teslacrypt | ddc22b54761307cf1af200cbbfdedc44bb76aa3d876155c6570b1729a7eaaa57

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe
Size

484KB
MD5

8c7fc6b38e8f927f2a8e8888bbc3545c
SHA1

b017d494790f3862a6851919f981e25dab8eebaa
SHA256

ddc22b54761307cf1af200cbbfdedc44bb76aa3d876155c6570b1729a7eaaa57
SHA512

7792e9b8029040eff7c7bb71cba4d938f7a6464276311adb5fd443ebbdafcb3533d7c120cfbab9ecd6b7e30762c37c5b3af1844f2b03db0cf6732a5dd02d0fad
SSDEEP

6144:0utAHuAX1/7zv+Ul4s/KFxhNDPPHf2TNhOAL68v6RD/Nqr49Jr:0xHu4/H6xhtPPHf2JhTxvU/4rI

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ejcvu.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/96FFF5C260E2E018 2 - http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/96FFF5C260E2E018 3 - http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/96FFF5C260E2E018 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/96FFF5C260E2E018 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/96FFF5C260E2E018 http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/96FFF5C260E2E018 http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/96FFF5C260E2E018 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/96FFF5C260E2E018

URLs

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/96FFF5C260E2E018

http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/96FFF5C260E2E018

http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/96FFF5C260E2E018

http://xlowfznrg4wf7dli.ONION/96FFF5C260E2E018

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (869) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exehhlysmkljybl.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	hhlysmkljybl.exe

Drops startup file 6 IoCs

Processes:

hhlysmkljybl.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ejcvu.txt	hhlysmkljybl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ejcvu.png	hhlysmkljybl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ejcvu.txt	hhlysmkljybl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ejcvu.png	hhlysmkljybl.exe

Executes dropped EXE 1 IoCs

Processes:

hhlysmkljybl.exe

pid	Process
4428	hhlysmkljybl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hhlysmkljybl.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fawpleb = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\hhlysmkljybl.exe"	hhlysmkljybl.exe

Drops file in Program Files directory 64 IoCs

Processes:

hhlysmkljybl.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-32_altform-lightunplated.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-400.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-200.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-40_altform-unplated_contrast-white.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\155.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\_ReCoVeRy_+ejcvu.txt	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_altform-unplated_contrast-black.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-125.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MicrosoftLogo.scale-200.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-200.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-100.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\WideTile.scale-100.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-80_altform-unplated_contrast-black.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_3.m4a	hhlysmkljybl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_ReCoVeRy_+ejcvu.txt	hhlysmkljybl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-125_contrast-white.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\illustration-UploadToOD.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\group_avatar_128x.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailSmallTile.scale-400.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+ejcvu.txt	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256_altform-unplated.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\_ReCoVeRy_+ejcvu.txt	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\_ReCoVeRy_+ejcvu.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+ejcvu.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-unplated.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-200.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_altform-unplated_contrast-black.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WideTile.scale-125_contrast-black.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\meBoot.min.js	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+ejcvu.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	hhlysmkljybl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_ReCoVeRy_+ejcvu.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_ReCoVeRy_+ejcvu.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\View3d\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\_ReCoVeRy_+ejcvu.txt	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.scale-125_contrast-white.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.scale-100.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+ejcvu.txt	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-125.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_ReCoVeRy_+ejcvu.txt	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\Fonts\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleWideTile.scale-125.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_32x32x32.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_Package_Light.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_altform-lightunplated.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+ejcvu.txt	hhlysmkljybl.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-125.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-100.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-black_scale-200.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	hhlysmkljybl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\_ReCoVeRy_+ejcvu.html	hhlysmkljybl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_light_environment.png	hhlysmkljybl.exe

Drops file in Windows directory 2 IoCs

Processes:

8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\hhlysmkljybl.exe	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe
File opened for modification	C:\Windows\hhlysmkljybl.exe	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

hhlysmkljybl.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	hhlysmkljybl.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1368	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hhlysmkljybl.exe

