teslacrypt | ff643671b6b76520a3a2478674914bd64ff41c7de9021e77bdeeb78df2b4a807

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe
Size

348KB
MD5

fb25ae4ad306c725f65805a5860afbc2
SHA1

95f37a9897a9e87ebeac02af07dad74e065f5402
SHA256

ff643671b6b76520a3a2478674914bd64ff41c7de9021e77bdeeb78df2b4a807
SHA512

8f2e1467d576be29937bd58586b8e1678b68f17b51579610fc4d51aca8d80ae1491f3704a9f7459165197fec2b61b68a919e11477560aa9665fc4ac461d29eb7
SSDEEP

6144:9TXaPzWvU+vHkRBo1lY9djE7aQCzY6/4d2GOuSkvHCJ0nJFIARNeb9BDGkWi:6TAY9G7ao6MnOuSl6wNb9tGkn

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ctpeb.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1A1DE04B66E42540 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1A1DE04B66E42540 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/1A1DE04B66E42540 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/1A1DE04B66E42540 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1A1DE04B66E42540 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1A1DE04B66E42540 http://yyre45dbvn2nhbefbmh.begumvelic.at/1A1DE04B66E42540 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/1A1DE04B66E42540

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1A1DE04B66E42540

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1A1DE04B66E42540

http://yyre45dbvn2nhbefbmh.begumvelic.at/1A1DE04B66E42540

http://xlowfznrg4wf7dli.ONION/1A1DE04B66E42540

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (893) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	xctoumqmwusn.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe

