teslacrypt | 535bc699baf41334ad3f15528af60df9a8421533068f3f09ed01df212b40b059

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe
Size

376KB
MD5

2b4d5982e3909f16967246c9fc4d2451
SHA1

2bd2a2d29679fe8cf68ab8f00ae9ed58f1506c06
SHA256

535bc699baf41334ad3f15528af60df9a8421533068f3f09ed01df212b40b059
SHA512

01d8716520cab4c226135116cc716d5337b54bcfd672fed8ef727b02560ecd1a16c8602bafbdc75fb65eb49f8af9d3add0658c116b9a574fe2183e2f2f9c68cb
SSDEEP

6144:6e3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:6Y5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+olaqx.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/434147EBD91D22F4 2. http://kkd47eh4hdjshb5t.angortra.at/434147EBD91D22F4 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/434147EBD91D22F4 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/434147EBD91D22F4 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/434147EBD91D22F4 http://kkd47eh4hdjshb5t.angortra.at/434147EBD91D22F4 http://ytrest84y5i456hghadefdsd.pontogrot.com/434147EBD91D22F4 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/434147EBD91D22F4

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/434147EBD91D22F4

http://kkd47eh4hdjshb5t.angortra.at/434147EBD91D22F4

http://ytrest84y5i456hghadefdsd.pontogrot.com/434147EBD91D22F4

http://xlowfznrg4wf7dli.ONION/434147EBD91D22F4

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (868) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	oislmjanlxnc.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+olaqx.txt	oislmjanlxnc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+olaqx.html	oislmjanlxnc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+olaqx.txt	oislmjanlxnc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+olaqx.html	oislmjanlxnc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+olaqx.png	oislmjanlxnc.exe

