1372	WMIC.exe
Token: SeCreatePagefilePrivilege	1372	WMIC.exe
Token: SeBackupPrivilege	1372	WMIC.exe
Token: SeRestorePrivilege	1372	WMIC.exe
Token: SeShutdownPrivilege	1372	WMIC.exe
Token: SeDebugPrivilege	1372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1372	WMIC.exe
Token: SeRemoteShutdownPrivilege	1372	WMIC.exe
Token: SeUndockPrivilege	1372	WMIC.exe
Token: SeManageVolumePrivilege	1372	WMIC.exe
Token: 33	1372	WMIC.exe
Token: 34	1372	WMIC.exe
Token: 35	1372	WMIC.exe
Token: 36	1372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1372	WMIC.exe
Token: SeSecurityPrivilege	1372	WMIC.exe
Token: SeTakeOwnershipPrivilege	1372	WMIC.exe
Token: SeLoadDriverPrivilege	1372	WMIC.exe
Token: SeSystemProfilePrivilege	1372	WMIC.exe
Token: SeSystemtimePrivilege	1372	WMIC.exe
Token: SeProfSingleProcessPrivilege	1372	WMIC.exe
Token: SeIncBasePriorityPrivilege	1372	WMIC.exe
Token: SeCreatePagefilePrivilege	1372	WMIC.exe
Token: SeBackupPrivilege	1372	WMIC.exe
Token: SeRestorePrivilege	1372	WMIC.exe
Token: SeShutdownPrivilege	1372	WMIC.exe
Token: SeDebugPrivilege	1372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1372	WMIC.exe
Token: SeRemoteShutdownPrivilege	1372	WMIC.exe
Token: SeUndockPrivilege	1372	WMIC.exe
Token: SeManageVolumePrivilege	1372	WMIC.exe
Token: 33	1372	WMIC.exe
Token: 34	1372	WMIC.exe
Token: 35	1372	WMIC.exe
Token: 36	1372	WMIC.exe
Token: SeBackupPrivilege	4168	vssvc.exe
Token: SeRestorePrivilege	4168	vssvc.exe
Token: SeAuditPrivilege	4168	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4004	WMIC.exe
Token: SeSecurityPrivilege	4004	WMIC.exe
Token: SeTakeOwnershipPrivilege	4004	WMIC.exe
Token: SeLoadDriverPrivilege	4004	WMIC.exe
Token: SeSystemProfilePrivilege	4004	WMIC.exe
Token: SeSystemtimePrivilege	4004	WMIC.exe
Token: SeProfSingleProcessPrivilege	4004	WMIC.exe
Token: SeIncBasePriorityPrivilege	4004	WMIC.exe
Token: SeCreatePagefilePrivilege	4004	WMIC.exe
Token: SeBackupPrivilege	4004	WMIC.exe
Token: SeRestorePrivilege	4004	WMIC.exe
Token: SeShutdownPrivilege	4004	WMIC.exe
Token: SeDebugPrivilege	4004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4004	WMIC.exe
Token: SeRemoteShutdownPrivilege	4004	WMIC.exe
Token: SeUndockPrivilege	4004	WMIC.exe
Token: SeManageVolumePrivilege	4004	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 3968	4080	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	98
PID 4080 wrote to memory of 3968	4080	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	98
PID 4080 wrote to memory of 3968	4080	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	98
PID 4080 wrote to memory of 3968	4080	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	98
PID 4080 wrote to memory of 3968	4080	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	98
PID 4080 wrote to memory of 3968	4080	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	98
PID 4080 wrote to memory of 3968	4080	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	98
PID 4080 wrote to memory of 3968	4080	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	98
PID 4080 wrote to memory of 3968	4080	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	98
PID 3968 wrote to memory of 3872	3968	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	99
PID 3968 wrote to memory of 3872	3968	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	99
PID 3968 wrote to memory of 3872	3968	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	99
PID 3968 wrote to memory of 2848	3968	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	100
PID 3968 wrote to memory of 2848	3968	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	100
PID 3968 wrote to memory of 2848	3968	a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe	100
PID 3872 wrote to memory of 2900	3872	wcgajfqalpic.exe	103
PID 3872 wrote to memory of 2900	3872	wcgajfqalpic.exe	103
PID 3872 wrote to memory of 2900	3872	wcgajfqalpic.exe	103
PID 3872 wrote to memory of 2900	3872	wcgajfqalpic.exe	103
PID 3872 wrote to memory of 2900	3872	wcgajfqalpic.exe	103
PID 3872 wrote to memory of 2900	3872	wcgajfqalpic.exe	103
PID 3872 wrote to memory of 2900	3872	wcgajfqalpic.exe	103
PID 3872 wrote to memory of 2900	3872	wcgajfqalpic.exe	103
PID 3872 wrote to memory of 2900	3872	wcgajfqalpic.exe	103
PID 2900 wrote to memory of 1372	2900	wcgajfqalpic.exe	104
PID 2900 wrote to memory of 1372	2900	wcgajfqalpic.exe	104
PID 2900 wrote to memory of 3920	2900	wcgajfqalpic.exe	110
PID 2900 wrote to memory of 3920	2900	wcgajfqalpic.exe	110
PID 2900 wrote to memory of 3920	2900	wcgajfqalpic.exe	110
PID 2900 wrote to memory of 2540	2900	wcgajfqalpic.exe	111
PID 2900 wrote to memory of 2540	2900	wcgajfqalpic.exe	111
PID 2540 wrote to memory of 4992	2540	msedge.exe	112
PID 2540 wrote to memory of 4992	2540	msedge.exe	112
PID 2900 wrote to memory of 4004	2900	wcgajfqalpic.exe	113
PID 2900 wrote to memory of 4004	2900	wcgajfqalpic.exe	113
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116
PID 2540 wrote to memory of 2640	2540	msedge.exe	116

