teslacrypt | e37b974823a5def88d1b8857cbe4262ed60d59a7ef7b6854e407d6a2dc8cdc68

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe
Size

328KB
MD5

e5e83d8209a8e06089d70e65901b7481
SHA1

dba4cc12a51f6ab845673de37756d2b3f31825e6
SHA256

e37b974823a5def88d1b8857cbe4262ed60d59a7ef7b6854e407d6a2dc8cdc68
SHA512

63b61ab3d5d26aaa318ae36a29dfc2107deedd6b340c54abbeec40b9598a5d6ea1743bdd6c320dddcbafcea5820b2620e4b0b9bfc4d5a45a8808c09b148503b2
SSDEEP

6144:EEKwa30luX+sChrlTxO9M4wt8lfJBXfvUmaeyfXMx3/mQ6YroqS8j6M54IaHSJ7+:jK8luX+ssxTI9WkxxvPWUpeG/+bIn70

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+gviuw.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/22133AB2B1D93D 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/22133AB2B1D93D 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/22133AB2B1D93D If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/22133AB2B1D93D 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/22133AB2B1D93D http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/22133AB2B1D93D http://yyre45dbvn2nhbefbmh.begumvelic.at/22133AB2B1D93D Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/22133AB2B1D93D

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/22133AB2B1D93D

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/22133AB2B1D93D

http://yyre45dbvn2nhbefbmh.begumvelic.at/22133AB2B1D93D

http://xlowfznrg4wf7dli.ONION/22133AB2B1D93D

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (861) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	evmtkhjvdxsi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+gviuw.png	evmtkhjvdxsi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+gviuw.png	evmtkhjvdxsi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe

