teslacrypt | 1cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe
Size

356KB
MD5

a8e0b0186e5159aa8a772e8d4169d3f3
SHA1

7c1f0f6fc4fd2669717e632652ff8a99fb093e69
SHA256

1cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e
SHA512

01fa49ff7921b380f0390a1ba9c4beff61278685d9caabe188d84977b73fffe7ffe51360677fbaa0319c0e4d4387804c665a7671ad63e4f8a8bc6c8ae0fe55fa
SSDEEP

6144:rOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:rFeq0F+PzcOLyWRsHA93/oswe

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+bhsmt.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/78573DAA2AFB23A 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/78573DAA2AFB23A 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/78573DAA2AFB23A If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/78573DAA2AFB23A 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/78573DAA2AFB23A http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/78573DAA2AFB23A http://yyre45dbvn2nhbefbmh.begumvelic.at/78573DAA2AFB23A Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/78573DAA2AFB23A

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/78573DAA2AFB23A

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/78573DAA2AFB23A

http://yyre45dbvn2nhbefbmh.begumvelic.at/78573DAA2AFB23A

http://xlowfznrg4wf7dli.ONION/78573DAA2AFB23A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exekwgbswhampgk.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	kwgbswhampgk.exe

Drops startup file 6 IoCs

Processes:

kwgbswhampgk.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+bhsmt.txt	kwgbswhampgk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+bhsmt.txt	kwgbswhampgk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe

Executes dropped EXE 2 IoCs

Processes:

kwgbswhampgk.exekwgbswhampgk.exe

pid	Process
1368	kwgbswhampgk.exe
1804	kwgbswhampgk.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kwgbswhampgk.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjhvqox = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\kwgbswhampgk.exe"	kwgbswhampgk.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exekwgbswhampgk.exe

description	pid	Process	procid_target
PID 4284 set thread context of 3080	4284	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	98
PID 1368 set thread context of 1804	1368	kwgbswhampgk.exe	103

Drops file in Program Files directory 64 IoCs

Processes:

kwgbswhampgk.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\View3d\_ReCoVeRy_+bhsmt.txt	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-64_contrast-white.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-64_contrast-white.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-100.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-24_altform-unplated.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\_ReCoVeRy_+bhsmt.txt	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square44x44Logo.scale-100.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_altform-unplated_contrast-white.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\kennethMarchand.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-black_scale-200.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\_ReCoVeRy_+bhsmt.txt	kwgbswhampgk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_SplashScreen.scale-100.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+bhsmt.txt	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-100.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\View3d\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-300.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-100.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-150.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-125.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\_ReCoVeRy_+bhsmt.txt	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerWideTile.contrast-white_scale-200.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Sounds\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-200_contrast-white.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\_ReCoVeRy_+bhsmt.txt	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\_ReCoVeRy_+bhsmt.txt	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sk.pak	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-200.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-64_altform-lightunplated.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en-gb\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-100.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.scale-125_contrast-white.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunMailBlurred.layoutdir-LTR.jpg	kwgbswhampgk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_ReCoVeRy_+bhsmt.txt	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7739_20x20x32.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\_ReCoVeRy_+bhsmt.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp8.scale-125.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_contrast-white.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-64.png	kwgbswhampgk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\_ReCoVeRy_+bhsmt.html	kwgbswhampgk.exe

Drops file in Windows directory 2 IoCs

Processes:

a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\kwgbswhampgk.exe	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe
File opened for modification	C:\Windows\kwgbswhampgk.exe	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exea8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exekwgbswhampgk.execmd.exekwgbswhampgk.exeNOTEPAD.EXEcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kwgbswhampgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kwgbswhampgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

kwgbswhampgk.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	kwgbswhampgk.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2256	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kwgbswhampgk.exe

