teslacrypt | 65de2df558ebb2488ba1e50bc6fa2ccd2a168fa322b86387e9849b24772fef61

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe
Size

360KB
MD5

6e1521accd328e43641c8c71ebbde64c
SHA1

7a82cfbb067c0b189dc1fa10e916fe763a5e8356
SHA256

65de2df558ebb2488ba1e50bc6fa2ccd2a168fa322b86387e9849b24772fef61
SHA512

827cc80559b04443904fdee9aea46ef7bc22dc28f89369b83a9508a9b54de7d30b627c71740f6a8ac9f89f49d9a614dc3fa84bad57d9fbb934b4e00ced60e4e2
SSDEEP

6144:z6qgoL9xGn4FfcPhe6szbYKMGFtOf7ipZz/aYIZC3FqTzELSyH5vuNAvwu:h9xGbKMAIf7i7vF3FqnEpvmAvB

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECOVERY_+cmyds.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FA345C116F8B4BEE 2. http://tes543berda73i48fsdfsd.keratadze.at/FA345C116F8B4BEE 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/FA345C116F8B4BEE If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/FA345C116F8B4BEE 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FA345C116F8B4BEE http://tes543berda73i48fsdfsd.keratadze.at/FA345C116F8B4BEE http://tt54rfdjhb34rfbnknaerg.milerteddy.com/FA345C116F8B4BEE *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/FA345C116F8B4BEE

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FA345C116F8B4BEE

http://tes543berda73i48fsdfsd.keratadze.at/FA345C116F8B4BEE

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/FA345C116F8B4BEE

http://xlowfznrg4wf7dli.ONION/FA345C116F8B4BEE

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (878) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nlxqbdycgofa.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+cmyds.html	nlxqbdycgofa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+cmyds.html	nlxqbdycgofa.exe

Executes dropped EXE 1 IoCs

pid	Process
3556	nlxqbdycgofa.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chyxtyyrsljj = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\nlxqbdycgofa.exe\""	nlxqbdycgofa.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-200.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-32_altform-unplated.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-125.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Snooze.scale-80.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\Assets\VALoading.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-125.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+cmyds.html	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AboutAdsGenericBackgroundImage.jpg	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32_altform-unplated.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-24_altform-lightunplated.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-20_contrast-white.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\_RECOVERY_+cmyds.html	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-black.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-fullcolor.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-150.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-150.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_altform-unplated.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\_RECOVERY_+cmyds.html	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+cmyds.html	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ca-ES\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\LargeTile.scale-125.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-200_contrast-black.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-40_altform-unplated_contrast-white.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-200.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-150.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_RECOVERY_+cmyds.html	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.White.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\script\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-150.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\_RECOVERY_+cmyds.html	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-16_contrast-black.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40_altform-lightunplated.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-80_altform-unplated.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.scale-200_contrast-white.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-300.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-140.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\_RECOVERY_+cmyds.txt	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\_RECOVERY_+cmyds.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-colorize.png	nlxqbdycgofa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-100.png	nlxqbdycgofa.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\nlxqbdycgofa.exe	6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe
File opened for modification	C:\Windows\nlxqbdycgofa.exe	6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlxqbdycgofa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	nlxqbdycgofa.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2948	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe
3556	nlxqbdycgofa.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe
Token: SeDebugPrivilege	3556	nlxqbdycgofa.exe
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe
Token: 33	1516	WMIC.exe
Token: 34	1516	WMIC.exe
Token: 35	1516	WMIC.exe
Token: 36	1516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe
Token: 33	1516	WMIC.exe
Token: 34	1516	WMIC.exe
Token: 35	1516	WMIC.exe
Token: 36	1516	WMIC.exe
Token: SeBackupPrivilege	3788	vssvc.exe
Token: SeRestorePrivilege	3788	vssvc.exe
Token: SeAuditPrivilege	3788	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2912	WMIC.exe
Token: SeSecurityPrivilege	2912	WMIC.exe
Token: SeTakeOwnershipPrivilege	2912	WMIC.exe
Token: SeLoadDriverPrivilege	2912	WMIC.exe
Token: SeSystemProfilePrivilege	2912	WMIC.exe
Token: SeSystemtimePrivilege	2912	WMIC.exe
Token: SeProfSingleProcessPrivilege	2912	WMIC.exe
Token: SeIncBasePriorityPrivilege	2912	WMIC.exe
Token: SeCreatePagefilePrivilege	2912	WMIC.exe
Token: SeBackupPrivilege	2912	WMIC.exe
Token: SeRestorePrivilege	2912	WMIC.exe
Token: SeShutdownPrivilege	2912	WMIC.exe
Token: SeDebugPrivilege	2912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2912	WMIC.exe
Token: SeRemoteShutdownPrivilege	2912	WMIC.exe
Token: SeUndockPrivilege	2912	WMIC.exe
Token: SeManageVolumePrivilege	2912	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 3556	1356	6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe	87
PID 1356 wrote to memory of 3556	1356	6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe	87
PID 1356 wrote to memory of 3556	1356	6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe	87
PID 1356 wrote to memory of 1072	1356	6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe	88
PID 1356 wrote to memory of 1072	1356	6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe	88
PID 1356 wrote to memory of 1072	1356	6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe	88
PID 3556 wrote to memory of 1516	3556	nlxqbdycgofa.exe	90
PID 3556 wrote to memory of 1516	3556	nlxqbdycgofa.exe	90
PID 3556 wrote to memory of 2948	3556	nlxqbdycgofa.exe	108
PID 3556 wrote to memory of 2948	3556	nlxqbdycgofa.exe	108
PID 3556 wrote to memory of 2948	3556	nlxqbdycgofa.exe	108
PID 3556 wrote to memory of 4876	3556	nlxqbdycgofa.exe	109
PID 3556 wrote to memory of 4876	3556	nlxqbdycgofa.exe	109
PID 4876 wrote to memory of 3996	4876	msedge.exe	110
PID 4876 wrote to memory of 3996	4876	msedge.exe	110
PID 3556 wrote to memory of 2912	3556	nlxqbdycgofa.exe	111
PID 3556 wrote to memory of 2912	3556	nlxqbdycgofa.exe	111
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 996	4876	msedge.exe	114
PID 4876 wrote to memory of 2676	4876	msedge.exe	115
PID 4876 wrote to memory of 2676	4876	msedge.exe	115
PID 4876 wrote to memory of 4816	4876	msedge.exe	116
PID 4876 wrote to memory of 4816	4876	msedge.exe	116
PID 4876 wrote to memory of 4816	4876	msedge.exe	116
PID 4876 wrote to memory of 4816	4876	msedge.exe	116
PID 4876 wrote to memory of 4816	4876	msedge.exe	116

