teslacrypt | 2d8e7d0a895c13a1d012b25b069a528481cd0d3c91b74689c61299f3b5a55232

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
Size

340KB
MD5

d35c98321d2f87f089b7d5c26174a10b
SHA1

2d7f432514ba316ecec7a8f372d0a75cb32f8fc0
SHA256

2d8e7d0a895c13a1d012b25b069a528481cd0d3c91b74689c61299f3b5a55232
SHA512

a467e624af472a2dc240dc325bef21b4dd435315dd765e9afd6f4134bd1c2482d23072e2057cc9ef60e9aad9107f6985bdacde3c92f0d68601b44ebf9990c40d
SSDEEP

6144:DrHbGlBfoXKBA4pOoGf75hK7d/X/CMmm/2ikfOmvA2CxjSJgE0ToC8uUsYEF7u2K:f7GliXAOJf75YtPhxd3dRMkz8rG4

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+rooqs.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C1B4B0727CCC24D 2. http://tes543berda73i48fsdfsd.keratadze.at/C1B4B0727CCC24D 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C1B4B0727CCC24D If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/C1B4B0727CCC24D 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C1B4B0727CCC24D http://tes543berda73i48fsdfsd.keratadze.at/C1B4B0727CCC24D http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C1B4B0727CCC24D *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/C1B4B0727CCC24D

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C1B4B0727CCC24D

http://tes543berda73i48fsdfsd.keratadze.at/C1B4B0727CCC24D

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C1B4B0727CCC24D

http://xlowfznrg4wf7dli.ONION/C1B4B0727CCC24D

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (869) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	gjfqalpicdxg.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+rooqs.html	gjfqalpicdxg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+rooqs.html	gjfqalpicdxg.exe