pid	Process
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe
4428	hhlysmkljybl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exehhlysmkljybl.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	720	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe
Token: SeDebugPrivilege	4428	hhlysmkljybl.exe
Token: SeIncreaseQuotaPrivilege	644	WMIC.exe
Token: SeSecurityPrivilege	644	WMIC.exe
Token: SeTakeOwnershipPrivilege	644	WMIC.exe
Token: SeLoadDriverPrivilege	644	WMIC.exe
Token: SeSystemProfilePrivilege	644	WMIC.exe
Token: SeSystemtimePrivilege	644	WMIC.exe
Token: SeProfSingleProcessPrivilege	644	WMIC.exe
Token: SeIncBasePriorityPrivilege	644	WMIC.exe
Token: SeCreatePagefilePrivilege	644	WMIC.exe
Token: SeBackupPrivilege	644	WMIC.exe
Token: SeRestorePrivilege	644	WMIC.exe
Token: SeShutdownPrivilege	644	WMIC.exe
Token: SeDebugPrivilege	644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	644	WMIC.exe
Token: SeRemoteShutdownPrivilege	644	WMIC.exe
Token: SeUndockPrivilege	644	WMIC.exe
Token: SeManageVolumePrivilege	644	WMIC.exe
Token: 33	644	WMIC.exe
Token: 34	644	WMIC.exe
Token: 35	644	WMIC.exe
Token: 36	644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	644	WMIC.exe
Token: SeSecurityPrivilege	644	WMIC.exe
Token: SeTakeOwnershipPrivilege	644	WMIC.exe
Token: SeLoadDriverPrivilege	644	WMIC.exe
Token: SeSystemProfilePrivilege	644	WMIC.exe
Token: SeSystemtimePrivilege	644	WMIC.exe
Token: SeProfSingleProcessPrivilege	644	WMIC.exe
Token: SeIncBasePriorityPrivilege	644	WMIC.exe
Token: SeCreatePagefilePrivilege	644	WMIC.exe
Token: SeBackupPrivilege	644	WMIC.exe
Token: SeRestorePrivilege	644	WMIC.exe
Token: SeShutdownPrivilege	644	WMIC.exe
Token: SeDebugPrivilege	644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	644	WMIC.exe
Token: SeRemoteShutdownPrivilege	644	WMIC.exe
Token: SeUndockPrivilege	644	WMIC.exe
Token: SeManageVolumePrivilege	644	WMIC.exe
Token: 33	644	WMIC.exe
Token: 34	644	WMIC.exe
Token: 35	644	WMIC.exe
Token: 36	644	WMIC.exe
Token: SeBackupPrivilege	1184	vssvc.exe
Token: SeRestorePrivilege	1184	vssvc.exe
Token: SeAuditPrivilege	1184	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4712	WMIC.exe
Token: SeSecurityPrivilege	4712	WMIC.exe
Token: SeTakeOwnershipPrivilege	4712	WMIC.exe
Token: SeLoadDriverPrivilege	4712	WMIC.exe
Token: SeSystemProfilePrivilege	4712	WMIC.exe
Token: SeSystemtimePrivilege	4712	WMIC.exe
Token: SeProfSingleProcessPrivilege	4712	WMIC.exe
Token: SeIncBasePriorityPrivilege	4712	WMIC.exe
Token: SeCreatePagefilePrivilege	4712	WMIC.exe
Token: SeBackupPrivilege	4712	WMIC.exe
Token: SeRestorePrivilege	4712	WMIC.exe
Token: SeShutdownPrivilege	4712	WMIC.exe
Token: SeDebugPrivilege	4712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4712	WMIC.exe
Token: SeRemoteShutdownPrivilege	4712	WMIC.exe
Token: SeUndockPrivilege	4712	WMIC.exe
Token: SeManageVolumePrivilege	4712	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exehhlysmkljybl.exemsedge.exe

description	pid	Process	procid_target
PID 720 wrote to memory of 4428	720	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	86
PID 720 wrote to memory of 4428	720	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	86
PID 720 wrote to memory of 4428	720	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	86
PID 720 wrote to memory of 2704	720	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	87
PID 720 wrote to memory of 2704	720	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	87
PID 720 wrote to memory of 2704	720	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	87
PID 4428 wrote to memory of 644	4428	hhlysmkljybl.exe	92
PID 4428 wrote to memory of 644	4428	hhlysmkljybl.exe	92
PID 4428 wrote to memory of 1368	4428	hhlysmkljybl.exe	109
PID 4428 wrote to memory of 1368	4428	hhlysmkljybl.exe	109
PID 4428 wrote to memory of 1368	4428	hhlysmkljybl.exe	109
PID 4428 wrote to memory of 4740	4428	hhlysmkljybl.exe	110
PID 4428 wrote to memory of 4740	4428	hhlysmkljybl.exe	110
PID 4740 wrote to memory of 4964	4740	msedge.exe	111
PID 4740 wrote to memory of 4964	4740	msedge.exe	111
PID 4428 wrote to memory of 4712	4428	hhlysmkljybl.exe	112
PID 4428 wrote to memory of 4712	4428	hhlysmkljybl.exe	112
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 1800	4740	msedge.exe	114
PID 4740 wrote to memory of 2480	4740	msedge.exe	115
PID 4740 wrote to memory of 2480	4740	msedge.exe	115
PID 4740 wrote to memory of 4280	4740	msedge.exe	116
PID 4740 wrote to memory of 4280	4740	msedge.exe	116
PID 4740 wrote to memory of 4280	4740	msedge.exe	116
PID 4740 wrote to memory of 4280	4740	msedge.exe	116
PID 4740 wrote to memory of 4280	4740	msedge.exe	116