Executes dropped EXE 1 IoCs

pid	Process
2236	evmtkhjvdxsi.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gamkxrm = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\evmtkhjvdxsi.exe"	evmtkhjvdxsi.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\_ReCoVeRy_+gviuw.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-200_contrast-black.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+gviuw.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_ReCoVeRy_+gviuw.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactNative\Tracing\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-125.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextDark.scale-125.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\_ReCoVeRy_+gviuw.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-64_altform-lightunplated.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\main.js	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64_altform-unplated.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TinyTile.scale-125_contrast-white.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\fonts\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\BadgeLogo.scale-100.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Kiss.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jscripts\_ReCoVeRy_+gviuw.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-96_altform-unplated.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\Views\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-125_contrast-white.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe81b.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-200.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_ReCoVeRy_+gviuw.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-100.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-200.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-100.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100_contrast-black.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\_ReCoVeRy_+gviuw.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-40_altform-unplated_contrast-black.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailBadge.scale-150.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-100.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-200_contrast-black.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp6.scale-125.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PaySquare44x44Logo.targetsize-24_altform-unplated.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-200.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Windows_Insider_Ninjacat_Unicorn-128x128.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-96.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-60.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-16.png	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\_ReCoVeRy_+gviuw.txt	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\_ReCoVeRy_+gviuw.html	evmtkhjvdxsi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-125.png	evmtkhjvdxsi.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\evmtkhjvdxsi.exe	e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe
File created	C:\Windows\evmtkhjvdxsi.exe	e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evmtkhjvdxsi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	evmtkhjvdxsi.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2456	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe
2236	evmtkhjvdxsi.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3268	e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe
Token: SeDebugPrivilege	2236	evmtkhjvdxsi.exe
Token: SeIncreaseQuotaPrivilege	5012	WMIC.exe
Token: SeSecurityPrivilege	5012	WMIC.exe
Token: SeTakeOwnershipPrivilege	5012	WMIC.exe
Token: SeLoadDriverPrivilege	5012	WMIC.exe
Token: SeSystemProfilePrivilege	5012	WMIC.exe
Token: SeSystemtimePrivilege	5012	WMIC.exe
Token: SeProfSingleProcessPrivilege	5012	WMIC.exe
Token: SeIncBasePriorityPrivilege	5012	WMIC.exe
Token: SeCreatePagefilePrivilege	5012	WMIC.exe
Token: SeBackupPrivilege	5012	WMIC.exe
Token: SeRestorePrivilege	5012	WMIC.exe
Token: SeShutdownPrivilege	5012	WMIC.exe
Token: SeDebugPrivilege	5012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5012	WMIC.exe
Token: SeRemoteShutdownPrivilege	5012	WMIC.exe
Token: SeUndockPrivilege	5012	WMIC.exe
Token: SeManageVolumePrivilege	5012	WMIC.exe
Token: 33	5012	WMIC.exe
Token: 34	5012	WMIC.exe
Token: 35	5012	WMIC.exe
Token: 36	5012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5012	WMIC.exe
Token: SeSecurityPrivilege	5012	WMIC.exe
Token: SeTakeOwnershipPrivilege	5012	WMIC.exe
Token: SeLoadDriverPrivilege	5012	WMIC.exe
Token: SeSystemProfilePrivilege	5012	WMIC.exe
Token: SeSystemtimePrivilege	5012	WMIC.exe
Token: SeProfSingleProcessPrivilege	5012	WMIC.exe
Token: SeIncBasePriorityPrivilege	5012	WMIC.exe
Token: SeCreatePagefilePrivilege	5012	WMIC.exe
Token: SeBackupPrivilege	5012	WMIC.exe
Token: SeRestorePrivilege	5012	WMIC.exe
Token: SeShutdownPrivilege	5012	WMIC.exe
Token: SeDebugPrivilege	5012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5012	WMIC.exe
Token: SeRemoteShutdownPrivilege	5012	WMIC.exe
Token: SeUndockPrivilege	5012	WMIC.exe
Token: SeManageVolumePrivilege	5012	WMIC.exe
Token: 33	5012	WMIC.exe
Token: 34	5012	WMIC.exe
Token: 35	5012	WMIC.exe
Token: 36	5012	WMIC.exe
Token: SeBackupPrivilege	1064	vssvc.exe
Token: SeRestorePrivilege	1064	vssvc.exe
Token: SeAuditPrivilege	1064	vssvc.exe
Token: SeIncreaseQuotaPrivilege	296	WMIC.exe
Token: SeSecurityPrivilege	296	WMIC.exe
Token: SeTakeOwnershipPrivilege	296	WMIC.exe
Token: SeLoadDriverPrivilege	296	WMIC.exe
Token: SeSystemProfilePrivilege	296	WMIC.exe
Token: SeSystemtimePrivilege	296	WMIC.exe
Token: SeProfSingleProcessPrivilege	296	WMIC.exe
Token: SeIncBasePriorityPrivilege	296	WMIC.exe
Token: SeCreatePagefilePrivilege	296	WMIC.exe
Token: SeBackupPrivilege	296	WMIC.exe
Token: SeRestorePrivilege	296	WMIC.exe
Token: SeShutdownPrivilege	296	WMIC.exe
Token: SeDebugPrivilege	296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	296	WMIC.exe
Token: SeRemoteShutdownPrivilege	296	WMIC.exe
Token: SeUndockPrivilege	296	WMIC.exe
Token: SeManageVolumePrivilege	296	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 2236	3268	e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe	84
PID 3268 wrote to memory of 2236	3268	e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe	84
PID 3268 wrote to memory of 2236	3268	e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe	84
PID 3268 wrote to memory of 3432	3268	e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe	86
PID 3268 wrote to memory of 3432	3268	e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe	86
PID 3268 wrote to memory of 3432	3268	e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe	86
PID 2236 wrote to memory of 5012	2236	evmtkhjvdxsi.exe	88
PID 2236 wrote to memory of 5012	2236	evmtkhjvdxsi.exe	88
PID 2236 wrote to memory of 2456	2236	evmtkhjvdxsi.exe	108
PID 2236 wrote to memory of 2456	2236	evmtkhjvdxsi.exe	108
PID 2236 wrote to memory of 2456	2236	evmtkhjvdxsi.exe	108
PID 2236 wrote to memory of 4892	2236	evmtkhjvdxsi.exe	109
PID 2236 wrote to memory of 4892	2236	evmtkhjvdxsi.exe	109
PID 4892 wrote to memory of 2608	4892	msedge.exe	110
PID 4892 wrote to memory of 2608	4892	msedge.exe	110
PID 2236 wrote to memory of 296	2236	evmtkhjvdxsi.exe	111
PID 2236 wrote to memory of 296	2236	evmtkhjvdxsi.exe	111
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 1184	4892	msedge.exe	114
PID 4892 wrote to memory of 4520	4892	msedge.exe	115
PID 4892 wrote to memory of 4520	4892	msedge.exe	115
PID 4892 wrote to memory of 2892	4892	msedge.exe	116
PID 4892 wrote to memory of 2892	4892	msedge.exe	116
PID 4892 wrote to memory of 2892	4892	msedge.exe	116
PID 4892 wrote to memory of 2892	4892	msedge.exe	116
PID 4892 wrote to memory of 2892	4892	msedge.exe	116