Executes dropped EXE 2 IoCs

pid	Process
4140	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhcxdxgdfnke = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\gjfqalpicdxg.exe\""	gjfqalpicdxg.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3088 set thread context of 4300	3088	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	98
PID 4140 set thread context of 3200	4140	gjfqalpicdxg.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-125.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Fonts\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-30_altform-unplated.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-fullcolor.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-150.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\refresh_16x16x32.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-100.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-200.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\View3d\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-200.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\Recovery+rooqs.html	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\Recovery+rooqs.html	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LargeTile.scale-125_contrast-black.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\Recovery+rooqs.html	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\MedTile.scale-125.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\microsoft.system.package.metadata\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-150.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteLargeTile.scale-100.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-100.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FlagToastQuickAction.scale-80.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Deleted\Recovery+rooqs.html	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\Recovery+rooqs.html	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-200.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-20.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-200.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80_altform-unplated.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+rooqs.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-30_altform-unplated_contrast-white.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-256.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\Recovery+rooqs.txt	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+rooqs.html	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	gjfqalpicdxg.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailSmallTile.scale-100.png	gjfqalpicdxg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\gjfqalpicdxg.exe	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
File created	C:\Windows\gjfqalpicdxg.exe	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gjfqalpicdxg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gjfqalpicdxg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	gjfqalpicdxg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1920	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe
3200	gjfqalpicdxg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4300	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
Token: SeDebugPrivilege	3200	gjfqalpicdxg.exe
Token: SeIncreaseQuotaPrivilege	3436	WMIC.exe
Token: SeSecurityPrivilege	3436	WMIC.exe
Token: SeTakeOwnershipPrivilege	3436	WMIC.exe
Token: SeLoadDriverPrivilege	3436	WMIC.exe
Token: SeSystemProfilePrivilege	3436	WMIC.exe
Token: SeSystemtimePrivilege	3436	WMIC.exe
Token: SeProfSingleProcessPrivilege	3436	WMIC.exe
Token: SeIncBasePriorityPrivilege	3436	WMIC.exe
Token: SeCreatePagefilePrivilege	3436	WMIC.exe
Token: SeBackupPrivilege	3436	WMIC.exe
Token: SeRestorePrivilege	3436	WMIC.exe
Token: SeShutdownPrivilege	3436	WMIC.exe
Token: SeDebugPrivilege	3436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3436	WMIC.exe
Token: SeRemoteShutdownPrivilege	3436	WMIC.exe
Token: SeUndockPrivilege	3436	WMIC.exe
Token: SeManageVolumePrivilege	3436	WMIC.exe
Token: 33	3436	WMIC.exe
Token: 34	3436	WMIC.exe
Token: 35	3436	WMIC.exe
Token: 36	3436	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3436	WMIC.exe
Token: SeSecurityPrivilege	3436	WMIC.exe
Token: SeTakeOwnershipPrivilege	3436	WMIC.exe
Token: SeLoadDriverPrivilege	3436	WMIC.exe
Token: SeSystemProfilePrivilege	3436	WMIC.exe
Token: SeSystemtimePrivilege	3436	WMIC.exe
Token: SeProfSingleProcessPrivilege	3436	WMIC.exe
Token: SeIncBasePriorityPrivilege	3436	WMIC.exe
Token: SeCreatePagefilePrivilege	3436	WMIC.exe
Token: SeBackupPrivilege	3436	WMIC.exe
Token: SeRestorePrivilege	3436	WMIC.exe
Token: SeShutdownPrivilege	3436	WMIC.exe
Token: SeDebugPrivilege	3436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3436	WMIC.exe
Token: SeRemoteShutdownPrivilege	3436	WMIC.exe
Token: SeUndockPrivilege	3436	WMIC.exe
Token: SeManageVolumePrivilege	3436	WMIC.exe
Token: 33	3436	WMIC.exe
Token: 34	3436	WMIC.exe
Token: 35	3436	WMIC.exe
Token: 36	3436	WMIC.exe
Token: SeBackupPrivilege	1744	vssvc.exe
Token: SeRestorePrivilege	1744	vssvc.exe
Token: SeAuditPrivilege	1744	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1428	WMIC.exe
Token: SeSecurityPrivilege	1428	WMIC.exe
Token: SeTakeOwnershipPrivilege	1428	WMIC.exe
Token: SeLoadDriverPrivilege	1428	WMIC.exe
Token: SeSystemProfilePrivilege	1428	WMIC.exe
Token: SeSystemtimePrivilege	1428	WMIC.exe
Token: SeProfSingleProcessPrivilege	1428	WMIC.exe
Token: SeIncBasePriorityPrivilege	1428	WMIC.exe
Token: SeCreatePagefilePrivilege	1428	WMIC.exe
Token: SeBackupPrivilege	1428	WMIC.exe
Token: SeRestorePrivilege	1428	WMIC.exe
Token: SeShutdownPrivilege	1428	WMIC.exe
Token: SeDebugPrivilege	1428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1428	WMIC.exe
Token: SeRemoteShutdownPrivilege	1428	WMIC.exe
Token: SeUndockPrivilege	1428	WMIC.exe
Token: SeManageVolumePrivilege	1428	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 4300	3088	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	98
PID 3088 wrote to memory of 4300	3088	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	98
PID 3088 wrote to memory of 4300	3088	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	98
PID 3088 wrote to memory of 4300	3088	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	98
PID 3088 wrote to memory of 4300	3088	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	98
PID 3088 wrote to memory of 4300	3088	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	98
PID 3088 wrote to memory of 4300	3088	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	98
PID 3088 wrote to memory of 4300	3088	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	98
PID 3088 wrote to memory of 4300	3088	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	98
PID 4300 wrote to memory of 4140	4300	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	99
PID 4300 wrote to memory of 4140	4300	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	99
PID 4300 wrote to memory of 4140	4300	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	99
PID 4300 wrote to memory of 4576	4300	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	100
PID 4300 wrote to memory of 4576	4300	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	100
PID 4300 wrote to memory of 4576	4300	d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe	100
PID 4140 wrote to memory of 3200	4140	gjfqalpicdxg.exe	103
PID 4140 wrote to memory of 3200	4140	gjfqalpicdxg.exe	103
PID 4140 wrote to memory of 3200	4140	gjfqalpicdxg.exe	103
PID 4140 wrote to memory of 3200	4140	gjfqalpicdxg.exe	103
PID 4140 wrote to memory of 3200	4140	gjfqalpicdxg.exe	103
PID 4140 wrote to memory of 3200	4140	gjfqalpicdxg.exe	103
PID 4140 wrote to memory of 3200	4140	gjfqalpicdxg.exe	103
PID 4140 wrote to memory of 3200	4140	gjfqalpicdxg.exe	103
PID 4140 wrote to memory of 3200	4140	gjfqalpicdxg.exe	103
PID 3200 wrote to memory of 3436	3200	gjfqalpicdxg.exe	104
PID 3200 wrote to memory of 3436	3200	gjfqalpicdxg.exe	104
PID 3200 wrote to memory of 1920	3200	gjfqalpicdxg.exe	111
PID 3200 wrote to memory of 1920	3200	gjfqalpicdxg.exe	111
PID 3200 wrote to memory of 1920	3200	gjfqalpicdxg.exe	111
PID 3200 wrote to memory of 468	3200	gjfqalpicdxg.exe	112
PID 3200 wrote to memory of 468	3200	gjfqalpicdxg.exe	112
PID 468 wrote to memory of 3372	468	msedge.exe	113
PID 468 wrote to memory of 3372	468	msedge.exe	113
PID 3200 wrote to memory of 1428	3200	gjfqalpicdxg.exe	114
PID 3200 wrote to memory of 1428	3200	gjfqalpicdxg.exe	114
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117
PID 468 wrote to memory of 232	468	msedge.exe	117