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

hhlysmkljybl.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hhlysmkljybl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	hhlysmkljybl.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:720
- C:\Windows\hhlysmkljybl.exe
  C:\Windows\hhlysmkljybl.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4428
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:644
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff984546f8,0x7fff98454708,0x7fff98454718
      4⤵
      PID:4964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,17514514139252790665,14391751457791549610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
      4⤵
      PID:1800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,17514514139252790665,14391751457791549610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      PID:2480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,17514514139252790665,14391751457791549610,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
      4⤵
      PID:4280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17514514139252790665,14391751457791549610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17514514139252790665,14391751457791549610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:2012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,17514514139252790665,14391751457791549610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
      4⤵
      PID:2888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,17514514139252790665,14391751457791549610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
      4⤵
      PID:2788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17514514139252790665,14391751457791549610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
      4⤵
      PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17514514139252790665,14391751457791549610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
      4⤵
      PID:700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17514514139252790665,14391751457791549610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
      4⤵
      PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17514514139252790665,14391751457791549610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      PID:552
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HHLYSM~1.EXE
    3⤵
    PID:3852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\8C7FC6~1.EXE
  2⤵
  PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ejcvu.html

Filesize
11KB

MD5
5bf82f21389e2e3760eef9db32a81cdb

SHA1
cd8a259e03a6b97e4920408d138b9c5d318c919a

SHA256
c2b84cf3d36baed5fc9ef33f28bbc54d558201b211bb579acfacab9aeaa670c1

SHA512
599660d064e5adb854e1ef0b05782edb918e78d920de4af5f507dbe4a0a3b93e030050271f9453bf9be857c41339627a77db9f8a4e5c9f6288e9d0110eacd1c3

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ejcvu.png

Filesize
64KB

MD5
3d05068b7ca88498d3edbc74b760922d

SHA1
4d1ce3897183102d5afcddce7b908e446efd59cd

SHA256
f7e7f5e5d51b4080f5f2efa51b8156274617f31675cf6f4bb785ea4c2cf54453

SHA512
91ce9eb70133c1ad479605cb3530f9a1a50714b679d82219f7f051f9a526c978a69ede35afa8479f59c82ca207623a8e081ab0115455204cba17d8afb2f670c0

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ejcvu.txt

Filesize
1KB

MD5
5482d72f36bc8a966520d2ddb1119b50

SHA1
f7b536c309906c5d59966d673306ea8b3349fb6c

SHA256
52a85ab7aaee867bb080c5bcc2f10eabfc001cbe41275280665fc4ef5718c6e7

SHA512
61a21d8f06607ed02b636c30209c23ba6c219650a7cb8d0a97c0e3e2f21fb3898caffb33897799899183903e4742e81f0438c5097ae3b3510964bbef8bcd74b6

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
e537a26594b61bc83bd5ca6cc5d561d7

SHA1
ee8e5ce40ab8e6740388f9197cc7ed4c8c13dd51

SHA256
8bc52031d9ad8ef1e3467b0dd41ea7347829a10237191226e81a7b906074e73e

SHA512
9befeefd5a43e0f1369a9082dcff79f87d5fd0a2c9ef8a0d93053d2dc7379cb354f49fab955d7baaa3e1b73c61cdd4e1ea9c92e7ea7206d3cb791fb543a18dec

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
52e191812b06a98dadc4f4ac8972bd37

SHA1
fa037260e9311a3724d37a4188a51dbf2f125d53

SHA256
095cca37e2bfa142b7a03dfe3da743dcfdcfb532f36c7c980bb92f05065f092b

SHA512
3b568db5c253d126fbf3d1eea0ebd1359a13302afa790420bac5b066f33bd58e380da8d6eb975ecf3fddfd65cadec49fc3f8e1c29fb30a801cea973123a142c5

