teslacrypt | 9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Size

388KB
MD5

a0340430d4b1c1f6dd4048ab98f2e4b2
SHA1

a43ff275972b4ed9b7f3ece61d7d49375db635e9
SHA256

9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217
SHA512

54ca85bee0ded2a742c767565159c0e3121d8cd1d97cebc751d067b1ea45d9fca86b6d5acad5b472eddef23d20afcc8ae3497cdd411fd9f393d80e0c90f2cd8d
SSDEEP

12288:XhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:p4DRw7325gPh

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+lkqpx.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/F17F99ED2972730 2. http://kkd47eh4hdjshb5t.angortra.at/F17F99ED2972730 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/F17F99ED2972730 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/F17F99ED2972730 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/F17F99ED2972730 http://kkd47eh4hdjshb5t.angortra.at/F17F99ED2972730 http://ytrest84y5i456hghadefdsd.pontogrot.com/F17F99ED2972730 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/F17F99ED2972730

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/F17F99ED2972730

http://kkd47eh4hdjshb5t.angortra.at/F17F99ED2972730

http://ytrest84y5i456hghadefdsd.pontogrot.com/F17F99ED2972730

http://xlowfznrg4wf7dli.ONION/F17F99ED2972730

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (894) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nmvkxrcejson.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+lkqpx.txt	nmvkxrcejson.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+lkqpx.html	nmvkxrcejson.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+lkqpx.txt	nmvkxrcejson.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+lkqpx.html	nmvkxrcejson.exe

