teslacrypt | 9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Size

388KB
MD5

a0340430d4b1c1f6dd4048ab98f2e4b2
SHA1

a43ff275972b4ed9b7f3ece61d7d49375db635e9
SHA256

9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217
SHA512

54ca85bee0ded2a742c767565159c0e3121d8cd1d97cebc751d067b1ea45d9fca86b6d5acad5b472eddef23d20afcc8ae3497cdd411fd9f393d80e0c90f2cd8d
SSDEEP

12288:XhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:p4DRw7325gPh

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+qdxiw.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CFBAE76551EA4233 2. http://kkd47eh4hdjshb5t.angortra.at/CFBAE76551EA4233 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/CFBAE76551EA4233 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/CFBAE76551EA4233 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CFBAE76551EA4233 http://kkd47eh4hdjshb5t.angortra.at/CFBAE76551EA4233 http://ytrest84y5i456hghadefdsd.pontogrot.com/CFBAE76551EA4233 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/CFBAE76551EA4233

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CFBAE76551EA4233

http://kkd47eh4hdjshb5t.angortra.at/CFBAE76551EA4233

http://ytrest84y5i456hghadefdsd.pontogrot.com/CFBAE76551EA4233

http://xlowfznrg4wf7dli.ONION/CFBAE76551EA4233

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (875) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	bsaobhvlnqea.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+qdxiw.txt	bsaobhvlnqea.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qdxiw.txt	bsaobhvlnqea.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qdxiw.html	bsaobhvlnqea.exe