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wcgajfqalpic.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wcgajfqalpic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\wcgajfqalpic.exe
    C:\Windows\wcgajfqalpic.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\wcgajfqalpic.exe
      C:\Windows\wcgajfqalpic.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2900
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:3920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffcc88346f8,0x7ffcc8834708,0x7ffcc8834718
        6⤵
        
        PID:4992
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,9679406819540321901,8237464729367874649,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        6⤵
        
        PID:2640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,9679406819540321901,8237464729367874649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        6⤵
        
        PID:696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,9679406819540321901,8237464729367874649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
        6⤵
        
        PID:4480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9679406819540321901,8237464729367874649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        6⤵
        
        PID:1612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9679406819540321901,8237464729367874649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        6⤵
        
        PID:1536
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,9679406819540321901,8237464729367874649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
        6⤵
        
        PID:4356
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,9679406819540321901,8237464729367874649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
        6⤵
        
        PID:3464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9679406819540321901,8237464729367874649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
        6⤵
        
        PID:748
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9679406819540321901,8237464729367874649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
        6⤵
        
        PID:3620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9679406819540321901,8237464729367874649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
        6⤵
        
        PID:3472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9679406819540321901,8237464729367874649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
        6⤵
        
        PID:4336
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\WCGAJF~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A5EB9C~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+voroo.html

Filesize
11KB

MD5
2253ba7c71dd1ba299e4e3ea86394a64

SHA1
ed93e6344c26ce8861312534bf1ff89ec7d18139

SHA256
6880b64adb7758e4b635724df3d68505d72439f47f50db3544891f5626e2d42a

SHA512
674f6328c9dbb221345790b08e206ee723b3d8532058c9f111c30f17cef1d0b081876e5732d641cef5c71ddddbce2f0c1d678a0c98e8a35d2a0268b2751189b0

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+voroo.png

Filesize
62KB

MD5
7518431bc716d41f42f54b218da9d100

SHA1
7f24333bf48eafc8c2012aa16056d3dd616b4c2c

SHA256
b656cc5670d565086e752d70b199c0ad704f957997dfdc3ca3f68e5436bd2c59

SHA512
aa2446fce86417f6ba71e4d399bde712d125480b61f748b7725739cb5544ad80db08737b7acca951bb5b5892a57a257cad899d06c9bbf8f08e9f913ba14111ac

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+voroo.txt

Filesize
1KB

MD5
989a002c9ff819fe13bc9d11163d1e02

SHA1
47ade859d7ecbec6713cfd4414302abce07f85c1

SHA256
18afb6e5b1ca7b9e8b0c9cfa79af6ef1e2c353001f638c9412bd35fe50f9460b

SHA512
6fd7460967ebe3bb1641b9f064b3ce25aa296a2c233dda92f8933cce2e728b4c807dc3d78d4402b459dde2d7d1813572ae6ba4460982182c5eee965e5a326fbf

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
195a2d4969d318db3016dc75db3de298

SHA1
c63cdd563a5cc7ef8f745dddf592807cb5d1eb42

SHA256
d7da94e8f3f4eaa4d555fc11ad650a6444147f569a2a7547f95ed341eda236ff

SHA512
f313772d9f862fce3238b2bbef762c0eff5921fd2d0cac39efd7fb634140b1209a5fec2785308991406478f67af30b919e4a7350988df62c1c182bfa9feadd0c

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
cd447c350b09aa24d048a7839acaab28

SHA1
3d0b92db991cde75dee190db1ef7df16b0ee6776

SHA256
12af4470b573372842601da085a223118ce0fe5f73249c82f14772639ff6da9b

SHA512
d8a53ef2c2013b2e51b1f93f313717328d9e6b76796b31ddd02687f72c9333a951b3c7fd186b69a3964633a42e4e66e9f34829647ca5615543795c156a0fba57