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	evmtkhjvdxsi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	evmtkhjvdxsi.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5e83d8209a8e06089d70e65901b7481_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\evmtkhjvdxsi.exe
  C:\Windows\evmtkhjvdxsi.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2236
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5012
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:2456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc39a46f8,0x7ffbc39a4708,0x7ffbc39a4718
      4⤵
      PID:2608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12210550593688738288,15549824366891158153,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:1184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,12210550593688738288,15549824366891158153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      PID:4520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,12210550593688738288,15549824366891158153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
      4⤵
      PID:2892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12210550593688738288,15549824366891158153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1480 /prefetch:1
      4⤵
      PID:4632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12210550593688738288,15549824366891158153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
      4⤵
      PID:4764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12210550593688738288,15549824366891158153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:1000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12210550593688738288,15549824366891158153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:2860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12210550593688738288,15549824366891158153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
      4⤵
      PID:4496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12210550593688738288,15549824366891158153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
      4⤵
      PID:2632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12210550593688738288,15549824366891158153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      4⤵
      PID:1432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12210550593688738288,15549824366891158153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      PID:4556
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\EVMTKH~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E5E83D~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+gviuw.html

Filesize
12KB

MD5
834e395bbdbafa529f134179ed9c3f80

SHA1
75fab0249da6410edc926c946edbc8657d8771e9

SHA256
dd947ea4d6af7b2aae2ec98449f48f83766a10de906b500273449f7b2fde7107

SHA512
a0ea25f36bb1ebd1a3769aee57d908cce8e30b2539a21fdf078ae12f04f1ffff621c555abf61de368c527332acb5c88fd9524cb247aafc722cdb22b42479b9a1

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+gviuw.png

Filesize
64KB

MD5
651bd8cee7d529c031f1af6f68b481e2

SHA1
08a2f6a47f1a27db85d0338b70a90bc7b27fe61a

SHA256
01792f2a4aa9ba45866321ee85ab0a3920b219b743312737fa045aca763e224e

SHA512
90f207f8c78bc84c35cc6d2571385fbd0cd186b374025b1c99e41e6847e1ef77d6308c134d5a01d302913aef810eb325bbfb60614546d7cb3b6e2b79765d3f9a

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+gviuw.txt

Filesize
1KB

MD5
0292b4d22f4e8266f436747c97153e3a

SHA1
edaa7429c5e86490b06aaaedfce43b0c073efb9b

SHA256
155bc57300ad27993be1c773699b82c823268b053e45f0141f5d3ec46cea14b1

SHA512
b675c1cec1e9a503aa7bfb1097cc516592cf28dcc442ac47528e97bc5679680427f99b50bb1439d0036967d9fa7ea7268682b2b75b2b0eed3bd2ae32fa51a047

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
0a43c323890130f787795c98314c5009

SHA1
32c56e77d59772811f52252d8c957c796da556ef

SHA256
6c2006d8bdfc537e2869991158cbf1e1835f75a4572616670bb775f3242ab1f2

SHA512
f72faed97a6c87ab71b3b0023b3901f0f5f1180d64b1a772967e66e685c61db235a7ff233b03c3c37c980b8ea4e048d58c0f435c538c625a50e25b5ae23f2e88