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gjfqalpicdxg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gjfqalpicdxg.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\gjfqalpicdxg.exe
    C:\Windows\gjfqalpicdxg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\gjfqalpicdxg.exe
      C:\Windows\gjfqalpicdxg.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3200
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3436
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffae3446f8,0x7fffae344708,0x7fffae344718
        6⤵
        
        PID:3372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,3665991410947919599,1673893366281734408,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
        6⤵
        
        PID:232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,3665991410947919599,1673893366281734408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        6⤵
        
        PID:2432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,3665991410947919599,1673893366281734408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
        6⤵
        
        PID:4808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3665991410947919599,1673893366281734408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        6⤵
        
        PID:4280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3665991410947919599,1673893366281734408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
        6⤵
        
        PID:208
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,3665991410947919599,1673893366281734408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
        6⤵
        
        PID:3716
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,3665991410947919599,1673893366281734408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
        6⤵
        
        PID:1500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3665991410947919599,1673893366281734408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
        6⤵
        
        PID:2440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3665991410947919599,1673893366281734408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
        6⤵
        
        PID:2208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3665991410947919599,1673893366281734408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
        6⤵
        
        PID:1800
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3665991410947919599,1673893366281734408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
        6⤵
        
        PID:2312
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GJFQAL~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D35C98~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+rooqs.html

Filesize
11KB

MD5
8ba3072fded06403b4d64d757f103311

SHA1
b0c4ab28cb3cb5d9d4cb651bb6d043ce6322860a

SHA256
d43da05e4301f442aa3532a24c7aa7170f1bed7a029572807b736a2575593f40

SHA512
4914258d878ba5e4b33f0322727851721747e7d981c0303877b3d3d62d289930948546a37f272d3910a8342ef2cc671cf13de851291d6987285bb0da2e2bc646

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+rooqs.png

Filesize
61KB

MD5
05d6a4be27cb670dc4e5dc465e6b3b0e

SHA1
ef7c1a12039bad0f9473a1be3a46f89fc85e3437

SHA256
20697f9f5092e28d69e4dd822b6d190bf32d329bb35f676a95f8327803f27c0c

SHA512
583f9dc33a9f792a7e8fff13ccaca5309a622e6d82731de41b14de68f8b17323a63cd6d0299144b365c6d8446149ea3d7ce720e71577b69dec49483b613d3335

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+rooqs.txt

Filesize
1KB

MD5
16b9eb490170a0268bc886da4a5f5c40

SHA1
5ae77ca3b14e2401973a4160cbe6a7322b3476d2

SHA256
b65ec84924b4c2714db75321ef362f3b0e5adf961489c56bd634cdd4dda536fa

SHA512
f1306400420c6969fb9d107d176e317543828e10dea94300e5164314089abdf072f53c7711806d70a8cd32139af17242ee1928eedf52091b9d2919ffb09d9a91

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
612f634bee49fcaa302facaa06e6e766

SHA1
ad3be4ab056888d63743aebd55c55716deef00e7

SHA256
d9712b1ad2765ea953bbb91f432fb4e1a0b750f23d312f812a3a67d9da9358f4

SHA512
6b5e00dfe0bc3ca5e16b026b3636bb3ee99e51d7ae1c0f2c9549547e6bb4b909124376ada681ad1a668671e64c3c03c733f9ede173fa1f0ed7a6235384d7894f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
b3fc6b90d7cdabd789029f8436283106

SHA1
14e2127a2c4445fbc8f32437a71d1e0c5283b666

SHA256
30a5e27ff6e1d381944e593745bd9eaf3fe7295590334f45c1ce9cd654b1d8c9

SHA512
a8f70a6bef8c7e24baae0985e827b930eba6e819429910bc345a79a63880c551ea646347c9f32ef540afd0c15f165bcf9cf042ff4dcdc0d328f7daa9b0005121

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
3afb5e93d267cc590b99491c36e78c71