Executes dropped EXE 2 IoCs

pid	Process
3944	nmvkxrcejson.exe
1760	nmvkxrcejson.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\auhfykjfkqyv = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\nmvkxrcejson.exe\""	nmvkxrcejson.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5028 set thread context of 2556	5028	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 3944 set thread context of 1760	3944	nmvkxrcejson.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_altform-unplated_contrast-white.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\Recovery+lkqpx.html	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache.scale-200.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\MedTile.scale-125.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\Recovery+lkqpx.txt	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-125.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-150_contrast-white.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-lightunplated.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-48.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\SplashScreen.scale-125.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\Recovery+lkqpx.txt	nmvkxrcejson.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-white.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-125.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_contrast-white.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-400.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Recovery+lkqpx.html	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\WideTile.scale-100.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-16.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-64_altform-lightunplated.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Recovery+lkqpx.html	nmvkxrcejson.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\Recovery+lkqpx.html	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+lkqpx.html	nmvkxrcejson.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\Recovery+lkqpx.html	nmvkxrcejson.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\Recovery+lkqpx.html	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\LargeTile.scale-125.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+lkqpx.html	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-200_contrast-black.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-unplated_contrast-white.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\Recovery+lkqpx.html	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-100.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+lkqpx.txt	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\SmallTile.scale-100.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-96.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\Recovery+lkqpx.html	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\LargeTile.scale-125.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\theme-light\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-150.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-48.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalStoreLogo.scale-200.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\Recovery+lkqpx.txt	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Recovery+lkqpx.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-400_contrast-white.png	nmvkxrcejson.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200.png	nmvkxrcejson.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\nmvkxrcejson.exe	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
File opened for modification	C:\Windows\nmvkxrcejson.exe	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmvkxrcejson.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmvkxrcejson.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	nmvkxrcejson.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2420	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe
1760	nmvkxrcejson.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Token: SeDebugPrivilege	1760	nmvkxrcejson.exe
Token: SeIncreaseQuotaPrivilege	3672	WMIC.exe
Token: SeSecurityPrivilege	3672	WMIC.exe
Token: SeTakeOwnershipPrivilege	3672	WMIC.exe
Token: SeLoadDriverPrivilege	3672	WMIC.exe
Token: SeSystemProfilePrivilege	3672	WMIC.exe
Token: SeSystemtimePrivilege	3672	WMIC.exe
Token: SeProfSingleProcessPrivilege	3672	WMIC.exe
Token: SeIncBasePriorityPrivilege	3672	WMIC.exe
Token: SeCreatePagefilePrivilege	3672	WMIC.exe
Token: SeBackupPrivilege	3672	WMIC.exe
Token: SeRestorePrivilege	3672	WMIC.exe
Token: SeShutdownPrivilege	3672	WMIC.exe
Token: SeDebugPrivilege	3672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3672	WMIC.exe
Token: SeRemoteShutdownPrivilege	3672	WMIC.exe
Token: SeUndockPrivilege	3672	WMIC.exe
Token: SeManageVolumePrivilege	3672	WMIC.exe
Token: 33	3672	WMIC.exe
Token: 34	3672	WMIC.exe
Token: 35	3672	WMIC.exe
Token: 36	3672	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3372	WMIC.exe
Token: SeSecurityPrivilege	3372	WMIC.exe
Token: SeTakeOwnershipPrivilege	3372	WMIC.exe
Token: SeLoadDriverPrivilege	3372	WMIC.exe
Token: SeSystemProfilePrivilege	3372	WMIC.exe
Token: SeSystemtimePrivilege	3372	WMIC.exe
Token: SeProfSingleProcessPrivilege	3372	WMIC.exe
Token: SeIncBasePriorityPrivilege	3372	WMIC.exe
Token: SeCreatePagefilePrivilege	3372	WMIC.exe
Token: SeBackupPrivilege	3372	WMIC.exe
Token: SeRestorePrivilege	3372	WMIC.exe
Token: SeShutdownPrivilege	3372	WMIC.exe
Token: SeDebugPrivilege	3372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3372	WMIC.exe
Token: SeRemoteShutdownPrivilege	3372	WMIC.exe
Token: SeUndockPrivilege	3372	WMIC.exe
Token: SeManageVolumePrivilege	3372	WMIC.exe
Token: 33	3372	WMIC.exe
Token: 34	3372	WMIC.exe
Token: 35	3372	WMIC.exe
Token: 36	3372	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 2556	5028	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 5028 wrote to memory of 2556	5028	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 5028 wrote to memory of 2556	5028	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 5028 wrote to memory of 2556	5028	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 5028 wrote to memory of 2556	5028	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 5028 wrote to memory of 2556	5028	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 5028 wrote to memory of 2556	5028	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 5028 wrote to memory of 2556	5028	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 5028 wrote to memory of 2556	5028	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 5028 wrote to memory of 2556	5028	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	98
PID 2556 wrote to memory of 3944	2556	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	99
PID 2556 wrote to memory of 3944	2556	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	99
PID 2556 wrote to memory of 3944	2556	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	99
PID 2556 wrote to memory of 2424	2556	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	100
PID 2556 wrote to memory of 2424	2556	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	100
PID 2556 wrote to memory of 2424	2556	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	100
PID 3944 wrote to memory of 1760	3944	nmvkxrcejson.exe	103
PID 3944 wrote to memory of 1760	3944	nmvkxrcejson.exe	103
PID 3944 wrote to memory of 1760	3944	nmvkxrcejson.exe	103
PID 3944 wrote to memory of 1760	3944	nmvkxrcejson.exe	103
PID 3944 wrote to memory of 1760	3944	nmvkxrcejson.exe	103
PID 3944 wrote to memory of 1760	3944	nmvkxrcejson.exe	103
PID 3944 wrote to memory of 1760	3944	nmvkxrcejson.exe	103
PID 3944 wrote to memory of 1760	3944	nmvkxrcejson.exe	103
PID 3944 wrote to memory of 1760	3944	nmvkxrcejson.exe	103
PID 3944 wrote to memory of 1760	3944	nmvkxrcejson.exe	103
PID 1760 wrote to memory of 3672	1760	nmvkxrcejson.exe	104
PID 1760 wrote to memory of 3672	1760	nmvkxrcejson.exe	104
PID 1760 wrote to memory of 2420	1760	nmvkxrcejson.exe	108
PID 1760 wrote to memory of 2420	1760	nmvkxrcejson.exe	108
PID 1760 wrote to memory of 2420	1760	nmvkxrcejson.exe	108
PID 1760 wrote to memory of 4600	1760	nmvkxrcejson.exe	109
PID 1760 wrote to memory of 4600	1760	nmvkxrcejson.exe	109
PID 4600 wrote to memory of 3624	4600	msedge.exe	110
PID 4600 wrote to memory of 3624	4600	msedge.exe	110
PID 1760 wrote to memory of 3372	1760	nmvkxrcejson.exe	111
PID 1760 wrote to memory of 3372	1760	nmvkxrcejson.exe	111
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113
PID 4600 wrote to memory of 4368	4600	msedge.exe	113

