teslacrypt | a9bcbc903b6a4fe98280f6de765c3362bdddc2fd49ce3312287c0a9ccdb4a526

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe
Size

352KB
MD5

820330e49a0f1aa4aca6fed989d07083
SHA1

a9a90a57252ae0ce4adf0a6d1b2a7de0cc4775d1
SHA256

a9bcbc903b6a4fe98280f6de765c3362bdddc2fd49ce3312287c0a9ccdb4a526
SHA512

425229479c423bcd16502954d851cbad8199fa2ac4fe1e8b2a029470e589bfbff41aab6ae9bea2216f4cb3c3fa69f1cc54c8f1747cf44d1d82551c875640930c
SSDEEP

6144:pMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:pTb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+uibug.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6FEC71412767C9 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6FEC71412767C9 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/6FEC71412767C9 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/6FEC71412767C9 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6FEC71412767C9 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6FEC71412767C9 http://yyre45dbvn2nhbefbmh.begumvelic.at/6FEC71412767C9 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/6FEC71412767C9

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6FEC71412767C9

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6FEC71412767C9

http://yyre45dbvn2nhbefbmh.begumvelic.at/6FEC71412767C9

http://xlowfznrg4wf7dli.ONION/6FEC71412767C9

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (883) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sumknuuhadbo.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+uibug.png	sumknuuhadbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+uibug.html	sumknuuhadbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+uibug.png	sumknuuhadbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+uibug.html	sumknuuhadbo.exe