Executes dropped EXE 2 IoCs

pid	Process
1756	xctoumqmwusn.exe
4428	xctoumqmwusn.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fsethbq = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\xctoumqmwusn.exe"	xctoumqmwusn.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3096 set thread context of 4540	3096	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	97
PID 1756 set thread context of 4428	1756	xctoumqmwusn.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\LargeTile.scale-100.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewer\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\NoiseAsset_256X256_PNG.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-200.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-150_contrast-white.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Common Files\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-125.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-30_altform-unplated.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-lightunplated.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-100_contrast-white.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-200.jpg	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Dismiss.scale-64.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileMediumSquare.scale-200.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-100.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-24_altform-lightunplated.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jfr\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-16.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\SmallTile.scale-100.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96_altform-unplated.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\vi-VN\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-400.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Fonts\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\ERRORREP\QSIGNOFF\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-16_altform-unplated_contrast-black.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\_ReCoVeRy_+ctpeb.txt	xctoumqmwusn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.js	xctoumqmwusn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_ReCoVeRy_+ctpeb.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\_ReCoVeRy_+ctpeb.html	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageMedTile.scale-125.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png	xctoumqmwusn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-200.png	xctoumqmwusn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\xctoumqmwusn.exe	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe
File opened for modification	C:\Windows\xctoumqmwusn.exe	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xctoumqmwusn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xctoumqmwusn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	xctoumqmwusn.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
896	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe
4428	xctoumqmwusn.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe
Token: SeDebugPrivilege	4428	xctoumqmwusn.exe
Token: SeIncreaseQuotaPrivilege	1392	WMIC.exe
Token: SeSecurityPrivilege	1392	WMIC.exe
Token: SeTakeOwnershipPrivilege	1392	WMIC.exe
Token: SeLoadDriverPrivilege	1392	WMIC.exe
Token: SeSystemProfilePrivilege	1392	WMIC.exe
Token: SeSystemtimePrivilege	1392	WMIC.exe
Token: SeProfSingleProcessPrivilege	1392	WMIC.exe
Token: SeIncBasePriorityPrivilege	1392	WMIC.exe
Token: SeCreatePagefilePrivilege	1392	WMIC.exe
Token: SeBackupPrivilege	1392	WMIC.exe
Token: SeRestorePrivilege	1392	WMIC.exe
Token: SeShutdownPrivilege	1392	WMIC.exe
Token: SeDebugPrivilege	1392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1392	WMIC.exe
Token: SeRemoteShutdownPrivilege	1392	WMIC.exe
Token: SeUndockPrivilege	1392	WMIC.exe
Token: SeManageVolumePrivilege	1392	WMIC.exe
Token: 33	1392	WMIC.exe
Token: 34	1392	WMIC.exe
Token: 35	1392	WMIC.exe
Token: 36	1392	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1392	WMIC.exe
Token: SeSecurityPrivilege	1392	WMIC.exe
Token: SeTakeOwnershipPrivilege	1392	WMIC.exe
Token: SeLoadDriverPrivilege	1392	WMIC.exe
Token: SeSystemProfilePrivilege	1392	WMIC.exe
Token: SeSystemtimePrivilege	1392	WMIC.exe
Token: SeProfSingleProcessPrivilege	1392	WMIC.exe
Token: SeIncBasePriorityPrivilege	1392	WMIC.exe
Token: SeCreatePagefilePrivilege	1392	WMIC.exe
Token: SeBackupPrivilege	1392	WMIC.exe
Token: SeRestorePrivilege	1392	WMIC.exe
Token: SeShutdownPrivilege	1392	WMIC.exe
Token: SeDebugPrivilege	1392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1392	WMIC.exe
Token: SeRemoteShutdownPrivilege	1392	WMIC.exe
Token: SeUndockPrivilege	1392	WMIC.exe
Token: SeManageVolumePrivilege	1392	WMIC.exe
Token: 33	1392	WMIC.exe
Token: 34	1392	WMIC.exe
Token: 35	1392	WMIC.exe
Token: 36	1392	WMIC.exe
Token: SeBackupPrivilege	2228	vssvc.exe
Token: SeRestorePrivilege	2228	vssvc.exe
Token: SeAuditPrivilege	2228	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3892	WMIC.exe
Token: SeSecurityPrivilege	3892	WMIC.exe
Token: SeTakeOwnershipPrivilege	3892	WMIC.exe
Token: SeLoadDriverPrivilege	3892	WMIC.exe
Token: SeSystemProfilePrivilege	3892	WMIC.exe
Token: SeSystemtimePrivilege	3892	WMIC.exe
Token: SeProfSingleProcessPrivilege	3892	WMIC.exe
Token: SeIncBasePriorityPrivilege	3892	WMIC.exe
Token: SeCreatePagefilePrivilege	3892	WMIC.exe
Token: SeBackupPrivilege	3892	WMIC.exe
Token: SeRestorePrivilege	3892	WMIC.exe
Token: SeShutdownPrivilege	3892	WMIC.exe
Token: SeDebugPrivilege	3892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3892	WMIC.exe
Token: SeRemoteShutdownPrivilege	3892	WMIC.exe
Token: SeUndockPrivilege	3892	WMIC.exe
Token: SeManageVolumePrivilege	3892	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4540	3096	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	97
PID 3096 wrote to memory of 4540	3096	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	97
PID 3096 wrote to memory of 4540	3096	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	97
PID 3096 wrote to memory of 4540	3096	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	97
PID 3096 wrote to memory of 4540	3096	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	97
PID 3096 wrote to memory of 4540	3096	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	97
PID 3096 wrote to memory of 4540	3096	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	97
PID 3096 wrote to memory of 4540	3096	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	97
PID 3096 wrote to memory of 4540	3096	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	97
PID 3096 wrote to memory of 4540	3096	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	97
PID 4540 wrote to memory of 1756	4540	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	98
PID 4540 wrote to memory of 1756	4540	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	98
PID 4540 wrote to memory of 1756	4540	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	98
PID 4540 wrote to memory of 3968	4540	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	99
PID 4540 wrote to memory of 3968	4540	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	99
PID 4540 wrote to memory of 3968	4540	fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe	99
PID 1756 wrote to memory of 4428	1756	xctoumqmwusn.exe	103
PID 1756 wrote to memory of 4428	1756	xctoumqmwusn.exe	103
PID 1756 wrote to memory of 4428	1756	xctoumqmwusn.exe	103
PID 1756 wrote to memory of 4428	1756	xctoumqmwusn.exe	103
PID 1756 wrote to memory of 4428	1756	xctoumqmwusn.exe	103
PID 1756 wrote to memory of 4428	1756	xctoumqmwusn.exe	103
PID 1756 wrote to memory of 4428	1756	xctoumqmwusn.exe	103
PID 1756 wrote to memory of 4428	1756	xctoumqmwusn.exe	103
PID 1756 wrote to memory of 4428	1756	xctoumqmwusn.exe	103
PID 1756 wrote to memory of 4428	1756	xctoumqmwusn.exe	103
PID 4428 wrote to memory of 1392	4428	xctoumqmwusn.exe	104
PID 4428 wrote to memory of 1392	4428	xctoumqmwusn.exe	104
PID 4428 wrote to memory of 896	4428	xctoumqmwusn.exe	110
PID 4428 wrote to memory of 896	4428	xctoumqmwusn.exe	110
PID 4428 wrote to memory of 896	4428	xctoumqmwusn.exe	110
PID 4428 wrote to memory of 440	4428	xctoumqmwusn.exe	111
PID 4428 wrote to memory of 440	4428	xctoumqmwusn.exe	111
PID 440 wrote to memory of 3248	440	msedge.exe	112
PID 440 wrote to memory of 3248	440	msedge.exe	112
PID 4428 wrote to memory of 3892	4428	xctoumqmwusn.exe	113
PID 4428 wrote to memory of 3892	4428	xctoumqmwusn.exe	113
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115
PID 440 wrote to memory of 1724	440	msedge.exe	115