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
e19e995f65d45550cea1ada24ed41f5e

SHA1
56b076e353d12978f2685eb35f5ae792055a32a9

SHA256
66a3e6b51a9b1f7dd53f7ee195c9a2a68b5f608963938aecee3f778014775ba8

SHA512
0653807f1b591b3bd524ea8645e63ab0fa2478650771c3cc6b2df760cc2b49a8da774db78d1055e00036ce2dc95e97ed0a2034fb687b227d7ea5f7793d04ed26

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
99f397bf4df98dda16a04e6d098f8f90

SHA1
91204631a8343fd8ea800c390b93ea270b5cdfe8

SHA256
c8467f6b8fadb96bf285165932540e233a73dcf446e8238f44c598acbfcc086c

SHA512
26068ec690d7fc018bcfc9e6c2f4a83ebe290a8307d975c4ab5088ca0e886cd0c675871a2eac279bb0242fcbe0df8a3fad6d8442c74e90bb63854cc855afd1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8b2d4b83e1efa93c58226943c91a0ec8

SHA1
a1a0fe9a11f3119ff15c530ee3ce6cf0ce345d0f

SHA256
dd67a0fe4985050d1e2c85805e457d2980e1b4632d5e08185f0ce0c46fe83c57

SHA512
cd8992e706384467516a2045db6a3f635d61466d17530a363864e4b6e932d3d11627e652110536b2bc40a4eaa667c3be5a65c7d68bbc66475e731752c80e3e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7fc0cc722dd528f260f78542e4bf5610

SHA1
d164292cfd190514c5448bec6bac4ff9dcffa6d1

SHA256
9733ab8dac2270e5057bdd36cef8dc197f890cc3b1a31f9add027173857697e6

SHA512
2e2c6f75ac64159ce1b8c8af04e97429abb63487706564cb7bd4e864edd5266cd465598455398d38d86817173aa9d4930fce9fd3caab2433962bea1fe58e1fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0af86c1cf754c5ea4734d687a198fe70

SHA1
ecec31f4f0965dab9333555aaa6df0bd2f775097

SHA256
856014a35faad0b4bdcddbdf46bd2c6d620e90cd8a2e101d7fa02ac84daf3ce5

SHA512
9f0c1c37aaee336680e084d0bc7c088b2c14026300e8b047aa606eab6523b86a70891bd5d02b4435a84f1a8c2f5474728358bf70e7a9f24ed6e250f73f28edf8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665885684530.txt

Filesize
74KB

MD5
cf65b29c995583b9dac73b09b7ba2dfd

SHA1
3c37ff9c5afe729d1dc674c71d1cdc707f64dc43

SHA256
ce23412f0d73b845c443f4e8c0a58e61e9553bf4abe2e56cd2348718f361fafd

SHA512
47515786cb98ca8b54e0a344728d608333d872d5a6fa6bbe309857c582cd4b73a334b9eb92ee50ebc224b683c2f8200ce0b96133ddf48b747ed7e62934f09f63

Download Submit
C:\Windows\evmtkhjvdxsi.exe

Filesize
328KB

MD5
e5e83d8209a8e06089d70e65901b7481

SHA1
dba4cc12a51f6ab845673de37756d2b3f31825e6

SHA256
e37b974823a5def88d1b8857cbe4262ed60d59a7ef7b6854e407d6a2dc8cdc68

SHA512
63b61ab3d5d26aaa318ae36a29dfc2107deedd6b340c54abbeec40b9598a5d6ea1743bdd6c320dddcbafcea5820b2620e4b0b9bfc4d5a45a8808c09b148503b2

Download Submit
memory/2236-10495-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2236-9191-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2236-5662-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2236-2781-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2236-10539-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2236-12-0x0000000002120000-0x00000000021A6000-memory.dmp

Filesize
536KB

Download
memory/3268-1-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3268-14-0x0000000002230000-0x00000000022B6000-memory.dmp

Filesize
536KB

Download
memory/3268-13-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3268-0-0x0000000002230000-0x00000000022B6000-memory.dmp

Filesize
536KB

Download