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nmvkxrcejson.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	nmvkxrcejson.exe

C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\nmvkxrcejson.exe
    C:\Windows\nmvkxrcejson.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\nmvkxrcejson.exe
      C:\Windows\nmvkxrcejson.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1760
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91d6346f8,0x7ff91d634708,0x7ff91d634718
        6⤵
        
        PID:3624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,16484874687619640921,5862849620093933392,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2
        6⤵
        
        PID:4368
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,16484874687619640921,5862849620093933392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        6⤵
        
        PID:796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,16484874687619640921,5862849620093933392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
        6⤵
        
        PID:4916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16484874687619640921,5862849620093933392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        6⤵
        
        PID:3572
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16484874687619640921,5862849620093933392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
        6⤵
        
        PID:4372
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,16484874687619640921,5862849620093933392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
        6⤵
        
        PID:3396
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,16484874687619640921,5862849620093933392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
        6⤵
        
        PID:1072
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16484874687619640921,5862849620093933392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
        6⤵
        
        PID:4476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16484874687619640921,5862849620093933392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
        6⤵
        
        PID:4636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16484874687619640921,5862849620093933392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
        6⤵
        
        PID:3620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16484874687619640921,5862849620093933392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
        6⤵
        
        PID:4616
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NMVKXR~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A03404~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+lkqpx.html

Filesize
9KB

MD5
0c577cd9570a9e674ad61df155c1650d

SHA1
7535918a16a6348b2b2fec033c1c0f5ae585a44f

SHA256
5e791d0b6868d0b2020cb39abd333dfb72870a4a9bb07c38f56e72c3c15ed660

SHA512
1b4ec12931c5617d0c64811c1c7d1ca6b9971a2eb108641deded6c52d73974ef4adbc882fa8c6097239956a77ddb58829babbf80127068e8aeeb6b8bba54ca0d

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+lkqpx.png

Filesize
62KB

MD5
b10f2491c4fbc244f3739a6243f14545

SHA1
3599510e2d993010c3963f9ac523a94c41eb96c9

SHA256
a374f703b88bdd91f511163edfb026a6c182a5faf68e6d9e4030b04af33e71fc

SHA512
924d0dc0ac676a9367b2739d6b2c28f5e97a658694fd1b6d181bee21b0deceffa74eecce3c3a2921f02da50e12c1f81761a673a463c82ab1f431f5ef3a1dca52

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+lkqpx.txt

Filesize
1KB

MD5
3fb7f266732bc012498f7120e2924210

SHA1
7f5725b5f2eb6512fac96102516f401cc61a4fe0

SHA256
ad4a355a59d3511f4cdbb79348580c4633f59f8b04ae51ea1e87723825290ce6

SHA512
eedbddeed249fe04dd90651a2ec33cf1af84892ecce829ba16c4bb61b3e00cae1125f648bad85e4739bde60188c0642c64353e54b6a6d2913d7c3a64daa8d584

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
efd1b1bc4421ed0371ab292144e15d35

SHA1
3236450bbfe377a88bd1100973b3773b3f338d32

SHA256
b9fdb58c0b2d2cadc1ba16eddd213621cc0527f38fb5ec7003fceb1cf1296cfe

SHA512
97c49e11ec87424c8881cd9f417c80b4569ee3ab362c33246a6d21e3f1f21e211c9e68bdb380685bac721bab2e1bf3d656981bef35ad1b5c0470c7578a0855f0

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
06c600034342459e0449009cc9391eb7

SHA1
74af45ed894b2fd7cc3c52644d4b6d2f0fc683f9

SHA256
c925563c22e301638b47d2aef5d492608fbb55074d9d12a49457bcb3f697bc66

SHA512
68d62bfc8914a04ea0bec2b48d123cfe01e57a45c5c356950adb7d84163d70440c97600745887fd28133fb0a593f0d7538be2fa16161e1dc0a61add08a1d7911

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
eaf9561c3aaa8809b648f357bb13f8ad