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
5056683b9161b79044499a576cb96ae5

SHA1
37b9c517e842597b5c3f5b0b249b29070baaa25b

SHA256
5c47d3bc9843bdca34d383ddad944e31a11f73953336b4ae2c4f46bdfde7d8a5

SHA512
a87aa44f7823b3035e1367b6beb54e528c0fbfc24baa5ce2a79a56fea1ad882f111aaba9a7e6d6bb580f92ce56350a51f082295e348229db9e808e73d385dccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
74c796c0c791ad3d51f9d281dc43388f

SHA1
7ee1dd36b6d22e7dd00e8861380106b6a4c86b59

SHA256
de5ce099f0fa7e91399a04fd56564c43b9c90c60cff62a3dd819706776a519e7

SHA512
b4d84ae696daa70a08134efee17872846d24c37fc4de49b0c773cc4281f84e640f957a0069fc3f1720dd8fdc1fd28f8366734e8dcc8ea00313f001f7535347b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
deeda2629b1c5690f1f800cee457f3a3

SHA1
60c567545cf7f67c5bbed24e35c36f0320122476

SHA256
cb47c9a501122b962620879e6d2cbe426c8316ecc4e9c9e5afb0f8415be33aa9

SHA512
123c78a0ddf8cc5ee1cd6ed55e18560c38006c36346f251c6fd2e0caa39d67472038a92b278e7aa773f1f8c81680b1bd50d8d8ca53429e6d223641c0a77c5498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
346d77977fe902e197e799f15756245a

SHA1
9cb46ba5d4bcb2c06f761c678025bdc40fca8ed9

SHA256
86b63f0f0318b265127a0ff5f78b6d8a97a141d4196925a4eb988d0cc42ff6ca

SHA512
75188e9890fcfcc2b525228dbc7da53feb1fc61d51d8bf2f7de93fc20eb99626cae4e7817ce2c397bff42248a71059d4841c64e39ec5fb558bb9bd68e2099463

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596440659070499.txt

Filesize
47KB

MD5
eba9a6e2f3f8e59d1035508430572e73

SHA1
805e68e8f53f2a0edb1c2d0a5d99de77b2c48fac

SHA256
b24a189bd779ec7fbd4c64b5642d8391718b4e3bc6d6e36a3ad631f9ed3bef38

SHA512
e432dc49844b2a2fec0da22a58152d0bb0ee214c2dc5805b9d0550626e0f79ef3b62137493e93714b9fb81681fc494636f83624bd4b1d443d02e81f968588e06

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449628541770.txt

Filesize
75KB

MD5
b912d16a6d31a509af3b9b862aa82bbb

SHA1
5ab72ffa181d27fd86be4c05ebc8d1144c2207f5

SHA256
24f19084831246f61f802c954fb8bf7c1650f188c0c09cc0045a8fbe6b6223a7

SHA512
5c5db030add7164a2109d031e9318a147f309b3bf971bf29e192d343643c61bbb1ebcf364b80deb017ffa8c14da65f76890a32079949fbf9aaabc16ca3eba44d

Download Submit
C:\Windows\hhlysmkljybl.exe

Filesize
484KB

MD5
8c7fc6b38e8f927f2a8e8888bbc3545c

SHA1
b017d494790f3862a6851919f981e25dab8eebaa

SHA256
ddc22b54761307cf1af200cbbfdedc44bb76aa3d876155c6570b1729a7eaaa57

SHA512
7792e9b8029040eff7c7bb71cba4d938f7a6464276311adb5fd443ebbdafcb3533d7c120cfbab9ecd6b7e30762c37c5b3af1844f2b03db0cf6732a5dd02d0fad

Download Submit
\??\pipe\LOCAL\crashpad_4740_XIQQYOBWRJIAGALD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/720-9-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/720-0-0x00000000021C0000-0x0000000002246000-memory.dmp

Filesize
536KB

Download
memory/720-10-0x00000000021C0000-0x0000000002246000-memory.dmp

Filesize
536KB

Download
memory/720-1-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4428-10344-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4428-14-0x0000000002190000-0x0000000002216000-memory.dmp

Filesize
536KB

Download
memory/4428-10388-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4428-10147-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4428-7392-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4428-4551-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4428-1305-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download