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	xctoumqmwusn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xctoumqmwusn.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Users\Admin\AppData\Local\Temp\fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fb25ae4ad306c725f65805a5860afbc2_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\xctoumqmwusn.exe
    C:\Windows\xctoumqmwusn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\xctoumqmwusn.exe
      C:\Windows\xctoumqmwusn.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4428
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff971c946f8,0x7ff971c94708,0x7ff971c94718
        6⤵
        
        PID:3248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,197772501411073695,15551886169878923882,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        6⤵
        
        PID:1724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,197772501411073695,15551886169878923882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        6⤵
        
        PID:1204
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,197772501411073695,15551886169878923882,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
        6⤵
        
        PID:4480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,197772501411073695,15551886169878923882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        6⤵
        
        PID:4360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,197772501411073695,15551886169878923882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        6⤵
        
        PID:4160
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,197772501411073695,15551886169878923882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
        6⤵
        
        PID:1160
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,197772501411073695,15551886169878923882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
        6⤵
        
        PID:4220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,197772501411073695,15551886169878923882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
        6⤵
        
        PID:3976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,197772501411073695,15551886169878923882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
        6⤵
        
        PID:844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,197772501411073695,15551886169878923882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
        6⤵
        
        PID:2816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,197772501411073695,15551886169878923882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
        6⤵
        
        PID:1616
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XCTOUM~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\FB25AE~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ctpeb.html

Filesize
12KB

MD5
4dc9372c74fb9c4b8b7a7de8c99b1387

SHA1
d94db225baec209ab952423eba26fba72fd80150

SHA256
d61b841afca231fe41aa551e6e975f3edefe48ab1f89de5e14a03d600759e780

SHA512
32d50203a193b021b9f9f8ab5149bb71588d8faf30ee2c3bb4f9784d6decd387cdf4d095a418563d3124d583d153722cb69fdcebca86af3cb57cd231570a73e1

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ctpeb.png

Filesize
65KB

MD5
6005e6aea6f20e9c9dea379f2df48832

SHA1
a198f89cc1c1925d6739f2ce7e53b802a14a8a43

SHA256
a55024860de8a393151c470ea42d6e44534e1e980121590fcbad6ea9c33d150b

SHA512
94936908ebdc6660742845452899bb972a720416f9332c681c843bf25efebe0c23fb99a05ba4caf0b6d212f53cd43deeac0f5a371b6bfd51633c905305c7361d

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ctpeb.txt

Filesize
1KB

MD5
65fdf7984fb154d7bf0d6975f1039635

SHA1
3c2ccb22d270a3118b3ed80bbe9348389b87ff86

SHA256
b9f7c4e7b758df65e676e6b43eb4c90b82965f5150bd64f1e58b1f56c7ed0896

SHA512
a5c8edfe5405942284615f78024b6e1651ca27436ed7984761534bb8153a10556ceadddb813b883bbf7207f0526eb6ce1211556f570f46e71786d60787ef0846

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
660e6500b8ca68f38b2f1ea5d090a4c0

SHA1
59c028f0f406dae4dd688935a7509da5d2e044bb

SHA256
a5ba0db8205a8a85717448c57439297926290d6fbadaef623a7e37b1275ca820

SHA512
0061f9c99420b21d7cc108bad3d21ee39faaed51396d3dbe8922468f626dce18261a237f670f6ae459741afee84b211cfa568430fca834f824d02f0605cf7795

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
c596f2eb13473c665fe52ab618b2a8ef

SHA1
851ad93d5f134cb51e86a11103d9e280cd4a6097

SHA256
68b8df01928e2a4057f3c1d4a2401bf821e113c53673e172b1f0c035a4ac78d9

SHA512
992549e7f0748c4c1ec3cc3c65263a18772da7c2eadd501d782e41ed2f241a93586447169563387a83e4b601bb1f82e41cb0e02f5ae28c6c7582584bd1a3a922

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
c36f8ab9760b690c5e63a7840847a5d5

