teslacrypt | b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29

Analysis

max time kernel
144s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
Size

376KB
MD5

b09aca00a8dcded70eeac6ec2b497e60
SHA1

9247ba9335b88b4fc1d8febed66e92e4aad8317c
SHA256

b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29
SHA512

f3c2a80cb592a721f454773f8aed5ba09b96641325effaa92821be9a3d80e99522100610c10ce9d4dd8ab97a60f182b9e9a3a7d1dd18505658858dcb30ccef02
SSDEEP

6144:J+lMnaN9yLmfyoZjcbxstF8cIxnTYI4LVmKJ7t2AQeRi:8TN9xyomFstF8conTCLVzTZRi

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+fnupy.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/B509733E5AD8F70 2. http://tes543berda73i48fsdfsd.keratadze.at/B509733E5AD8F70 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/B509733E5AD8F70 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/B509733E5AD8F70 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/B509733E5AD8F70 http://tes543berda73i48fsdfsd.keratadze.at/B509733E5AD8F70 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/B509733E5AD8F70 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/B509733E5AD8F70

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/B509733E5AD8F70

http://tes543berda73i48fsdfsd.keratadze.at/B509733E5AD8F70

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/B509733E5AD8F70

http://xlowfznrg4wf7dli.ONION/B509733E5AD8F70

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (853) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	vbwafspmwjpl.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+fnupy.txt	vbwafspmwjpl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+fnupy.html	vbwafspmwjpl.exe

