teslacrypt | ee5c846448eddad058793075600dc9926997b62a3a8d56432a6c059e9b1363fc

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe
Size

360KB
MD5

d3d85f14ecf91860db6d7e8bd7d48430
SHA1

faf1f9843c253b06b9dfabf7a9e5d365e60094ca
SHA256

ee5c846448eddad058793075600dc9926997b62a3a8d56432a6c059e9b1363fc
SHA512

16796001fd2fe9001c5d5eb8b077907a9d2bd975de7162c78da3e688c7588532268b18b220e60674c59890a3d4e55cbbbadda08d7ded0c19025be9c2ca6b5448
SSDEEP

6144:oDDhiP9TRiDh3pVFEy46iYxtLgVbYYwGaUMMJZmzAlxoYmEk5eyL/YsZQf6lMenT:uk19iDhZV2yWYxtLg+Y4MJZRGf5J7Ysf

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+ybexi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D2EE82B346A7395 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D2EE82B346A7395 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/D2EE82B346A7395 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/D2EE82B346A7395 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D2EE82B346A7395 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D2EE82B346A7395 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/D2EE82B346A7395 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/D2EE82B346A7395

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D2EE82B346A7395

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D2EE82B346A7395

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/D2EE82B346A7395

http://xlowfznrg4wf7dli.ONION/D2EE82B346A7395

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (887) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	vjixiecmbteb.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ybexi.txt	vjixiecmbteb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ybexi.txt	vjixiecmbteb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ybexi.png	vjixiecmbteb.exe