pid	Process
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe
1804	kwgbswhampgk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exekwgbswhampgk.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	3080	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe
Token: SeDebugPrivilege	1804	kwgbswhampgk.exe
Token: SeIncreaseQuotaPrivilege	1980	WMIC.exe
Token: SeSecurityPrivilege	1980	WMIC.exe
Token: SeTakeOwnershipPrivilege	1980	WMIC.exe
Token: SeLoadDriverPrivilege	1980	WMIC.exe
Token: SeSystemProfilePrivilege	1980	WMIC.exe
Token: SeSystemtimePrivilege	1980	WMIC.exe
Token: SeProfSingleProcessPrivilege	1980	WMIC.exe
Token: SeIncBasePriorityPrivilege	1980	WMIC.exe
Token: SeCreatePagefilePrivilege	1980	WMIC.exe
Token: SeBackupPrivilege	1980	WMIC.exe
Token: SeRestorePrivilege	1980	WMIC.exe
Token: SeShutdownPrivilege	1980	WMIC.exe
Token: SeDebugPrivilege	1980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1980	WMIC.exe
Token: SeRemoteShutdownPrivilege	1980	WMIC.exe
Token: SeUndockPrivilege	1980	WMIC.exe
Token: SeManageVolumePrivilege	1980	WMIC.exe
Token: 33	1980	WMIC.exe
Token: 34	1980	WMIC.exe
Token: 35	1980	WMIC.exe
Token: 36	1980	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1980	WMIC.exe
Token: SeSecurityPrivilege	1980	WMIC.exe
Token: SeTakeOwnershipPrivilege	1980	WMIC.exe
Token: SeLoadDriverPrivilege	1980	WMIC.exe
Token: SeSystemProfilePrivilege	1980	WMIC.exe
Token: SeSystemtimePrivilege	1980	WMIC.exe
Token: SeProfSingleProcessPrivilege	1980	WMIC.exe
Token: SeIncBasePriorityPrivilege	1980	WMIC.exe
Token: SeCreatePagefilePrivilege	1980	WMIC.exe
Token: SeBackupPrivilege	1980	WMIC.exe
Token: SeRestorePrivilege	1980	WMIC.exe
Token: SeShutdownPrivilege	1980	WMIC.exe
Token: SeDebugPrivilege	1980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1980	WMIC.exe
Token: SeRemoteShutdownPrivilege	1980	WMIC.exe
Token: SeUndockPrivilege	1980	WMIC.exe
Token: SeManageVolumePrivilege	1980	WMIC.exe
Token: 33	1980	WMIC.exe
Token: 34	1980	WMIC.exe
Token: 35	1980	WMIC.exe
Token: 36	1980	WMIC.exe
Token: SeBackupPrivilege	4428	vssvc.exe
Token: SeRestorePrivilege	4428	vssvc.exe
Token: SeAuditPrivilege	4428	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1240	WMIC.exe
Token: SeSecurityPrivilege	1240	WMIC.exe
Token: SeTakeOwnershipPrivilege	1240	WMIC.exe
Token: SeLoadDriverPrivilege	1240	WMIC.exe
Token: SeSystemProfilePrivilege	1240	WMIC.exe
Token: SeSystemtimePrivilege	1240	WMIC.exe
Token: SeProfSingleProcessPrivilege	1240	WMIC.exe
Token: SeIncBasePriorityPrivilege	1240	WMIC.exe
Token: SeCreatePagefilePrivilege	1240	WMIC.exe
Token: SeBackupPrivilege	1240	WMIC.exe
Token: SeRestorePrivilege	1240	WMIC.exe
Token: SeShutdownPrivilege	1240	WMIC.exe
Token: SeDebugPrivilege	1240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1240	WMIC.exe
Token: SeRemoteShutdownPrivilege	1240	WMIC.exe
Token: SeUndockPrivilege	1240	WMIC.exe
Token: SeManageVolumePrivilege	1240	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exea8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exekwgbswhampgk.exekwgbswhampgk.exemsedge.exe

description	pid	Process	procid_target
PID 4284 wrote to memory of 3080	4284	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	98
PID 4284 wrote to memory of 3080	4284	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	98
PID 4284 wrote to memory of 3080	4284	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	98
PID 4284 wrote to memory of 3080	4284	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	98
PID 4284 wrote to memory of 3080	4284	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	98
PID 4284 wrote to memory of 3080	4284	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	98
PID 4284 wrote to memory of 3080	4284	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	98
PID 4284 wrote to memory of 3080	4284	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	98
PID 4284 wrote to memory of 3080	4284	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	98
PID 4284 wrote to memory of 3080	4284	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	98
PID 3080 wrote to memory of 1368	3080	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	99
PID 3080 wrote to memory of 1368	3080	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	99
PID 3080 wrote to memory of 1368	3080	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	99
PID 3080 wrote to memory of 3416	3080	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	100
PID 3080 wrote to memory of 3416	3080	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	100
PID 3080 wrote to memory of 3416	3080	a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe	100
PID 1368 wrote to memory of 1804	1368	kwgbswhampgk.exe	103
PID 1368 wrote to memory of 1804	1368	kwgbswhampgk.exe	103
PID 1368 wrote to memory of 1804	1368	kwgbswhampgk.exe	103
PID 1368 wrote to memory of 1804	1368	kwgbswhampgk.exe	103
PID 1368 wrote to memory of 1804	1368	kwgbswhampgk.exe	103
PID 1368 wrote to memory of 1804	1368	kwgbswhampgk.exe	103
PID 1368 wrote to memory of 1804	1368	kwgbswhampgk.exe	103
PID 1368 wrote to memory of 1804	1368	kwgbswhampgk.exe	103
PID 1368 wrote to memory of 1804	1368	kwgbswhampgk.exe	103
PID 1368 wrote to memory of 1804	1368	kwgbswhampgk.exe	103
PID 1804 wrote to memory of 1980	1804	kwgbswhampgk.exe	104
PID 1804 wrote to memory of 1980	1804	kwgbswhampgk.exe	104
PID 1804 wrote to memory of 2256	1804	kwgbswhampgk.exe	111
PID 1804 wrote to memory of 2256	1804	kwgbswhampgk.exe	111
PID 1804 wrote to memory of 2256	1804	kwgbswhampgk.exe	111
PID 1804 wrote to memory of 2920	1804	kwgbswhampgk.exe	112
PID 1804 wrote to memory of 2920	1804	kwgbswhampgk.exe	112
PID 2920 wrote to memory of 5068	2920	msedge.exe	113
PID 2920 wrote to memory of 5068	2920	msedge.exe	113
PID 1804 wrote to memory of 1240	1804	kwgbswhampgk.exe	114
PID 1804 wrote to memory of 1240	1804	kwgbswhampgk.exe	114
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117
PID 2920 wrote to memory of 64	2920	msedge.exe	117