Executes dropped EXE 2 IoCs

pid	Process
224	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wrqlixnmkleg = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\vbwafspmwjpl.exe\""	vbwafspmwjpl.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5016 set thread context of 2724	5016	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	98
PID 224 set thread context of 1072	224	vbwafspmwjpl.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\capture\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\Recovery+fnupy.txt	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-100.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Recovery+fnupy.txt	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-125_contrast-white.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-400_contrast-white.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-150.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\fonts\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\WinMetadata\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-30_altform-unplated_contrast-black.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.scale-200.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\Recovery+fnupy.txt	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-400_contrast-black.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-400.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\theme-light\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-150.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-unplated_contrast-white.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-fullcolor.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\Recovery+fnupy.txt	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-100.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\remixCTA_welcome.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\Recovery+fnupy.txt	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-100_contrast-black.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200_contrast-high.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\Recovery+fnupy.txt	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\Recovery+fnupy.txt	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_altform-unplated_contrast-white.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\Recovery+fnupy.txt	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\Recovery+fnupy.txt	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\MissingAlbumArt.jpg	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\Recovery+fnupy.txt	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1036\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\Recovery+fnupy.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalMedTile.scale-200_contrast-black.png	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\Recovery+fnupy.html	vbwafspmwjpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\2.jpg	vbwafspmwjpl.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\vbwafspmwjpl.exe	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
File opened for modification	C:\Windows\vbwafspmwjpl.exe	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbwafspmwjpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbwafspmwjpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	vbwafspmwjpl.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4848	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe
1072	vbwafspmwjpl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
Token: SeDebugPrivilege	1072	vbwafspmwjpl.exe
Token: SeIncreaseQuotaPrivilege	3032	WMIC.exe
Token: SeSecurityPrivilege	3032	WMIC.exe
Token: SeTakeOwnershipPrivilege	3032	WMIC.exe
Token: SeLoadDriverPrivilege	3032	WMIC.exe
Token: SeSystemProfilePrivilege	3032	WMIC.exe
Token: SeSystemtimePrivilege	3032	WMIC.exe
Token: SeProfSingleProcessPrivilege	3032	WMIC.exe
Token: SeIncBasePriorityPrivilege	3032	WMIC.exe
Token: SeCreatePagefilePrivilege	3032	WMIC.exe
Token: SeBackupPrivilege	3032	WMIC.exe
Token: SeRestorePrivilege	3032	WMIC.exe
Token: SeShutdownPrivilege	3032	WMIC.exe
Token: SeDebugPrivilege	3032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3032	WMIC.exe
Token: SeRemoteShutdownPrivilege	3032	WMIC.exe
Token: SeUndockPrivilege	3032	WMIC.exe
Token: SeManageVolumePrivilege	3032	WMIC.exe
Token: 33	3032	WMIC.exe
Token: 34	3032	WMIC.exe
Token: 35	3032	WMIC.exe
Token: 36	3032	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3032	WMIC.exe
Token: SeSecurityPrivilege	3032	WMIC.exe
Token: SeTakeOwnershipPrivilege	3032	WMIC.exe
Token: SeLoadDriverPrivilege	3032	WMIC.exe
Token: SeSystemProfilePrivilege	3032	WMIC.exe
Token: SeSystemtimePrivilege	3032	WMIC.exe
Token: SeProfSingleProcessPrivilege	3032	WMIC.exe
Token: SeIncBasePriorityPrivilege	3032	WMIC.exe
Token: SeCreatePagefilePrivilege	3032	WMIC.exe
Token: SeBackupPrivilege	3032	WMIC.exe
Token: SeRestorePrivilege	3032	WMIC.exe
Token: SeShutdownPrivilege	3032	WMIC.exe
Token: SeDebugPrivilege	3032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3032	WMIC.exe
Token: SeRemoteShutdownPrivilege	3032	WMIC.exe
Token: SeUndockPrivilege	3032	WMIC.exe
Token: SeManageVolumePrivilege	3032	WMIC.exe
Token: 33	3032	WMIC.exe
Token: 34	3032	WMIC.exe
Token: 35	3032	WMIC.exe
Token: 36	3032	WMIC.exe
Token: SeBackupPrivilege	4232	vssvc.exe
Token: SeRestorePrivilege	4232	vssvc.exe
Token: SeAuditPrivilege	4232	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4040	WMIC.exe
Token: SeSecurityPrivilege	4040	WMIC.exe
Token: SeTakeOwnershipPrivilege	4040	WMIC.exe
Token: SeLoadDriverPrivilege	4040	WMIC.exe
Token: SeSystemProfilePrivilege	4040	WMIC.exe
Token: SeSystemtimePrivilege	4040	WMIC.exe
Token: SeProfSingleProcessPrivilege	4040	WMIC.exe
Token: SeIncBasePriorityPrivilege	4040	WMIC.exe
Token: SeCreatePagefilePrivilege	4040	WMIC.exe
Token: SeBackupPrivilege	4040	WMIC.exe
Token: SeRestorePrivilege	4040	WMIC.exe
Token: SeShutdownPrivilege	4040	WMIC.exe
Token: SeDebugPrivilege	4040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4040	WMIC.exe
Token: SeRemoteShutdownPrivilege	4040	WMIC.exe
Token: SeUndockPrivilege	4040	WMIC.exe
Token: SeManageVolumePrivilege	4040	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 2724	5016	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	98
PID 5016 wrote to memory of 2724	5016	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	98
PID 5016 wrote to memory of 2724	5016	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	98
PID 5016 wrote to memory of 2724	5016	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	98
PID 5016 wrote to memory of 2724	5016	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	98
PID 5016 wrote to memory of 2724	5016	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	98
PID 5016 wrote to memory of 2724	5016	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	98
PID 5016 wrote to memory of 2724	5016	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	98
PID 5016 wrote to memory of 2724	5016	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	98
PID 5016 wrote to memory of 2724	5016	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	98
PID 2724 wrote to memory of 224	2724	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	99
PID 2724 wrote to memory of 224	2724	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	99
PID 2724 wrote to memory of 224	2724	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	99
PID 2724 wrote to memory of 628	2724	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	100
PID 2724 wrote to memory of 628	2724	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	100
PID 2724 wrote to memory of 628	2724	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	100
PID 224 wrote to memory of 1072	224	vbwafspmwjpl.exe	103
PID 224 wrote to memory of 1072	224	vbwafspmwjpl.exe	103
PID 224 wrote to memory of 1072	224	vbwafspmwjpl.exe	103
PID 224 wrote to memory of 1072	224	vbwafspmwjpl.exe	103
PID 224 wrote to memory of 1072	224	vbwafspmwjpl.exe	103
PID 224 wrote to memory of 1072	224	vbwafspmwjpl.exe	103
PID 224 wrote to memory of 1072	224	vbwafspmwjpl.exe	103
PID 224 wrote to memory of 1072	224	vbwafspmwjpl.exe	103
PID 224 wrote to memory of 1072	224	vbwafspmwjpl.exe	103
PID 224 wrote to memory of 1072	224	vbwafspmwjpl.exe	103
PID 1072 wrote to memory of 3032	1072	vbwafspmwjpl.exe	104
PID 1072 wrote to memory of 3032	1072	vbwafspmwjpl.exe	104
PID 1072 wrote to memory of 4848	1072	vbwafspmwjpl.exe	110
PID 1072 wrote to memory of 4848	1072	vbwafspmwjpl.exe	110
PID 1072 wrote to memory of 4848	1072	vbwafspmwjpl.exe	110
PID 1072 wrote to memory of 2812	1072	vbwafspmwjpl.exe	111
PID 1072 wrote to memory of 2812	1072	vbwafspmwjpl.exe	111
PID 2812 wrote to memory of 888	2812	msedge.exe	112
PID 2812 wrote to memory of 888	2812	msedge.exe	112
PID 1072 wrote to memory of 4040	1072	vbwafspmwjpl.exe	113
PID 1072 wrote to memory of 4040	1072	vbwafspmwjpl.exe	113
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116
PID 2812 wrote to memory of 3732	2812	msedge.exe	116