Executes dropped EXE 2 IoCs

pid	Process
4400	vjixiecmbteb.exe
3796	vjixiecmbteb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhdaxifoqamt = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\vjixiecmbteb.exe\""	vjixiecmbteb.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4444 set thread context of 992	4444	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	98
PID 4400 set thread context of 3796	4400	vjixiecmbteb.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-125.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\LargeTile.scale-200.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleSplashScreen.scale-125.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\_RECoVERY_+ybexi.txt	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\IsoRight.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+ybexi.txt	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-32_altform-unplated.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-16.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-250.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-400.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-150_contrast-black.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\_RECoVERY_+ybexi.txt	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-125.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+ybexi.txt	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-100.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-150_contrast-white.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare71x71Logo.scale-100_contrast-white.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\View3d\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-125.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-150.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-unplated.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+ybexi.txt	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\RunningLate.scale-80.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\157.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-unplated.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-TW\View3d\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-250.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W6.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-lightunplated.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\_RECoVERY_+ybexi.txt	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\Magic_Select_add_tool.mp4	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-30_altform-unplated.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\_RECoVERY_+ybexi.txt	vjixiecmbteb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-lightunplated.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+ybexi.html	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_RECoVERY_+ybexi.txt	vjixiecmbteb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\_RECoVERY_+ybexi.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-40.png	vjixiecmbteb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\_RECoVERY_+ybexi.html	vjixiecmbteb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\vjixiecmbteb.exe	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe
File opened for modification	C:\Windows\vjixiecmbteb.exe	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vjixiecmbteb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vjixiecmbteb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	vjixiecmbteb.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2256	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe
3796	vjixiecmbteb.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe
Token: SeDebugPrivilege	3796	vjixiecmbteb.exe
Token: SeIncreaseQuotaPrivilege	3228	WMIC.exe
Token: SeSecurityPrivilege	3228	WMIC.exe
Token: SeTakeOwnershipPrivilege	3228	WMIC.exe
Token: SeLoadDriverPrivilege	3228	WMIC.exe
Token: SeSystemProfilePrivilege	3228	WMIC.exe
Token: SeSystemtimePrivilege	3228	WMIC.exe
Token: SeProfSingleProcessPrivilege	3228	WMIC.exe
Token: SeIncBasePriorityPrivilege	3228	WMIC.exe
Token: SeCreatePagefilePrivilege	3228	WMIC.exe
Token: SeBackupPrivilege	3228	WMIC.exe
Token: SeRestorePrivilege	3228	WMIC.exe
Token: SeShutdownPrivilege	3228	WMIC.exe
Token: SeDebugPrivilege	3228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3228	WMIC.exe
Token: SeRemoteShutdownPrivilege	3228	WMIC.exe
Token: SeUndockPrivilege	3228	WMIC.exe
Token: SeManageVolumePrivilege	3228	WMIC.exe
Token: 33	3228	WMIC.exe
Token: 34	3228	WMIC.exe
Token: 35	3228	WMIC.exe
Token: 36	3228	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3228	WMIC.exe
Token: SeSecurityPrivilege	3228	WMIC.exe
Token: SeTakeOwnershipPrivilege	3228	WMIC.exe
Token: SeLoadDriverPrivilege	3228	WMIC.exe
Token: SeSystemProfilePrivilege	3228	WMIC.exe
Token: SeSystemtimePrivilege	3228	WMIC.exe
Token: SeProfSingleProcessPrivilege	3228	WMIC.exe
Token: SeIncBasePriorityPrivilege	3228	WMIC.exe
Token: SeCreatePagefilePrivilege	3228	WMIC.exe
Token: SeBackupPrivilege	3228	WMIC.exe
Token: SeRestorePrivilege	3228	WMIC.exe
Token: SeShutdownPrivilege	3228	WMIC.exe
Token: SeDebugPrivilege	3228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3228	WMIC.exe
Token: SeRemoteShutdownPrivilege	3228	WMIC.exe
Token: SeUndockPrivilege	3228	WMIC.exe
Token: SeManageVolumePrivilege	3228	WMIC.exe
Token: 33	3228	WMIC.exe
Token: 34	3228	WMIC.exe
Token: 35	3228	WMIC.exe
Token: 36	3228	WMIC.exe
Token: SeBackupPrivilege	3524	vssvc.exe
Token: SeRestorePrivilege	3524	vssvc.exe
Token: SeAuditPrivilege	3524	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4468	WMIC.exe
Token: SeSecurityPrivilege	4468	WMIC.exe
Token: SeTakeOwnershipPrivilege	4468	WMIC.exe
Token: SeLoadDriverPrivilege	4468	WMIC.exe
Token: SeSystemProfilePrivilege	4468	WMIC.exe
Token: SeSystemtimePrivilege	4468	WMIC.exe
Token: SeProfSingleProcessPrivilege	4468	WMIC.exe
Token: SeIncBasePriorityPrivilege	4468	WMIC.exe
Token: SeCreatePagefilePrivilege	4468	WMIC.exe
Token: SeBackupPrivilege	4468	WMIC.exe
Token: SeRestorePrivilege	4468	WMIC.exe
Token: SeShutdownPrivilege	4468	WMIC.exe
Token: SeDebugPrivilege	4468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4468	WMIC.exe
Token: SeRemoteShutdownPrivilege	4468	WMIC.exe
Token: SeUndockPrivilege	4468	WMIC.exe
Token: SeManageVolumePrivilege	4468	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 992	4444	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	98
PID 4444 wrote to memory of 992	4444	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	98
PID 4444 wrote to memory of 992	4444	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	98
PID 4444 wrote to memory of 992	4444	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	98
PID 4444 wrote to memory of 992	4444	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	98
PID 4444 wrote to memory of 992	4444	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	98
PID 4444 wrote to memory of 992	4444	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	98
PID 4444 wrote to memory of 992	4444	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	98
PID 4444 wrote to memory of 992	4444	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	98
PID 992 wrote to memory of 4400	992	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	99
PID 992 wrote to memory of 4400	992	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	99
PID 992 wrote to memory of 4400	992	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	99
PID 992 wrote to memory of 2908	992	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	100
PID 992 wrote to memory of 2908	992	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	100
PID 992 wrote to memory of 2908	992	d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe	100
PID 4400 wrote to memory of 3796	4400	vjixiecmbteb.exe	103
PID 4400 wrote to memory of 3796	4400	vjixiecmbteb.exe	103
PID 4400 wrote to memory of 3796	4400	vjixiecmbteb.exe	103
PID 4400 wrote to memory of 3796	4400	vjixiecmbteb.exe	103
PID 4400 wrote to memory of 3796	4400	vjixiecmbteb.exe	103
PID 4400 wrote to memory of 3796	4400	vjixiecmbteb.exe	103
PID 4400 wrote to memory of 3796	4400	vjixiecmbteb.exe	103
PID 4400 wrote to memory of 3796	4400	vjixiecmbteb.exe	103
PID 4400 wrote to memory of 3796	4400	vjixiecmbteb.exe	103
PID 3796 wrote to memory of 3228	3796	vjixiecmbteb.exe	104
PID 3796 wrote to memory of 3228	3796	vjixiecmbteb.exe	104
PID 3796 wrote to memory of 2256	3796	vjixiecmbteb.exe	111
PID 3796 wrote to memory of 2256	3796	vjixiecmbteb.exe	111
PID 3796 wrote to memory of 2256	3796	vjixiecmbteb.exe	111
PID 3796 wrote to memory of 1128	3796	vjixiecmbteb.exe	112
PID 3796 wrote to memory of 1128	3796	vjixiecmbteb.exe	112
PID 1128 wrote to memory of 2984	1128	msedge.exe	113
PID 1128 wrote to memory of 2984	1128	msedge.exe	113
PID 3796 wrote to memory of 4468	3796	vjixiecmbteb.exe	114
PID 3796 wrote to memory of 4468	3796	vjixiecmbteb.exe	114
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117
PID 1128 wrote to memory of 3576	1128	msedge.exe	117