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

kwgbswhampgk.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	kwgbswhampgk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	kwgbswhampgk.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a8e0b0186e5159aa8a772e8d4169d3f3_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\kwgbswhampgk.exe
    C:\Windows\kwgbswhampgk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\kwgbswhampgk.exe
      C:\Windows\kwgbswhampgk.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1804
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb40146f8,0x7ffeb4014708,0x7ffeb4014718
        6⤵
        
        PID:5068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,18443021825290824301,12441687301019351296,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        6⤵
        
        PID:64
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,18443021825290824301,12441687301019351296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        6⤵
        
        PID:4924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,18443021825290824301,12441687301019351296,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
        6⤵
        
        PID:4436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18443021825290824301,12441687301019351296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
        6⤵
        
        PID:3216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18443021825290824301,12441687301019351296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
        6⤵
        
        PID:1708
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,18443021825290824301,12441687301019351296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
        6⤵
        
        PID:4812
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,18443021825290824301,12441687301019351296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
        6⤵
        
        PID:4188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18443021825290824301,12441687301019351296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
        6⤵
        
        PID:2356
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18443021825290824301,12441687301019351296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
        6⤵
        
        PID:1980
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18443021825290824301,12441687301019351296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
        6⤵
        
        PID:2044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18443021825290824301,12441687301019351296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
        6⤵
        
        PID:3016
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KWGBSW~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A8E0B0~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+bhsmt.html

Filesize
12KB

MD5
c5f218a6c6b1409ac9ffec700dee2d23

SHA1
96e3a7bd15ebdbab8c40de3574d20ff69ccbf46b

SHA256
b3a57c79a62fbec304c350da5ff7a9921a3387446313489590363f0f538add8d

SHA512
3a16cf9f1abb6c4e3ac197214d7b8861535b859efb4bfd3ba0f8ca25ad1f3c021735a05b08670be127a44d2e6c21e05e9414d91655a800f3ae4bf92bce8707c6

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+bhsmt.png

Filesize
64KB

MD5
7449b9e21d90ef3c0f8e0b4762c670d2

SHA1
ce2b44a63a96ac3feab9432afdb59c3d04044547

SHA256
241b33d3db70dc5804c4ca1410bbe4dc9e1dfa8a9bac5445065e1b6820364238

SHA512
962eb5b13d25bd700fb86ad7c6c7850bd2d0fefcdbd80ddfffd1df9c16d25f1c10ed9a39b3e27d3aec2124ac538cf7840e5931bb82ad9e355ad829bd86857104

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+bhsmt.txt

Filesize
1KB

MD5
2705f4c1ade4d1264e88674ba6e2b6c7

SHA1
36984177e3318a88cb4bfc215924229b6345f9a5

SHA256
d89941bb1542268b0884ed92fd800705fd21e6adf7524e9ad8f92e6231676201

SHA512
587aa4400ef8657312aff37de633385e6a887796b1855b46efa34ebab42fbe2bfec7562ba5a5dde1f96ff0e136c82dd7d2c63d720b2dae3502ea8919d611c2e5

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
eb848036542ba5c74545736cfb81059d

SHA1
68eda12f5ff2520f79a296322322fa672a77b75a

SHA256
10919ccefaf92225738b87ecb67ad3554e94ccb24e80f0c9d43cd8421e88b872

SHA512
e8d3aadf9ef396eb7e05e51b71516dd5db8d80692d2314dfc109555b289101b449832ac7bd1255b612ad66ee29d224ab254624fe6e6f9db82b9b92cdfd3fb165

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
6da97533860506991d692f2d5f1cec52

SHA1
e4573ec0fb97e13aac6ac3f1259cfb357e766d83

SHA256
a951f33a0c8d39aecb3aadee74479ceb909062682f9b9dc1cd3a14623cfaea98

SHA512
03e92c2573c9e953d34af28b77d02332ce5ea66cfda8080c33e2f471d5362afaf7479ae8c1e89405bbe871da610f957dbd54808d06e7b26e11ee0afa934641e4