SHA1
802953c09422aea1746def5cfa3149b037c6b4de

SHA256
aacce3cca9e230ad431185af7a9cefaeec187ee37c1c92135e3e88554ee2d884

SHA512
fc18e915c9a50e8ce59f5a08f76cd5661d3b5a3e42d15581325624841c96be158175dccaf94c8e5552d4f66fa02815a7c4474d347ce032d5b51f01e44a5edf95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14a268b83935ba740f5ea1949b40acbb

SHA1
71dfd78e8ed365ba4f93d471badf39f0be287581

SHA256
6ed9d12637d8ba002020da781c302eb9dd39f9d4b0f054d5ef31a78abef3e639

SHA512
0ddf34bf386c827772fe4ecc707731290099d18a704c9b073d25d208c2a4f710169bbef7289912ffc734af20357a192f300a4c277180f43ed1e96519f5e9d034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b0c19537795457a0368f3736bd99bd1

SHA1
d1b919d7987271fc5e744e00b39deab3930b3dc1

SHA256
b43d44e9a70e3d0b11adfc8988ebb78c8027bf6021098f0f584f0fdd7db62969

SHA512
9e2ec7f63b33f3412901ee022b1c1e72e7097610073a2724047f38cfac9d36035fca73ef5f9fbe5adfa236e033d1a436c7fc9ccfa015c532865b2e0996e7cbf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bc91482191db5ff4e404bf223afaa3e5

SHA1
71c9a1d65909ba9be50200a38230eb00133ece2c

SHA256
a569315f913a542262d82c7f7ad932c5e60c60c25bc4acfbe50d4345b5cd5eaa

SHA512
4552532ca61f8e3b7830569ffab98250e341d1cee1c9b5f8e9c99dc59bd7bef00ba53587071113e0365fdaa9efa86ee1230b611805ee5615835eed789f7611c9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt

Filesize
77KB

MD5
33d47619621912cdfb2c5877070a2714

SHA1
75b56ca1137c81a34d2d2a245bf5a5bec25c4e74

SHA256
3d9a0b3e246dabd75a99bea34bc3eccad52e96e2ee834f861e96f30a07c64975

SHA512
c88eb5d897acf1130a4494d1a10bfa792a24a4eddab9ae860c77768e9ef8da00aa8cc94dabd3842bb3c5d53b1373424a725bd5cac563f4fce555162e0cb0a68d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt

Filesize
47KB

MD5
0d858bb03dafee8082344d96f9b79de2

SHA1
cd7c255734e64fea4931ec9a76785b2eeb2046c9

SHA256
d38def3394993c6255c1f2bf099287f9da6f982af31a4bf8252527a23e662521

SHA512
ef90fe9022c992bbf9fd4e84e48ee528fdfc8b07090b5a8879bb75f40f8d2ce4161401b46643e7bf67ed1adb5133625963fe6b446900ffceb94a232a0c142a80

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt

Filesize
74KB

MD5
95c76528e29c472eabcab841a2f94da6

SHA1
fff7386f6efa2afe63ff1ebef78ea2ec6cffd1cd

SHA256
154526ca0cd2aa0b70b780ccf57ba6086fb9ba7eea054662403cbc90c4681afb

SHA512
d4d4bc37a67c8da85e2586e6715471669bd22722a00c6351727c1974a2a7fe992d8264ad88c732fb77a66ac00efa573d5afa500c6ae0bd7f5854006ff798cb86

Download Submit
C:\Windows\xctoumqmwusn.exe

Filesize
348KB

MD5
fb25ae4ad306c725f65805a5860afbc2

SHA1
95f37a9897a9e87ebeac02af07dad74e065f5402

SHA256
ff643671b6b76520a3a2478674914bd64ff41c7de9021e77bdeeb78df2b4a807

SHA512
8f2e1467d576be29937bd58586b8e1678b68f17b51579610fc4d51aca8d80ae1491f3704a9f7459165197fec2b61b68a919e11477560aa9665fc4ac461d29eb7

Download Submit
memory/1756-12-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3096-0-0x0000000002260000-0x0000000002264000-memory.dmp

Filesize
16KB

Download
memory/3096-4-0x0000000002260000-0x0000000002264000-memory.dmp

Filesize
16KB

Download
memory/3096-1-0x0000000002260000-0x0000000002264000-memory.dmp

Filesize
16KB

Download
memory/4428-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-10787-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-2212-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-2210-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-4287-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-7484-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-10358-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-10786-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-262-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-10795-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-10797-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4428-10838-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4540-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4540-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4540-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4540-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4540-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download