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nlxqbdycgofa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	nlxqbdycgofa.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6e1521accd328e43641c8c71ebbde64c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\nlxqbdycgofa.exe
  C:\Windows\nlxqbdycgofa.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3556
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:2948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb29d46f8,0x7ffeb29d4708,0x7ffeb29d4718
      4⤵
      PID:3996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17149489234014365239,16750352799137047455,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,17149489234014365239,16750352799137047455,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      PID:2676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,17149489234014365239,16750352799137047455,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
      4⤵
      PID:4816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17149489234014365239,16750352799137047455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
      4⤵
      PID:636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17149489234014365239,16750352799137047455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
      4⤵
      PID:4144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17149489234014365239,16750352799137047455,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
      4⤵
      PID:4696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17149489234014365239,16750352799137047455,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
      4⤵
      PID:972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17149489234014365239,16750352799137047455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
      4⤵
      PID:4756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17149489234014365239,16750352799137047455,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
      4⤵
      PID:4008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17149489234014365239,16750352799137047455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
      4⤵
      PID:3708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17149489234014365239,16750352799137047455,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
      4⤵
      PID:2068
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NLXQBD~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6E1521~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECOVERY_+cmyds.html

Filesize
11KB

MD5
af60650b7969da09ed4aa1af7963beb1

SHA1
86c82b652f7a186fe3d649a9fbf9a06e5de1186c

SHA256
7457bbe9c8312b437368fd9a4d16f0ac0e81b401cf705da6691de9569f5080d8

SHA512
9008a752ea03e559d791ed57382d62201a41042af5a576f29250c40d2d88ee58a6abeee076f696dfd4c4f28b5d40d18fc5043ca3f541a20a2bb974e5ce7bbc37

Download Submit
C:\Program Files\7-Zip\Lang\_RECOVERY_+cmyds.png

Filesize
62KB

MD5
579111462711fd01c522ab5c413e08cc

SHA1
6b8e988c768c4df2306f676e7b504fbec9435499

SHA256
293f31b1edbf23048422590b6460341f5e2f81a2fae56c4d68fb856ec3a6182e

SHA512
0c1cb7d95c1ec5845944ad58b442b798f8960ac329265bb1d09e99747bd518276b07930e2dc4737e6938d7492cca83ba137aa969bd5c63e41fc6b0045e1e83ee

Download Submit
C:\Program Files\7-Zip\Lang\_RECOVERY_+cmyds.txt

Filesize
1KB

MD5
f53208698780897fba25671c14547427

SHA1
d5f7dc11e2858d178292251b7f400872f57e1ca9

SHA256
3b13dfb59c8dc6f7b6ff46ffd3ed5579fa84cef08981a22749c430506a771780

SHA512
6b0654dac2a5ad3f4639ae23de50a818def637a6356f2ab7cdabe9fec61e0c3098587522e9ff530689c4c44af53ff4c9bfb3ba00951df96417bb9f23c8d22541

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
ec218befff216f4169e61261585e0d32

SHA1
b7fe0abb345409c27ac2ec62b776700dfd799083

SHA256
134e71304ac417377ebda264a27546340fcec3a817820986dbc11222a301c39c

SHA512
f534b322f63f94d2eefa41243075d90f05e8c765f2d9249688f56a9ec726d16c8e78cf484136386bb80c264e5add7f548d835ee88bb1c9aa098e99ab69e62839

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
94eab476852097e4cf6cfc265a7677e7