Executes dropped EXE 2 IoCs

pid	Process
2992	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dhiygtvrbpir = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\bsaobhvlnqea.exe\""	bsaobhvlnqea.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2344 set thread context of 1684	2344	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 2992 set thread context of 392	2992	bsaobhvlnqea.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Recovery+qdxiw.txt	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-16_altform-unplated.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-96_altform-unplated.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\LargeTile.scale-100.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\Recovery+qdxiw.txt	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.scale-100_contrast-white.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-20.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Recovery+qdxiw.txt	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-100.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\Internet Explorer\Recovery+qdxiw.txt	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewer\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MixedRealityPortalStoreLogo.scale-125.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-64_altform-unplated.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-150_contrast-black.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-150.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-200.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\Recovery+qdxiw.txt	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\WideTile.scale-125.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-400_contrast-white.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\messaging\bookmark_empty_state.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+qdxiw.txt	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-48_altform-unplated.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-64.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-30_altform-lightunplated.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\x64\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-24.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-40_altform-unplated.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\WinMetadata\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-16_altform-unplated.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Recovery+qdxiw.txt	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-white_scale-100.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-150.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalMedTile.scale-200_contrast-black.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-unplated_contrast-white.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-200_contrast-black.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+qdxiw.txt	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Recovery+qdxiw.html	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-200_contrast-black.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ml-IN\View3d\Recovery+qdxiw.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\LargeTile.scale-125_contrast-white.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-200.png	bsaobhvlnqea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\Recovery+qdxiw.png	bsaobhvlnqea.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\bsaobhvlnqea.exe	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
File opened for modification	C:\Windows\bsaobhvlnqea.exe	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsaobhvlnqea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsaobhvlnqea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	bsaobhvlnqea.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2156	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe
392	bsaobhvlnqea.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Token: SeDebugPrivilege	392	bsaobhvlnqea.exe
Token: SeIncreaseQuotaPrivilege	2932	WMIC.exe
Token: SeSecurityPrivilege	2932	WMIC.exe
Token: SeTakeOwnershipPrivilege	2932	WMIC.exe
Token: SeLoadDriverPrivilege	2932	WMIC.exe
Token: SeSystemProfilePrivilege	2932	WMIC.exe
Token: SeSystemtimePrivilege	2932	WMIC.exe
Token: SeProfSingleProcessPrivilege	2932	WMIC.exe
Token: SeIncBasePriorityPrivilege	2932	WMIC.exe
Token: SeCreatePagefilePrivilege	2932	WMIC.exe
Token: SeBackupPrivilege	2932	WMIC.exe
Token: SeRestorePrivilege	2932	WMIC.exe
Token: SeShutdownPrivilege	2932	WMIC.exe
Token: SeDebugPrivilege	2932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2932	WMIC.exe
Token: SeRemoteShutdownPrivilege	2932	WMIC.exe
Token: SeUndockPrivilege	2932	WMIC.exe
Token: SeManageVolumePrivilege	2932	WMIC.exe
Token: 33	2932	WMIC.exe
Token: 34	2932	WMIC.exe
Token: 35	2932	WMIC.exe
Token: 36	2932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1784	WMIC.exe
Token: SeSecurityPrivilege	1784	WMIC.exe
Token: SeTakeOwnershipPrivilege	1784	WMIC.exe
Token: SeLoadDriverPrivilege	1784	WMIC.exe
Token: SeSystemProfilePrivilege	1784	WMIC.exe
Token: SeSystemtimePrivilege	1784	WMIC.exe
Token: SeProfSingleProcessPrivilege	1784	WMIC.exe
Token: SeIncBasePriorityPrivilege	1784	WMIC.exe
Token: SeCreatePagefilePrivilege	1784	WMIC.exe
Token: SeBackupPrivilege	1784	WMIC.exe
Token: SeRestorePrivilege	1784	WMIC.exe
Token: SeShutdownPrivilege	1784	WMIC.exe
Token: SeDebugPrivilege	1784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1784	WMIC.exe
Token: SeRemoteShutdownPrivilege	1784	WMIC.exe
Token: SeUndockPrivilege	1784	WMIC.exe
Token: SeManageVolumePrivilege	1784	WMIC.exe
Token: 33	1784	WMIC.exe
Token: 34	1784	WMIC.exe
Token: 35	1784	WMIC.exe
Token: 36	1784	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1684	2344	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 2344 wrote to memory of 1684	2344	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 2344 wrote to memory of 1684	2344	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 2344 wrote to memory of 1684	2344	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 2344 wrote to memory of 1684	2344	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 2344 wrote to memory of 1684	2344	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 2344 wrote to memory of 1684	2344	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 2344 wrote to memory of 1684	2344	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 2344 wrote to memory of 1684	2344	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 2344 wrote to memory of 1684	2344	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 1684 wrote to memory of 2992	1684	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	99
PID 1684 wrote to memory of 2992	1684	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	99
PID 1684 wrote to memory of 2992	1684	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	99
PID 1684 wrote to memory of 3248	1684	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	100
PID 1684 wrote to memory of 3248	1684	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	100
PID 1684 wrote to memory of 3248	1684	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	100
PID 2992 wrote to memory of 392	2992	bsaobhvlnqea.exe	103
PID 2992 wrote to memory of 392	2992	bsaobhvlnqea.exe	103
PID 2992 wrote to memory of 392	2992	bsaobhvlnqea.exe	103
PID 2992 wrote to memory of 392	2992	bsaobhvlnqea.exe	103
PID 2992 wrote to memory of 392	2992	bsaobhvlnqea.exe	103
PID 2992 wrote to memory of 392	2992	bsaobhvlnqea.exe	103
PID 2992 wrote to memory of 392	2992	bsaobhvlnqea.exe	103
PID 2992 wrote to memory of 392	2992	bsaobhvlnqea.exe	103
PID 2992 wrote to memory of 392	2992	bsaobhvlnqea.exe	103
PID 2992 wrote to memory of 392	2992	bsaobhvlnqea.exe	103
PID 392 wrote to memory of 2932	392	bsaobhvlnqea.exe	104
PID 392 wrote to memory of 2932	392	bsaobhvlnqea.exe	104
PID 392 wrote to memory of 2156	392	bsaobhvlnqea.exe	108
PID 392 wrote to memory of 2156	392	bsaobhvlnqea.exe	108
PID 392 wrote to memory of 2156	392	bsaobhvlnqea.exe	108
PID 392 wrote to memory of 4928	392	bsaobhvlnqea.exe	109
PID 392 wrote to memory of 4928	392	bsaobhvlnqea.exe	109
PID 4928 wrote to memory of 3380	4928	msedge.exe	110
PID 4928 wrote to memory of 3380	4928	msedge.exe	110
PID 392 wrote to memory of 1784	392	bsaobhvlnqea.exe	111
PID 392 wrote to memory of 1784	392	bsaobhvlnqea.exe	111
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113
PID 4928 wrote to memory of 940	4928	msedge.exe	113