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
93dc61ba412a52ec91675371445c3780

SHA1
2e5b194243d394d57da9607d8b3e4b3bea0b4765

SHA256
6d500c3e5163e3f57858f2f4be64bc8c736f5bd9a70146668730ee2e20231cb1

SHA512
8d8694290592cb98abac9d049c68cb56f316d1d8f4d4e3ba6a4f57edd8f260c7025ed302c6813278c023d9aa646f2044eca9204c2ae116b2e593e687696eafd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
52ba05215a22afcba95085ea711f8918

SHA1
b5219a45a315493e75e0ce7aab21f0f16490acaa

SHA256
af74042512d6407418e856907a17fd3d20a8c9a03ad0a7cbfd67fc0ee9cf813e

SHA512
fb319fbc8967bac06de22d549248f085bc3a4283f19c494f02eb392f62d14e9b466e5d7df902375db48a0a632dda3c1e88459d0ab2ba37c42a6f9c031f23d417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f77a1ffae34fca123d4dcb1380da3328

SHA1
21d7dc3f26fb461317810f4347a71f98fc1a1f9c

SHA256
0feffad04f7b4554bd743580199d0fcc651951901afb0c6c411a4f2949a8564c

SHA512
b86b1909e5315f312657a23d6508b88fa846148286ccf8cdb0a3f0586ca7cdb994b5c1caf676f8d176b18b80f8f2a20f15c7329437e1181703a3ddc597b3bd6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d5e438f3-3afa-4a33-a55c-90d8ad058bf5.tmp

Filesize
10KB

MD5
6a421f5138e40d0b3566acb370899177

SHA1
2d50ef9a3f0095d1104c1e60f52f15111f6fedef

SHA256
8ef76f01c49d96d8df6db23ecd334068b67797bd4a12607e088312e1d5afcf84

SHA512
c600b30e1ed204b9cf486f20a2dc02a5a9f2ded06664ced686fd7c837b505f2f8f02900cbab820d09ad49bb0a142307f49304c8fc5871c8e47d2c95967f902d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656298443196.txt

Filesize
77KB

MD5
55a39f672fac445c21e35b96ea58d74c

SHA1
e6d416686e1d451a282de7e3b80783996d280d7b

SHA256
2a35a9bd24d3c1d31f5fef7b44f841bfe60acf5b7ffec21c81f53b6048af0ebc

SHA512
56a3f342077c1be9c73648150b5c8b4027efcba2f618dcf365c48e227ac750d6ad9a72a5fc748e79801f44c82b8034ab3c0c4e87b001e2b198e591c4875ca01a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657999741523.txt

Filesize
47KB

MD5
30567389fa3dc9a315c40dbe74e255a6

SHA1
5a6eda7f40eb7cb6f885399a7c14e83c7918ae8b

SHA256
821e2b90ecbc5b06c3a1300c6ba2f26772f0074af2bd5e17c7ca8ae7c0a79791

SHA512
055a5028addaadb00884b97ba617ae2d3de5c6cff2c9fc8507be9cdecfac53eb329488b70dc9b47615e1158e30316822d7e0b7277f3bec797b824b324e2e0258

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666039184869.txt

Filesize
74KB

MD5
8133a3a31f4f7cbbd045cba896373402

SHA1
de3851041b2f0d29f90c74e6322c07970a6e6436

SHA256
7566029648ee7ee9b272f7506190c5377abcbda8d675221a5ad6901fd36c118c

SHA512
80b3973ae717619fdb76d92205ffd04a6d8f5bf54c55c80c0736f3c01ddc8aeef8a31dac54bed0ea006d2c25363fe93e702a67443dde47744b3d08b48a3c88d3

Download Submit
C:\Windows\wcgajfqalpic.exe

Filesize
336KB

MD5
a5eb9cf3b138e8466071ec20a6722b5c

SHA1
5b8db28fdc2e40fd67b3de164eb9d904122e5cef

SHA256
ea7be43ae12bab3a5c3e00a568f3b3564c9225a056960048eda72f9f8f9f690e

SHA512
499af2dfd9997cd737ebdd758d7c84e36084d5db5cf1f2eb032fd496b549e808303eb73275e9ddf378e966972c1ddbab03174ba5b9b97fd4c75c2ba1e5d14a24

Download Submit
memory/2900-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-8171-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-22-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-1521-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-2515-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-2516-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-4870-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-10639-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-10587-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-10589-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-10597-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2900-10598-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3872-11-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/3968-14-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3968-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3968-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3968-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3968-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4080-0-0x0000000000A10000-0x0000000000A13000-memory.dmp

Filesize
12KB

Download
memory/4080-2-0x0000000000A10000-0x0000000000A13000-memory.dmp

Filesize
12KB

Download