SHA1
8e9d8b2b0048267ae6ecba9e2bb69769a615a9b0

SHA256
fac3e0ad4e4e5226a9ae9b543b927a1db82803e8422a9f69f3b30eaa01351f33

SHA512
951bb34c15c366ec77441b8a118737b772a9e86cf0e43cd969a08651c25183087209c439deb6e0cae58a70303a24cd4f98451301a1be9f8eeefe8672797c0275

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
726446a97ccfce5ff37eb17575b20294

SHA1
1dc33d07336180e172ea78cb32e2c99ebc140605

SHA256
a1279c79a4da600f734e168ceca98fab33b9793a5ca82d8027c9ecb6c9c8efdf

SHA512
e178b0e63aa5fd7d13215678a06cb55fdac3b07e4644739856b9136f86e1dfbb3dd7e6333c729174edec22cfc3f62f5d2967afa9d26fc9a77f5d9d8e36798d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e693eb0dd06c07d27cc256a45709eb42

SHA1
9e2f4af70c07109d5a4540df4c7a7b62c1fb7c84

SHA256
bfc004f5560ec2e404c322646f04d44794f22b8b283c857b33bd343f722fa303

SHA512
3034171b3f1150fb96b34693380b5ec6cec421b55ae93c79e6b3823e4df82c35564f9e1129c2f490cd58b3c2ccf687181250133808b825809ff4d7bcb70b93a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
53ef152eff81522121403aea74f89631

SHA1
a8eba06094d2ee1880804c3bc6c89cd367b4c1e0

SHA256
73b37d01a78d46643dc92da2ceb948b5bcbfef4b234962e0121a46ef05d8d647

SHA512
4c2b9cae82f5453e0e33d4ca7460140a742e74c829e1ac19d6222fde35c34cf07186893f1650f94482dc052aab00c19e16d7ec5bbff0cff56da9abb15e0f1ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d16ab98b3469fc97bd88977aab0ea8e

SHA1
3801a0dfcb329413c2256bf768dbe314ca6b8a49

SHA256
e19ce755f77f259fbf0d160c79258c2ae5357dbcd525f8ce19b201e2ae62e6d5

SHA512
bf206e1154a5d868e1f861d09bcffb87a1e3210f7361623a2731a3206be396fc234e19fcc2cc766b1e6abb7910912aac48993fa979aaa67c3e7e5c7539eb083e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt

Filesize
77KB

MD5
bbbeb01e1b8979af4543cd8ba6a1479b

SHA1
d4ed21a7ffced682dec14b3a5d2462e9c5741ee6

SHA256
08fa833a02841b75993b3c7b5ccd6c127becd3ecfd4e80329877418456fed0e1

SHA512
2f895f598ec89a332e9456e6fb957f81852270c115a2a34b4f57d0497c2c57cc801364c00bc12093a077e89eb58f27650708c87cd63bf32bdd45a2d2d2d16925

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt

Filesize
47KB

MD5
b7b43240de5d790a32dcebe84a323a4d

SHA1
4c313da412915e6803d37433fea5d5a643eee04a

SHA256
0404baf04fffb4054c198c4b3cdeccdc8374f2f0ea63c653d65eff5a3afeffc5

SHA512
b7668476017f7e888db7254f16ecc568c53e3b1fa26fc0316b2c19dd8ebae5a95f3732ac1abb648a1e2dd101ec0c2e7680c856689a2162816acab09f28aa0ac0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt

Filesize
74KB

MD5
226e996722e0d621ba1f87c6b3b4f2f8

SHA1
7076384e627de946592d0dc6e7cc719e5d833f15

SHA256
401e5d513645e4e0c661bbb75ece5fd88f5b5c8014a66084e70adda956a6e8d5

SHA512
c6e816616b11f23391771b90cecc134a8ead480e28cd4a235d05868bbdb2ef67c383579ed2737ad843f463806623b60828e8fb48651ee5b7bbcef5cbd4c7b972

Download Submit
C:\Windows\nlxqbdycgofa.exe

Filesize
360KB

MD5
6e1521accd328e43641c8c71ebbde64c

SHA1
7a82cfbb067c0b189dc1fa10e916fe763a5e8356

SHA256
65de2df558ebb2488ba1e50bc6fa2ccd2a168fa322b86387e9849b24772fef61

SHA512
827cc80559b04443904fdee9aea46ef7bc22dc28f89369b83a9508a9b54de7d30b627c71740f6a8ac9f89f49d9a614dc3fa84bad57d9fbb934b4e00ced60e4e2

Download Submit
memory/1356-0-0x00000000022F0000-0x0000000002375000-memory.dmp

Filesize
532KB

Download
memory/1356-2-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1356-10-0x00000000022F0000-0x0000000002375000-memory.dmp

Filesize
532KB

Download
memory/1356-9-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3556-4957-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3556-8271-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3556-10743-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3556-10747-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3556-11-0x0000000002150000-0x00000000021D5000-memory.dmp

Filesize
532KB

Download
memory/3556-2380-0x0000000002150000-0x00000000021D5000-memory.dmp

Filesize
532KB

Download
memory/3556-2373-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3556-10793-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download