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vjixiecmbteb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vjixiecmbteb.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d3d85f14ecf91860db6d7e8bd7d48430_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\vjixiecmbteb.exe
    C:\Windows\vjixiecmbteb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\vjixiecmbteb.exe
      C:\Windows\vjixiecmbteb.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3796
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffcd8f546f8,0x7ffcd8f54708,0x7ffcd8f54718
        6⤵
        
        PID:2984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,16625294183539143501,12276841595032344440,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
        6⤵
        
        PID:3576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,16625294183539143501,12276841595032344440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
        6⤵
        
        PID:736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,16625294183539143501,12276841595032344440,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
        6⤵
        
        PID:4996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16625294183539143501,12276841595032344440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        6⤵
        
        PID:208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16625294183539143501,12276841595032344440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        6⤵
        
        PID:284
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,16625294183539143501,12276841595032344440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
        6⤵
        
        PID:2844
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,16625294183539143501,12276841595032344440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
        6⤵
        
        PID:708
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16625294183539143501,12276841595032344440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
        6⤵
        
        PID:4728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16625294183539143501,12276841595032344440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
        6⤵
        
        PID:1884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16625294183539143501,12276841595032344440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
        6⤵
        
        PID:4928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16625294183539143501,12276841595032344440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
        6⤵
        
        PID:2868
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VJIXIE~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D3D85F~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+ybexi.html

Filesize
11KB

MD5
d5ef0117b9987f0e747889420d946a22

SHA1
df2e256e00fcb774dceeb83bf6bc5c86eec11061

SHA256
c963371efd73e40542de9823d7e8131810aa6055766c321b2b30d8d830efa772

SHA512
44a48f5fbe25211c2bdf276fcc85a9e562d8852c79aefc8b1c3647e37df68333a4c01c283e2622c3bb8ec8460837dd690670928e4bf91dcb3df4ee8f331787cc

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+ybexi.png

Filesize
64KB

MD5
1259063cbde26bfad8f4d10deb96f489

SHA1
245620141687e1cf031e66a4b4d48595a762c71e

SHA256
a96517f7eda2264348e575b9d69c675c2c8317b5c494c6146f0f8cb884dc2ee0

SHA512
f5a84cd14c2d979ebe8ff345afeb076bdc1a7eb91ca7c1d3b20278880202e00418bb28177ff19b3f9ac28f706c514b8e7a9c529a759fcf58e7aae937f79fad80

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+ybexi.txt

Filesize
1KB

MD5
3ac519a68713f25297bc36979513ff41

SHA1
e43eddc75b41bad487d4838d9df69b2b81cd9b6b

SHA256
bdfd53f762dad82c04ac38d8f56e0989e33d07708d19b24a7685a5e5d88e3c39

SHA512
771043b28f9d03d7c86386248fc34f271c4134642a4d2c994d70f0e381e68fa8c7aa138bf10f4f1c7d49d3034fa643d225ddb4a5d6bc0da6ae59111b71664d08

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
088f7352bcd5aff5b197c383a2c347e2

SHA1
6e84885d485c76a77e8a5bc96cf88e96d31b040f

SHA256
0d28f75f724b24a4b94e31a0959cb54409f693eff6dcdecbb0e328567c9b900a

SHA512
5dcef17398b27db2466dd0e20684eaa34bdc758ee83425014e0921b1341d907ba11ac7255e023952b60a1fca9165bb270dae2312dc47610a71413a35af2e61b8

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
3f31f4302f36d966e4aacae389173975

SHA1
debe287bf5d5b8c07c7408c9e8dda33ebcdc74c5

SHA256
2d91af6c9d55aca8114835eb72b283f14453917819b3c164e7f5236f24b05c09

SHA512
f5f82d5a78bc0f2780349f9f3ac290c2dcc7c543a297b28febf507116ff7dabc38d1542e52e83172b1103168aab2b57833efbfd784ed408dd053ce4b78c87cc5

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
a2701d7c1a702b4f4282a429f6ef3c6d