SHA1
80f30a3d0f7467a56c67cf336beac566f826fa43

SHA256
ee4b4571d1afeb9954c93c277c2be2654b3a6d644ed39feb6e15e79713876678

SHA512
b1d762e46ab3a6d7c9c173b30e738d8290c9dcbf590acd3fe0a469d49107030da7dbbe3e19c1b32d17661b51f8ff703fd80cffeeafd70bbd7cadbc5193fa7f1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a816219bbe34332458d4aad7b18892c8

SHA1
9590e9f72ed3fefcbba85eee597093cbcf79b7d6

SHA256
d41a5b72bc148b78e1452df30fbee9240d9668609d022a81e17772312c927eb6

SHA512
d24b808bb8e5c11454bc03e1ef52271ab8b241414cf2b8e9402974d5b517d0e3194488fcaddd8564d206f3543acb16c23d8ed44384c43a9ba23363149ebb4e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8d3be07a22d71e3d9f344f952a922481

SHA1
f63f870ede451aa1416b0eff76be120008bd1635

SHA256
5b48e146d0556d82a546e0eeacb3e05554c2b15c27244d2cbe9c42553c30ba26

SHA512
fba221fdaa376601414ee1b92718eda0f11a4d2354ae4ef54cabdfa66ba77d0ed920820416ae4fc228bcbaba2d45a96c4842351d52be1787f26152e9db824d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
41c7129155062f2b656350c184f347e4

SHA1
a740108acd743a8c20a8b5bb96c2b92ab3d736fc

SHA256
13eeb6b4b0339587eb532244297c9bb06542ad5a811a5c7e8955e29ae5b648ed

SHA512
5e8704d3114e61015fbbbd73656f56f7f73dfc18dfe67007b774abfed6779b18cd3ce94bf9df32f3eb7316af5fbd5c04b1237f98e6a9bd28cee016f62f46cb7e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662820354407.txt

Filesize
77KB

MD5
afe9ec0093e57c36f26fbccc16de17a7

SHA1
e4d493b2d651beb13a2798fbcb06bc57c18bb871

SHA256
6d267ceb561d269e77aecd2ee28958edf6ea19c091154fb30f61b61d4c49abde

SHA512
81bdd7d78510ebb47c2389c645a701d613b009bcab5abfe70606739f8622ca682a9a77ea6226e7194116a34a3d7012c571e741dd6d427c8d367093ce13346007

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664176773847.txt

Filesize
48KB

MD5
5772c7675fdf5e20175c79859127ed9b

SHA1
33f856faee7f5c17815afec1d2d33d19b5a13900

SHA256
b72c77176a49869d5bb63a0c5163a02fd7d15a27864f85ad2d5c3d5175957e1b

SHA512
ded95f9e29ca0ad7ef7a7e5340e716ad5bf2067d9fcfabebef84f32ecc0e7ec6aac154d8cf1fe72e927d8594456e7df7c200749874f51d46bae0c5fc55506c71

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727672589120253.txt

Filesize
75KB

MD5
78e72f8457bea73144e91c5c722cbdcf

SHA1
9fbffa03bd14003b32c4e82d6bdd44b374af7046

SHA256
070c9b07393612439eeeff392a0e2be9556aa6c1cabb85604f52b5c58882ca53

SHA512
9f857c7cb94a100fed10c7a15cb7fd0d0c620de5ba7101a04c00a9017e8cb5d3f5954dd316f7ea8c5ab51b3bcdfe3171b82dcc4c6244686d72a2bf5b8683006d

Download Submit
C:\Windows\gjfqalpicdxg.exe

Filesize
340KB

MD5
d35c98321d2f87f089b7d5c26174a10b

SHA1
2d7f432514ba316ecec7a8f372d0a75cb32f8fc0

SHA256
2d8e7d0a895c13a1d012b25b069a528481cd0d3c91b74689c61299f3b5a55232

SHA512
a467e624af472a2dc240dc325bef21b4dd435315dd765e9afd6f4134bd1c2482d23072e2057cc9ef60e9aad9107f6985bdacde3c92f0d68601b44ebf9990c40d

Download Submit
memory/3088-0-0x00000000024D0000-0x00000000024D3000-memory.dmp

Filesize
12KB

Download
memory/3088-4-0x00000000024D0000-0x00000000024D3000-memory.dmp

Filesize
12KB

Download
memory/3088-1-0x00000000024D0000-0x00000000024D3000-memory.dmp

Filesize
12KB

Download
memory/3200-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-10578-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-2653-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-2835-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-2846-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-5861-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-9588-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-10577-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-10587-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-10586-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3200-10631-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4140-12-0x0000000000400000-0x000000000081D000-memory.dmp

Filesize
4.1MB

Download
memory/4300-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4300-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4300-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4300-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4300-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download