Executes dropped EXE 1 IoCs

pid	Process
4368	sumknuuhadbo.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dtbtqcu = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\sumknuuhadbo.exe"	sumknuuhadbo.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-32.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\MediumTile.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\169.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\View3d\_ReCoVeRy_+uibug.html	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+uibug.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-200.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+uibug.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-black_scale-100.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-125.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteWideTile.scale-150.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\_ReCoVeRy_+uibug.html	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-white\_ReCoVeRy_+uibug.html	sumknuuhadbo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-400.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-125.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\_ReCoVeRy_+uibug.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\7.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\sms_failure_illustration.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-400.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-125.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_contrast-white.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-32_contrast-black.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\75.jpg	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\_ReCoVeRy_+uibug.html	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-140.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\SmallTile.scale-125.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Preview.scale-200_layoutdir-LTR.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FaceReco_Illustration_SM.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-250.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-400.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_ReCoVeRy_+uibug.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_ReCoVeRy_+uibug.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	sumknuuhadbo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\logo.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-black_scale-100.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-300.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\_ReCoVeRy_+uibug.html	sumknuuhadbo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_ReCoVeRy_+uibug.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-125_contrast-black.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileSmallSquare.scale-200.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-150_contrast-black.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+uibug.txt	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-48_altform-unplated_contrast-white.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-100_contrast-white.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_ReCoVeRy_+uibug.html	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\ellipsis_16x16x32.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-200.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	sumknuuhadbo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\_ReCoVeRy_+uibug.html	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xecd0.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-black.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Camera_Capture.m4a	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\203.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png	sumknuuhadbo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-100_contrast-white.png	sumknuuhadbo.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sumknuuhadbo.exe	820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe
File opened for modification	C:\Windows\sumknuuhadbo.exe	820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sumknuuhadbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sumknuuhadbo.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2100	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe
4368	sumknuuhadbo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe
Token: SeDebugPrivilege	4368	sumknuuhadbo.exe
Token: SeIncreaseQuotaPrivilege	3248	WMIC.exe
Token: SeSecurityPrivilege	3248	WMIC.exe
Token: SeTakeOwnershipPrivilege	3248	WMIC.exe
Token: SeLoadDriverPrivilege	3248	WMIC.exe
Token: SeSystemProfilePrivilege	3248	WMIC.exe
Token: SeSystemtimePrivilege	3248	WMIC.exe
Token: SeProfSingleProcessPrivilege	3248	WMIC.exe
Token: SeIncBasePriorityPrivilege	3248	WMIC.exe
Token: SeCreatePagefilePrivilege	3248	WMIC.exe
Token: SeBackupPrivilege	3248	WMIC.exe
Token: SeRestorePrivilege	3248	WMIC.exe
Token: SeShutdownPrivilege	3248	WMIC.exe
Token: SeDebugPrivilege	3248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3248	WMIC.exe
Token: SeRemoteShutdownPrivilege	3248	WMIC.exe
Token: SeUndockPrivilege	3248	WMIC.exe
Token: SeManageVolumePrivilege	3248	WMIC.exe
Token: 33	3248	WMIC.exe
Token: 34	3248	WMIC.exe
Token: 35	3248	WMIC.exe
Token: 36	3248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3248	WMIC.exe
Token: SeSecurityPrivilege	3248	WMIC.exe
Token: SeTakeOwnershipPrivilege	3248	WMIC.exe
Token: SeLoadDriverPrivilege	3248	WMIC.exe
Token: SeSystemProfilePrivilege	3248	WMIC.exe
Token: SeSystemtimePrivilege	3248	WMIC.exe
Token: SeProfSingleProcessPrivilege	3248	WMIC.exe
Token: SeIncBasePriorityPrivilege	3248	WMIC.exe
Token: SeCreatePagefilePrivilege	3248	WMIC.exe
Token: SeBackupPrivilege	3248	WMIC.exe
Token: SeRestorePrivilege	3248	WMIC.exe
Token: SeShutdownPrivilege	3248	WMIC.exe
Token: SeDebugPrivilege	3248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3248	WMIC.exe
Token: SeRemoteShutdownPrivilege	3248	WMIC.exe
Token: SeUndockPrivilege	3248	WMIC.exe
Token: SeManageVolumePrivilege	3248	WMIC.exe
Token: 33	3248	WMIC.exe
Token: 34	3248	WMIC.exe
Token: 35	3248	WMIC.exe
Token: 36	3248	WMIC.exe
Token: SeBackupPrivilege	4928	vssvc.exe
Token: SeRestorePrivilege	4928	vssvc.exe
Token: SeAuditPrivilege	4928	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe
Token: SeManageVolumePrivilege	1800	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 4368	1652	820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe	88
PID 1652 wrote to memory of 4368	1652	820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe	88
PID 1652 wrote to memory of 4368	1652	820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe	88
PID 1652 wrote to memory of 2400	1652	820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe	89
PID 1652 wrote to memory of 2400	1652	820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe	89
PID 1652 wrote to memory of 2400	1652	820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe	89
PID 4368 wrote to memory of 3248	4368	sumknuuhadbo.exe	92
PID 4368 wrote to memory of 3248	4368	sumknuuhadbo.exe	92
PID 4368 wrote to memory of 2100	4368	sumknuuhadbo.exe	111
PID 4368 wrote to memory of 2100	4368	sumknuuhadbo.exe	111
PID 4368 wrote to memory of 2100	4368	sumknuuhadbo.exe	111
PID 4368 wrote to memory of 4552	4368	sumknuuhadbo.exe	112
PID 4368 wrote to memory of 4552	4368	sumknuuhadbo.exe	112
PID 4552 wrote to memory of 3572	4552	msedge.exe	113
PID 4552 wrote to memory of 3572	4552	msedge.exe	113
PID 4368 wrote to memory of 1800	4368	sumknuuhadbo.exe	114
PID 4368 wrote to memory of 1800	4368	sumknuuhadbo.exe	114
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 1536	4552	msedge.exe	116
PID 4552 wrote to memory of 4932	4552	msedge.exe	117
PID 4552 wrote to memory of 4932	4552	msedge.exe	117
PID 4552 wrote to memory of 4484	4552	msedge.exe	118
PID 4552 wrote to memory of 4484	4552	msedge.exe	118
PID 4552 wrote to memory of 4484	4552	msedge.exe	118
PID 4552 wrote to memory of 4484	4552	msedge.exe	118
PID 4552 wrote to memory of 4484	4552	msedge.exe	118