SHA1
6e5a7464c402adfe0555ed6cce74062ce2761181

SHA256
647adc168aa4632ad937efcb3c4f4a742a7d6945b5bb1afca67bb47a131f28a5

SHA512
1cf16d5f301587cdc01c9cbe64113e87dac4b90e7c53ce0cb4406625d7fdc4861691f0febae529a1702da95bdba0377440e7e0bd741619096e6f638df5023e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
de6d2b8803f0b80b49dec489a4cd0708

SHA1
a39e553f32d3b5b763c840a4bc3e59288f0cbf71

SHA256
ef97c22a28151f7e1579eb03e2bc71d952a5f252a5bef540d53ca25f6c162a56

SHA512
30b1fb12540aa1eb6844b03388b1a74fe61c120e431e55283cba771cb651e091a0f4e9ab7de58d8f6ca96e303bc048cc13e8602f22a2c58342f3e94c33f88b5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2c664e84d130a42a272c38e8ef019d94

SHA1
0e19ae0bbd8899387ecbaf930617fe7ad2724675

SHA256
83555106b8b515333264f57291b8bc79d8c254f6defb9acfd7243605d5ad1a64

SHA512
20553ba8d28b03aea146214fb67e8808f2a9b0cc04743c1ab9ae63641b8804663928072fdfdf691144e7895e53451f461d45a9a9c8be41455efbe9963f2b1bcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2cdeb93a38eedd473ea4a745585b7750

SHA1
f3d1f00e32209b62ea177cd84a85f4649963ed93

SHA256
305650f0589cf55d303141845469e0183599b99565cd72edf84726b92f2ff57c

SHA512
7eb85b14fd49bdcad0457d51f5914717ed1c51d4543e4e6bc0776e772484b25a3a346ccb4b0ad09cac09fdc378b168aae88e2f239a892dc2ad182890dadbc57d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt

Filesize
77KB

MD5
c5eea69d5cb701431b6fe5fd254726bd

SHA1
419134fc8dbc0dd138dea295f86067f9d61f2fe2

SHA256
e5e5b9c3ffa007cc7da86ff1ef8486b7ae166181dc600ecc43fca03d1341f870

SHA512
a831ead60c1639e3e158f1c060c7820292fc4f7c4a2ee465111b0d626617fa586cedd8a605744cd6a34ef9c5838d1cdd0ba41e72547c3a911108ac88ea0683de

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt

Filesize
47KB

MD5
671a5db2d7c44cf72f72c9c27af149fe

SHA1
5df541801d074ade0c730ecb6c60a28482948810

SHA256
dd75badbc8737144050278bd8b84d573ece79f0e2910e263a668e30d8282d971

SHA512
37c2ca973cfe96b3405aefa2d3370376cc54140c73be3c40fe4162434d44165509ee604a9b308f0ef9cfbcb9b2f66b91be5f6eb16bd83bc4dad696f9339496dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt

Filesize
74KB

MD5
ea15a537884390425421bb86c256bc73

SHA1
030d18f93ae5af5322e8055355021cec9776942f

SHA256
d7f9d1890f1e30c2034971b006c0e59f366cd00e28637789a86292af3138459a

SHA512
58e27db5bf68c42c08333d3d2850a4d07fc0ec451223f5a21ffaedf74e46a35eabb4ebe656f0f381d70623413b9eedd65b25d65eadc7fc228c6a2b10c63e5895

Download Submit
C:\Windows\nmvkxrcejson.exe

Filesize
388KB

MD5
a0340430d4b1c1f6dd4048ab98f2e4b2

SHA1
a43ff275972b4ed9b7f3ece61d7d49375db635e9

SHA256
9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217

SHA512
54ca85bee0ded2a742c767565159c0e3121d8cd1d97cebc751d067b1ea45d9fca86b6d5acad5b472eddef23d20afcc8ae3497cdd411fd9f393d80e0c90f2cd8d

Download Submit
memory/1760-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-8677-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-2651-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-2650-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-5237-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-10838-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-10796-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-507-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-10786-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-10787-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1760-10795-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2556-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2556-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2556-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2556-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2556-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3944-12-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/5028-0-0x0000000000D90000-0x0000000000D93000-memory.dmp

Filesize
12KB

Download
memory/5028-4-0x0000000000D90000-0x0000000000D93000-memory.dmp

Filesize
12KB

Download
memory/5028-1-0x0000000000D90000-0x0000000000D93000-memory.dmp

Filesize
12KB

Download