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
32dcaeef54d5f2ef902bd0d158a00e81

SHA1
8555ee7e85aa247bfbd389b6f52e38b741859078

SHA256
cfe08253a6675066434b3fa3766c068ab25b0ac28fef120326b46c770c6ef0e9

SHA512
b31175d8746683115f753431dd66b703127911300a0ba0a7df46f6ea33b449619005327fa93bc7a995580df079b22bb1396322193e90a58b8d59b42cc2a90c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
865e40565eea4d5b3cd0d838bb43c413

SHA1
d2a7a6b016e2fcbef8eafb623903e4425eac24b9

SHA256
3e6d1d92948f1f73c368d24d3e041a1aafcb17f018028b75a5678d38c096e07d

SHA512
b2ec7f27f576463c7d223c1568109e30253e9fe4d7ff658408f36a73e6b81be795e6f539dec768eca1fe2ea417bf1453f34fc93f81a98286846a9ee191e73b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64b1546b3d546909781886f706b476e4

SHA1
0971027968c9fbe46fc07870bc1a47056d9059b6

SHA256
f390c4fbfbfccf7ca92764a8269239836fe0ff057bb0d56bb7550364dbe95a57

SHA512
0cf5796be89555eeb01930c760a8f57fed2b7d849e379388cd45a688811d1d2b360bd2ed6b0d336485f3816e4b5fdc390224ef6c955f671e6d896c6e1ddd49f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6404741e5d5cb795cf821764f75f9420

SHA1
d4dcdd721a800a60dd9eedd433ad53268577e5b4

SHA256
fc3ef296e35b8ff370e489710d6f475ad60b9e00b93547f747ee7391713e721a

SHA512
90dd5a5c87bf3cdc4bc29296a4ef4988a1ad2de6844eeef9344d59d81e97a69f4e495ac8f46a5f63a281ad4f616000cd9102a66afc6db6e70310efed6f083cf8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt

Filesize
77KB

MD5
af0942ec94abe1d27777e6b6e7274380

SHA1
0d0183cbc24e02326b640d3b6c37fdaec55fc44f

SHA256
3412a2dcecd3817dea89fcad64de4e2d75d224adc3f09f8fb69553166da57883

SHA512
5af46b813d7955f7fef0bfeebb8fd7243b0743a344d2ec1269340d9d534ecab765196427b09fc859854b1d297da9738e60057e73e1174bcb1c1762ccf453362b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt

Filesize
47KB

MD5
df12edc03b88c09e87ab0218792d6083

SHA1
b4046fdf9d1b3e0eb42608ba90d89f7c525bd346

SHA256
26cb042175ef9043f25d9d3c89eb27fbcb33d353a28cfc66282da90ab0b5bbfa

SHA512
f670c1ba389ae28abe07ea7b4043857f82f550a408a505a99e63f88ba98b3eec8fed7249cf95a1cdaf564977882e29f52e97a8403e5adef508b1ac29779e5662

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt

Filesize
74KB

MD5
58c9d6b63f4d60941c62ed6caa5ab686

SHA1
6817ed67769aceb17db76f2cce41d2ebbf89c33f

SHA256
aec422e9558fafd3d8f0b183247c32eac2ff6c89c929225a3696165de9aa0cca

SHA512
5ba10126ce1869a68412d434142066f2bcaea4465b63eadc808d30cc965191ba20eb141b3878ee93e84be9275c81f336b6bf74df7a4549b3078aac2bfb333ee8

Download Submit
C:\Windows\kwgbswhampgk.exe

Filesize
356KB

MD5
a8e0b0186e5159aa8a772e8d4169d3f3

SHA1
7c1f0f6fc4fd2669717e632652ff8a99fb093e69

SHA256
1cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e

SHA512
01fa49ff7921b380f0390a1ba9c4beff61278685d9caabe188d84977b73fffe7ffe51360677fbaa0319c0e4d4387804c665a7671ad63e4f8a8bc6c8ae0fe55fa

Download Submit
\??\pipe\LOCAL\crashpad_2920_WWDAJEPOKBNHXMHM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1368-12-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1804-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-8441-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-2559-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-2560-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-5145-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-10809-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-263-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-10757-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-10758-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-10766-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-10767-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3080-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3080-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3080-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3080-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3080-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4284-0-0x00000000020E0000-0x00000000020E4000-memory.dmp

Filesize
16KB

Download
memory/4284-4-0x00000000020E0000-0x00000000020E4000-memory.dmp

Filesize
16KB

Download
memory/4284-1-0x00000000020E0000-0x00000000020E4000-memory.dmp

Filesize
16KB

Download