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sumknuuhadbo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	sumknuuhadbo.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\820330e49a0f1aa4aca6fed989d07083_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\sumknuuhadbo.exe
  C:\Windows\sumknuuhadbo.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4368
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:2100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe756846f8,0x7ffe75684708,0x7ffe75684718
      4⤵
      PID:3572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2357502516571749441,12524508622392130823,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:1536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2357502516571749441,12524508622392130823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      PID:4932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2357502516571749441,12524508622392130823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
      4⤵
      PID:4484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2357502516571749441,12524508622392130823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      PID:4140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2357502516571749441,12524508622392130823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
      4⤵
      PID:880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2357502516571749441,12524508622392130823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
      4⤵
      PID:3208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2357502516571749441,12524508622392130823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
      4⤵
      PID:4300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2357502516571749441,12524508622392130823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
      4⤵
      PID:2260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2357502516571749441,12524508622392130823,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
      4⤵
      PID:4768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2357502516571749441,12524508622392130823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
      4⤵
      PID:4960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2357502516571749441,12524508622392130823,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
      4⤵
      PID:4148
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SUMKNU~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\820330~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+uibug.html

Filesize
12KB

MD5
562e574d5aeba3487f0da6fa6cbbb00c

SHA1
85a6750f795870a92ea355c65596f3eca8bc251b

SHA256
e3369ea7a083991048650f9a09f8d97984dfc3369c49c07d57e9a929783275ba

SHA512
620528eb44f062b194609a629295752211ab9b6e36eaecfec9f078bf5e5b690131c237664b437f0ee3aca3e31273adf0830940b0218c5679a0d5440a5f718b00

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+uibug.png

Filesize
64KB

MD5
7f42aba16e49019d4d77411d1f6aadb2

SHA1
50fa53fe51673e60c973f8a306c96268f4f23457

SHA256
726813ddb3156d5b2f6db8ea7753d335bb275342f274d27293d01087fde92d89

SHA512
43fa0051958276ec1c914ff4d69aa2b94c5aad4aa8c11d6d6ed873a57d224d04840ac84096bb31cfb62d9519d60a05d8d054b99a991f4691faa750985b17417c

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+uibug.txt

Filesize
1KB

MD5
f19988687dade794cb548287f6a5b96b

SHA1
4ff1f9ad18dfa056cb583313952b1b36d3d40160

SHA256
33c9bc85259d8c4ba5ccca0df8e15f9cf3d6466e8a95d0109c0e4a7e08befd43

SHA512
905390fb71645f758e915543c7fc85c71e568b22bbb6e89d4abe48bad46710904e43f9375ebde1695c6070603f4f5545263055e9a26fb0a3b043cbf4e5c5651d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
e89dbebf24ebbccc8ad7a9cada7b30e6

SHA1
33a0f2db3b01fa222787f84055c2925da6a4d28f

SHA256
0af17eafc1b76b10477373acf968e5af6d30e9eb9f869fb3c32ec793e5b51633

SHA512
ce130154df11f6aa68310849d005d205f386131759544be8fe3fbf61adf1cff44a6d56c92ca93517b354e87c69a334e02d312fd68c341a6057355e7b53bf3749

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
6814e96c4dcf534f78cb8db832fba1ec

SHA1
5d5a63608461c3f2e5e39e9839df113ef020b86e

SHA256
9126c7926a571d2964d9d64308ffd72be0b39c52d3c1a6a635bcf54d044e55ae

SHA512
5604095afa531d190944d296e4d7a09e0186bba26c93fa10af61b7d470daadf8a8a9defb6fe69eedfd0f943b151f4278081937afd03b74dcea17105b03c78b23

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
6088a30cf6c7e39fdde1e98dabb99fcd

SHA1
0d6d5401623c3315c647b74737f06395fefc94d0

SHA256
c204932b965301ee531cc2397afcd8f5955fd69b341be66ef78d174f7013e728

SHA512
fba53d70b2a49afe26418c3575e03e16af68cc08a96aca80b6b889b8b8e88bd6cc7a4c6e9c966b223003e612308919f634170e3429250b706bad6c976e189338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
91f81e78dffe2dee982f3d672a9f2a1e