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vbwafspmwjpl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vbwafspmwjpl.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\vbwafspmwjpl.exe
    C:\Windows\vbwafspmwjpl.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\vbwafspmwjpl.exe
      C:\Windows\vbwafspmwjpl.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1072
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:4848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd511346f8,0x7ffd51134708,0x7ffd51134718
        6⤵
        
        PID:888
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7648881901407228082,10692639652485597748,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        6⤵
        
        PID:3732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7648881901407228082,10692639652485597748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        6⤵
        
        PID:4500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,7648881901407228082,10692639652485597748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
        6⤵
        
        PID:2252
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7648881901407228082,10692639652485597748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
        6⤵
        
        PID:1432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7648881901407228082,10692639652485597748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:1
        6⤵
        
        PID:444
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7648881901407228082,10692639652485597748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
        6⤵
        
        PID:3884
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7648881901407228082,10692639652485597748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
        6⤵
        
        PID:4560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7648881901407228082,10692639652485597748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
        6⤵
        
        PID:4660
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7648881901407228082,10692639652485597748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
        6⤵
        
        PID:1824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7648881901407228082,10692639652485597748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
        6⤵
        
        PID:3128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7648881901407228082,10692639652485597748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
        6⤵
        
        PID:4120
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VBWAFS~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B09ACA~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+fnupy.html

Filesize
11KB

MD5
9315e5ab05dad34319d12f4851840b52

SHA1
5f5a32a8832471cd0048943d1765d7f0647886b5

SHA256
325077c3b66c5f68fd8c09cd13b082d6e98efb6cd07677fad939c7d24a81f13e

SHA512
411e3244e140586e0944780d530be8820966fe662fb72d80444c7480f55e665dc0eb9a883c234ab8747f893f1533f6a6a9b288dd41705095b872e580e451b22c

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+fnupy.png

Filesize
64KB

MD5
361e06c3033477f1b27234e2937e0d9b

SHA1
f5b3dea80a5840bff1722b2a91b87893b7471c98

SHA256
43e735618ddfdcb14a183dcd2bf4098a50dfcf7b8641a1fe62f162f06f89a17a

SHA512
d7503d1a27aa4c0b7673cd61a3648743f7712315c25b996315e5281621ac16e66817d9b1f16684221a754662f9bb440c98ebec86f488321cb5dd64064762e223

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+fnupy.txt

Filesize
1KB

MD5
e8f2ef5d850ebb1e5946128348de7869

SHA1
2b7cfc28dfb290f7ca16d4dd54dcdca9db1b54fb

SHA256
1e32d37afc75c8a3cd28e0da82f8a5c49a437df92bc49ae1d742f3083560ed11

SHA512
5d29cfa45b9ddcfd31f31cd2a2de8c30c0c2e3f938d1bc613d952e4a8a078d2b097f75edaa4ad6f9b8baba4e33ea7d760208f5b9fdc5f6493cf837c9a91e062c

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
6f0f2bef95b69db94bd4cd625d81d384

SHA1
770d3b6d049f0bb89eae8af9d296db64f82c2c79

SHA256
4eb12485fa69b4cfb884bc5d16db13c4122710c30557b8498c7fc17b4937da12

SHA512
ae0ac3fa09b5813c6a6c5e24763d14bddfb45c3b38029dc7e0bb2e18fde0cb463d46cd75e568e7144f5ec650703758a3ab35a9014e138e352eb5144ce50b8adf

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
7c86a9221c43e86843bce13f1b6c4c31

SHA1
205abe2fb9cec3f2522d24e2271ef439f89c47f2

SHA256
01e0326c936d1cecabec6977ae64d3835b53923c4b2b3326e91b219aa8021c89

SHA512
78fa81487a3857853bb9b90aacd868eaa159b863f94cde14a134605204c9e7a4c47818635a36c67f70ea5a0ac0d3f633043018f25d11dd15000c3517a73ffec6

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
cb4ed55cf7f89183ea97deb7250478b6