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bsaobhvlnqea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	bsaobhvlnqea.exe

C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\bsaobhvlnqea.exe
    C:\Windows\bsaobhvlnqea.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\bsaobhvlnqea.exe
      C:\Windows\bsaobhvlnqea.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:392
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc283b46f8,0x7ffc283b4708,0x7ffc283b4718
        6⤵
        
        PID:3380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11876136119243961260,12872567203537082547,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        6⤵
        
        PID:940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,11876136119243961260,12872567203537082547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        6⤵
        
        PID:3352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,11876136119243961260,12872567203537082547,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
        6⤵
        
        PID:2404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11876136119243961260,12872567203537082547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        6⤵
        
        PID:3676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11876136119243961260,12872567203537082547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        6⤵
        
        PID:636
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11876136119243961260,12872567203537082547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
        6⤵
        
        PID:2896
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11876136119243961260,12872567203537082547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
        6⤵
        
        PID:3240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11876136119243961260,12872567203537082547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
        6⤵
        
        PID:3872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11876136119243961260,12872567203537082547,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
        6⤵
        
        PID:1492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11876136119243961260,12872567203537082547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
        6⤵
        
        PID:1172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11876136119243961260,12872567203537082547,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
        6⤵
        
        PID:4312
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BSAOBH~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A03404~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:64

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+qdxiw.html

Filesize
9KB

MD5
bb28793be49bf07dcd7059e4fd8c30e6

SHA1
5de690fd9dcdc3134189347d44519f1f8bc29e08

SHA256
6e130424069da3c24d86c6e331ef853bfc47b0a4b8d983d3acef53a0269600b6

SHA512
5bf848fe9202ade9b9453bad693ba75345c6f14d40a1f6bf9ad1e58a910d5620ff77bfcd1d26ecc91fd29055f666ab92f3514a54f778e83775ffe92547a5de37

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+qdxiw.png

Filesize
63KB

MD5
b507ceb7bc866423d4128c7d6dd8f277

SHA1
45e914063c2533e68c5fa40f38a1a140adff6e18

SHA256
8f221a6704536b9d348ea3b8ffb5c63756f23b867b1d6aa542a3667165044acf

SHA512
da96acaee6bab2fa7a2a57dc54208bb7b6579a94c6865d06ad13577e4fa1bcd5e7cd3353475de4eca0bd250f2e4f42d30bd3a078d2cce2e0b4639b08543a55d5

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+qdxiw.txt

Filesize
1KB

MD5
740d9262c752fd577e6def534145543e

SHA1
f78d21b0f8eb31af349dc9ab7b83bbc1330badab

SHA256
53fe273e8cefbd6ba07803352025068edace9dde87655f1f85aee4e8fcde63d4

SHA512
6a6da3e616a8f38c5c1b5e659ee74d1b9b66f50c04231171f66fe170c73b240a78859eb732822f488d122a713ad1b3d3e934362d186a26e2a05e41ac17e188a3

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
25463d972a4e0f4facc4ff59df3bb352

SHA1
7049fcf844f583c1262ce555b712feb903cd3c4a

SHA256
0d566245fafb55e98388c324ebf8ba8a0eae5a3cb56b6da21a8f3a56ecb4af7c

SHA512
a7375c2cf78e8498fee6ea3c2fe4b0034c1cb51ffd8114cfecbc5d174e34de8e66da51efe64092872c00f6e13b78f6e0c1d4abcfd195ba822045b39c6fea9c26

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
c6e7266d1cb41903f23472f599081bde

SHA1
060f2803ca0e2770c7fb004ce260e37becc21fb7

SHA256
2d5280c6a722291019275d148aba3cb30558d704cdc75aaf3ccc282f7caf0e3b

SHA512
1a72d8e12e2df5115ec192d5de430974ac198490cb31ea2dbc576f653c20bed0b4540762816904e0eee4cdada227154ba688d2f9eb34e7aa02c681a1feb0e36a

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
dc9eea63872386e3d872bc5e43aa4e99

SHA1
4679a5509d057f2a7f0e7fded20658bd12240800

SHA256
20e31aaef509061d68b5ed05ff79b161c1ccb3ddc13146d40376b277ab7b4228

SHA512
85d836f9e1cb67d3f178d3ab4b7e8e5909dd0315468c5bb6bff52e4476358e0283ee2e1258b0ee2e32d84b11d045336f400e124ac4575a76243591bbb0bc754b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d23adbb668d9cf7f5b09e2cd1036f7c