SHA1
8d73692d65b56c9797b85d2773e849bf9c52abdb

SHA256
49bda08eead1d0162fbaee092f68de91f8b99dd031b2a1de24721248459aab82

SHA512
3ade527b35d2f9d548b86aef21f3f410af165661e748b40d473a81ca229e54d41439fbaf723af835bd8f20a1c332a58b7230f2067e7d197c0b38956c5c79201d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1cb0cff55d3a740b103fdde49a3f3a39

SHA1
2775aafb097fef6128a891c32884ba07749ae9f4

SHA256
73656a0e91fb3ed6932706bb3ae0c1b177e933179c216eeeb899dae01f0b2962

SHA512
3bbcbd430bea0439032f6ac0a9871054c5c3760ed8c16f4f67b6bc4f8a882ab00e58811df29af76b143fd42cc82f82528779e034ad750ff505271a0efa459502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bed38100814aa913a851345041057755

SHA1
0ea6cb9bc2d3b3fe034690bd940bb8f9f2505e54

SHA256
43acc1ac04b954cb683391d11169c9bb1ee3413ab5b8b6d67fb7294004ca3c9a

SHA512
e93b624a620006c706aac02618a8b32598596628cb56290fc583bbf50fbcc8b9930a627feadbcd9a7b2040d1a609cfdd6a704c37ac4ec420d006d708160c85d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt

Filesize
77KB

MD5
c8b786995c51e03d5be5d23b50db3d86

SHA1
3f102a31a29631006e97027e99ece683adb924b3

SHA256
bddee87adaf9af9c05841309c17719fe3bfc1dbb1b6774748e2fea74a900e95a

SHA512
d752a8478d693d7bd64f8a70f70bc7f38cea94a6f98b1176814374b875b75574c942f5e928d8166341210e74b652004e1d9588bfd797224ef089c97a45b41fd2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt

Filesize
47KB

MD5
2c17bb962804a8227772371d91c5674a

SHA1
b50707144ca779d419e3febdc20977106ba2b3c6

SHA256
10e58586a343316c462cd26267bf206b9f59e9b917025d821bb69a13ff922af6

SHA512
146bc2c988838600907706eb1c2bcd7885b88d2055a70405098520475d588fda3b17bccf871a432943768f5e71096898ca4200c5a52038b06de977c9e9b394c8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt

Filesize
74KB

MD5
deb9498c06b019b95ef2ac66deb07a36

SHA1
181a889dce16631ab1e8fc55ef34b187b7117492

SHA256
916893c0d3c9614d025b62c6247df566bd30fd4ba486d760747a0347981314b4

SHA512
11d46dc659aac2506a0c0223bac5f34f7ac94a9e7c00b54feaef2eecacdf48c8e17988b92aa749c4640e59121afcaf8226ecf4a1aaf9bc3fe6c427eca9144b95

Download Submit
C:\Windows\sumknuuhadbo.exe

Filesize
352KB

MD5
820330e49a0f1aa4aca6fed989d07083

SHA1
a9a90a57252ae0ce4adf0a6d1b2a7de0cc4775d1

SHA256
a9bcbc903b6a4fe98280f6de765c3362bdddc2fd49ce3312287c0a9ccdb4a526

SHA512
425229479c423bcd16502954d851cbad8199fa2ac4fe1e8b2a029470e589bfbff41aab6ae9bea2216f4cb3c3fa69f1cc54c8f1747cf44d1d82551c875640930c

Download Submit
memory/1652-9-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1652-0-0x0000000002240000-0x00000000022C6000-memory.dmp

Filesize
536KB

Download
memory/1652-10-0x0000000002240000-0x00000000022C6000-memory.dmp

Filesize
536KB

Download
memory/1652-2-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4368-5156-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4368-10716-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4368-10702-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4368-8521-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4368-10747-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4368-2354-0x0000000002130000-0x00000000021B6000-memory.dmp

Filesize
536KB

Download
memory/4368-2350-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4368-11-0x0000000002130000-0x00000000021B6000-memory.dmp

Filesize
536KB

Download