SHA1
6807a8defda3d7b494a42f4dcaf7b43ea80e8e0a

SHA256
f02cd5c8304a1afa03244527e2745c2eb9d7eca963af8359ba05f98bf41a5a3e

SHA512
e3ef9bfadbfb63c8607509e3fca6c222fd397d350505384da0972a56570caf824b9ac68bc59a1d0ae1374f240c480f93f8bbaea7d81d7fed415f45cda50a3cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
86c75a8492e4bfce6788a0a933f88817

SHA1
fc5948cafe8fcd157ea88a75efdd65864ae395d1

SHA256
05d5eda6cac9a169ad3b7813d2b4b67761c5f9f567ef7b99d2fd0df438a0a0e8

SHA512
0db6e9cd29af94195183f9fe776e2c64b36abf95962ebb70479fb727141845bab8f4a083699955e88c90ecf01a10a55034ee50f51a317d3dd3a0573bf3777448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7b37fcb6195dfde087e1d3f413ff71c8

SHA1
72a2d4ade4391842e9e303f1d463b7f35cc48f89

SHA256
547b850deadc7d50d28b3a23c7d3cbedccdfb75c0fde1b4e6b15e53be07e8e59

SHA512
272a393f1d150f62e6e292b51e6d9ae4b84de68ddbdd9199e77673ed36986a913fe8f672b7abee8f43d8c33f9adba532b7ee2a9cfef547e6f7cb58892e149685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cdc625abb82d4acddf4aa855dec72d5a

SHA1
8682ff8454e8f18072aacd91cd7e32d6e035aa25

SHA256
8d412f32f08b6686826eb432df9ffb7d3e78e22236cf852389b7c418dc9e2bee

SHA512
fed1b7fad0392b1c293bf62a27805cf1e04e97cb56705bef330bdfea934a55d02dcd085d0f423999045036a387427eb8a7f281efba0581f75c194e7bf7fadb74

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656298443196.txt

Filesize
77KB

MD5
06595c2deab82e085f2833cb608e5dfe

SHA1
9dba9365cb41c0c17189394c1d714732db0275f1

SHA256
f0a66f17e2be780bf1d5f183fdd3969edb7fec3e1d136ef41e1a04bbd253c222

SHA512
930c272968b040ee655445a1ac9327f7e80c4c5c9fc09a698ad6473a59cdb62ae708bba0400b36c5155145dd71a726f4a3f07258ef6726235ca2d01c50692f1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657999741523.txt

Filesize
47KB

MD5
7358dff6ac70d848a7bf29c0a9851e78

SHA1
e5a7f809258a960e6bc0d260fa4175fd16f0ecdb

SHA256
5a3a75cfee37e0927f7efea9ba2b40e8afd232937f6e4783da3650d5c1ec491c

SHA512
39370fd77386772be06b8c00aaeb6c64d4cba3d25cf3abe9a89ddb9234817d9224b812dfb8bb0372a0f813eb679a8cfa87f9e15706965500c0094d193a7d0bac

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666039184869.txt

Filesize
74KB

MD5
549b9375396bf69343d3280ca7791d9f

SHA1
24e3960fac8dd68a5f168805ad86eb76a4bd59bd

SHA256
ab92573aff17e7ef486b17e0f31ba0567f37795614fe4b314f7601fd25bc668d

SHA512
fd4448d722e23988653625639953a156b505d2308c392564a56d1a524811affe24ede337a9197c6b00958431614a8af2ddeba732222931b7d2ccd2f96795afb0

Download Submit
C:\Windows\vbwafspmwjpl.exe

Filesize
376KB

MD5
b09aca00a8dcded70eeac6ec2b497e60

SHA1
9247ba9335b88b4fc1d8febed66e92e4aad8317c

SHA256
b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29

SHA512
f3c2a80cb592a721f454773f8aed5ba09b96641325effaa92821be9a3d80e99522100610c10ce9d4dd8ab97a60f182b9e9a3a7d1dd18505658858dcb30ccef02

Download Submit
memory/224-12-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/1072-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-9050-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-2743-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-2744-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-5442-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-10504-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-599-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-10452-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-10453-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-10461-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1072-10462-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2724-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2724-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2724-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2724-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2724-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5016-6-0x00000000029E0000-0x00000000029E3000-memory.dmp

Filesize
12KB

Download
memory/5016-0-0x00000000029E0000-0x00000000029E3000-memory.dmp

Filesize
12KB

Download
memory/5016-1-0x00000000029E0000-0x00000000029E3000-memory.dmp

Filesize
12KB

Download