SHA1
07737de0cca93c721af3735589bee8089600d7ef

SHA256
47c90c15159a02f4bbb9d6a65526ea6dfa862415c4e83bc3143d3f534d11f678

SHA512
43c8ec59448b445a592af5855e76ec6c30ec6307a48c1022e7a9fc6abc931267cf3be90319932d858e1ffd91b266d9d7112df575f2ddda63029d46562d186ec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fa51653c871ef96417ac6d0e83266ba2

SHA1
14c2ec00590d416df0d954609ce63623689cdbee

SHA256
a22b271954922cc367b5563f35db9b96eb6bef2f73e6e111813167f15069a579

SHA512
b53ce47412d566bd5431c1df683787a3dc955f260816e1ddada90f7d858765991318ec6ad971a9d8a63ba2739695d6f1d8dfdcd84cebbf4c46bf1f871e80cd31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4419224454ce47b9212ad3cf96a44fcd

SHA1
3e15d320a2115fe8588adbdf340bd808ecf26533

SHA256
e46a579632008dbac6faa58d92be6038883ebd12aac1d9c22385ad3e3bae4eaf

SHA512
8b0eaa60d85bbef271cd4a179a9250b4c8b587e02c53e8ebf8037d12b954568cd44a7c0f633eb2e7052b201db3fee1c61f59ea4c983751921c05180537d165ac

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt

Filesize
77KB

MD5
c6abfbc70947a355d58adf84801cf10c

SHA1
d41ff09789d4354c17e15d637079414de3b54608

SHA256
554a6066f54d80ad76159456404d8ff9eef9c5900f488d877a66796253ebb14f

SHA512
6c74162317a3b03a7d7c0e8821c4efd727097f597cd529b60617401d02296f68ac091feef116c93bcdd8144d9e2a0e1679340f11c82dbafb23083d5cf9e37587

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt

Filesize
47KB

MD5
e44fd8c29b89fe30f7db428ccd66c93e

SHA1
e1257a278891045367dd67a7abb656d0b68d8236

SHA256
f2dd8dcd46822f2290d01851a87fe8453c09cdcd5f6c8e6f14bdb7602495756c

SHA512
c1374c85fc2b6b73c4840ec573c7c50207b7d913dbd7b25d3824f72ad8ab5ae0effc5133d6f8b0906fbd9d88b38765b7527cb4d9aa71aebd56cb7634046eb82d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt

Filesize
74KB

MD5
dbd2900ca59ca029ffe2ad8e97587a88

SHA1
a39453a968c334d159dd1e48ba99c421b062a8c8

SHA256
944e615d4540ee7dcd8a19c88da74b09362ffc7d01a1bfe031f1cccc2cd2b082

SHA512
1d7c6cdded3a74e7ff5e6093e23da4f845bfa37c4a8ecce9a74ea1d7eb7e0976eaadaae33b41c39007d5f6786ddca5c400d62ab7065439d2a3b04d407ba84503

Download Submit
C:\Windows\bsaobhvlnqea.exe

Filesize
388KB

MD5
a0340430d4b1c1f6dd4048ab98f2e4b2

SHA1
a43ff275972b4ed9b7f3ece61d7d49375db635e9

SHA256
9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217

SHA512
54ca85bee0ded2a742c767565159c0e3121d8cd1d97cebc751d067b1ea45d9fca86b6d5acad5b472eddef23d20afcc8ae3497cdd411fd9f393d80e0c90f2cd8d

Download Submit
memory/392-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-10532-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-557-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-2644-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-2645-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-5204-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-10590-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-10543-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-8561-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-10533-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-10541-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1684-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1684-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1684-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1684-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1684-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2344-4-0x00000000006F0000-0x00000000006F3000-memory.dmp

Filesize
12KB

Download
memory/2344-0-0x00000000006F0000-0x00000000006F3000-memory.dmp

Filesize
12KB

Download
memory/2344-1-0x00000000006F0000-0x00000000006F3000-memory.dmp

Filesize
12KB

Download
memory/2992-12-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download