SHA1
1fc37ce3b68810ecbae9197b65fbbf72a136ab33

SHA256
6c0a96e8f6ba0ac41bddb3fb5b8691e10ae28dbcd20348853890f5d994a0ffaf

SHA512
7d5843cfa253ed035751aa3b6c0c3f0571182f6e99746439e04135db9173a6fb8712e0964c33b4f889fe415594772868fae308d2df75affe7c5b105e4609a888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e331504a70e9ea4eaa5112489adbc42a

SHA1
2dd8eccae6d8339a36a07b138386319f29533210

SHA256
b5027356de48162d6016837af57b970ee7fdaf1a10a5d9c702c2ae6d2755b70e

SHA512
d91f6577748aae19b246addce0357fb4d73ed388c306352c361973ba8efb2519da4c34901ac5ddd05362fb2790375c1d2a96d58fb88bf2c97a67d7fa0e90350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2fccc6a692352c59ee92ea4da87d1a42

SHA1
a26b12a6a13526cf95e429c174bed4a7a1ed1e36

SHA256
d2316e82594c4939d0f60c11155163078f94cdfae14765a2a3619544e300816c

SHA512
395014e624f0a3b9b319e2fb2806fcb4f6ad19aee393dca288a1f5dd03a501cb2acbce44a0d9b7d6dc309cb891f02fe54cd0745e5ecbdac1f9c34c6f49fcc23f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6bb1f5daa110d49cdf99955fe21a5b4a

SHA1
6a8837fe66d5a2ef58bfb15c6962bed399f077d4

SHA256
9984e25c63e001ddf5f85dbb0d3364f8ff3cceac1ebe7df93eeb68058c41fb97

SHA512
a59c6f3f281b9ff72acfe19bdd9a1d45f6af6b1aa144f991d89c42ef989038fc75c92009df17f97d671ea9aded5a25b137859a5bd8c29b5f1abbaecb46d56668

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656298443196.txt

Filesize
77KB

MD5
b87b28367807cb80fdd7fa9f8c192192

SHA1
27a37c063e9c392d01efa416db79c0f60025af77

SHA256
be1e10e4961f9b6efc3b5c7331305285fbe97003c5d6c6c12ef1fd20ea594611

SHA512
baab6a02a1b1d1571a1ae51b1c29b39e62db88da17297f680d50afb90aa0975d95f1f1de8dd5cd58034524aff31cc3f927abba436f5237c78b69fe72ce18e2b1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657999741523.txt

Filesize
47KB

MD5
0ea018b3303b01985194cb176580dfa8

SHA1
093587744b830d47b943de3e8013f67c443e21fb

SHA256
24c39b98d26b9a62530c9ec474c67e47101f693747dcb400825af45be9563a8d

SHA512
4a361ca8aa3c0c7ce6d9189074cc586fa91ffc4c803b51b791295bb29f64820c20924293cba08d4bf7f4597950a8e7aa3d4c983a85b9e80b8b01adc022921f3b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666039184869.txt

Filesize
74KB

MD5
10115554f6b52e7a5083c298c7c9f8da

SHA1
ada96c9a001613d2fea7649fb0999276df00bb7d

SHA256
35abea60cde23daabf07790abad7dd9a8fc501e9057a9e81839d85f249d751f9

SHA512
9a3c6b425f70dfdaaf3bd98e7b14b43aed286a7da52cc00470cfb8827a4fa6f2f1f9c3bc046b05e88467be57fb74f3db5520f012fcb6e8fa8ec1ff48aaf6138c

Download Submit
C:\Windows\vjixiecmbteb.exe

Filesize
360KB

MD5
d3d85f14ecf91860db6d7e8bd7d48430

SHA1
faf1f9843c253b06b9dfabf7a9e5d365e60094ca

SHA256
ee5c846448eddad058793075600dc9926997b62a3a8d56432a6c059e9b1363fc

SHA512
16796001fd2fe9001c5d5eb8b077907a9d2bd975de7162c78da3e688c7588532268b18b220e60674c59890a3d4e55cbbbadda08d7ded0c19025be9c2ca6b5448

Download Submit
memory/992-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/992-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/992-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/992-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/992-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-10560-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-2604-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-5209-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-917-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-8650-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-10559-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-2597-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-10568-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-10570-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3796-10611-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4400-12-0x0000000000400000-0x0000000000871000-memory.dmp

Filesize
4.4MB

Download
memory/4444-0-0x00000000025C0000-0x00000000025C3000-memory.dmp

Filesize
12KB

Download
memory/4444-3-0x00000000025C0000-0x00000000025C3000-memory.dmp

Filesize
12KB

Download
memory/4444-1-0x00000000025C0000-0x00000000025C3000-memory.dmp

Filesize
12KB

Download