Executes dropped EXE 2 IoCs

pid	Process
324	oislmjanlxnc.exe
2168	oislmjanlxnc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbatchmvdatx = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\oislmjanlxnc.exe\""	oislmjanlxnc.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1472 set thread context of 3584	1472	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	89
PID 324 set thread context of 2168	324	oislmjanlxnc.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\save-money.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-unplated_contrast-black.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-white.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionWideTile.scale-150.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-16.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-200.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-200_contrast-black.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jsaddins\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-400.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\Views\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-300.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\Recovery+olaqx.html	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-100.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+olaqx.txt	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-standard\Recovery+olaqx.html	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\Recovery+olaqx.html	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+olaqx.html	oislmjanlxnc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\Recovery+olaqx.txt	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxLargeTile.scale-125.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache.scale-150.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-200.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\Recovery+olaqx.txt	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-300.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\168.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-125.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\Recovery+olaqx.txt	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-400.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-30.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-80_altform-unplated.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent_Light.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60_altform-unplated.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_File_Transfer_Incoming.m4a	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-200_contrast-black.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-64_altform-unplated.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+olaqx.html	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\LargeTile.scale-200.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Recovery+olaqx.html	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-400.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\Recovery+olaqx.html	oislmjanlxnc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\QUERIES\Recovery+olaqx.html	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_contrast-black.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\Recovery+olaqx.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-200.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_altform-unplated.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\Recovery+olaqx.html	oislmjanlxnc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\Recovery+olaqx.txt	oislmjanlxnc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\MedTile.scale-200.png	oislmjanlxnc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	oislmjanlxnc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\oislmjanlxnc.exe	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe
File opened for modification	C:\Windows\oislmjanlxnc.exe	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oislmjanlxnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oislmjanlxnc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	oislmjanlxnc.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2568	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe
2168	oislmjanlxnc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe
Token: SeDebugPrivilege	2168	oislmjanlxnc.exe
Token: SeIncreaseQuotaPrivilege	772	WMIC.exe
Token: SeSecurityPrivilege	772	WMIC.exe
Token: SeTakeOwnershipPrivilege	772	WMIC.exe
Token: SeLoadDriverPrivilege	772	WMIC.exe
Token: SeSystemProfilePrivilege	772	WMIC.exe
Token: SeSystemtimePrivilege	772	WMIC.exe
Token: SeProfSingleProcessPrivilege	772	WMIC.exe
Token: SeIncBasePriorityPrivilege	772	WMIC.exe
Token: SeCreatePagefilePrivilege	772	WMIC.exe
Token: SeBackupPrivilege	772	WMIC.exe
Token: SeRestorePrivilege	772	WMIC.exe
Token: SeShutdownPrivilege	772	WMIC.exe
Token: SeDebugPrivilege	772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	772	WMIC.exe
Token: SeRemoteShutdownPrivilege	772	WMIC.exe
Token: SeUndockPrivilege	772	WMIC.exe
Token: SeManageVolumePrivilege	772	WMIC.exe
Token: 33	772	WMIC.exe
Token: 34	772	WMIC.exe
Token: 35	772	WMIC.exe
Token: 36	772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5092	WMIC.exe
Token: SeSecurityPrivilege	5092	WMIC.exe
Token: SeTakeOwnershipPrivilege	5092	WMIC.exe
Token: SeLoadDriverPrivilege	5092	WMIC.exe
Token: SeSystemProfilePrivilege	5092	WMIC.exe
Token: SeSystemtimePrivilege	5092	WMIC.exe
Token: SeProfSingleProcessPrivilege	5092	WMIC.exe
Token: SeIncBasePriorityPrivilege	5092	WMIC.exe
Token: SeCreatePagefilePrivilege	5092	WMIC.exe
Token: SeBackupPrivilege	5092	WMIC.exe
Token: SeRestorePrivilege	5092	WMIC.exe
Token: SeShutdownPrivilege	5092	WMIC.exe
Token: SeDebugPrivilege	5092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5092	WMIC.exe
Token: SeRemoteShutdownPrivilege	5092	WMIC.exe
Token: SeUndockPrivilege	5092	WMIC.exe
Token: SeManageVolumePrivilege	5092	WMIC.exe
Token: 33	5092	WMIC.exe
Token: 34	5092	WMIC.exe
Token: 35	5092	WMIC.exe
Token: 36	5092	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 3584	1472	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	89
PID 1472 wrote to memory of 3584	1472	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	89
PID 1472 wrote to memory of 3584	1472	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	89
PID 1472 wrote to memory of 3584	1472	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	89
PID 1472 wrote to memory of 3584	1472	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	89
PID 1472 wrote to memory of 3584	1472	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	89
PID 1472 wrote to memory of 3584	1472	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	89
PID 1472 wrote to memory of 3584	1472	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	89
PID 1472 wrote to memory of 3584	1472	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	89
PID 1472 wrote to memory of 3584	1472	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	89
PID 3584 wrote to memory of 324	3584	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	90
PID 3584 wrote to memory of 324	3584	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	90
PID 3584 wrote to memory of 324	3584	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	90
PID 3584 wrote to memory of 4540	3584	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	91
PID 3584 wrote to memory of 4540	3584	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	91
PID 3584 wrote to memory of 4540	3584	2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe	91
PID 324 wrote to memory of 2168	324	oislmjanlxnc.exe	95
PID 324 wrote to memory of 2168	324	oislmjanlxnc.exe	95
PID 324 wrote to memory of 2168	324	oislmjanlxnc.exe	95
PID 324 wrote to memory of 2168	324	oislmjanlxnc.exe	95
PID 324 wrote to memory of 2168	324	oislmjanlxnc.exe	95
PID 324 wrote to memory of 2168	324	oislmjanlxnc.exe	95
PID 324 wrote to memory of 2168	324	oislmjanlxnc.exe	95
PID 324 wrote to memory of 2168	324	oislmjanlxnc.exe	95
PID 324 wrote to memory of 2168	324	oislmjanlxnc.exe	95
PID 324 wrote to memory of 2168	324	oislmjanlxnc.exe	95
PID 2168 wrote to memory of 772	2168	oislmjanlxnc.exe	96
PID 2168 wrote to memory of 772	2168	oislmjanlxnc.exe	96
PID 2168 wrote to memory of 2568	2168	oislmjanlxnc.exe	100
PID 2168 wrote to memory of 2568	2168	oislmjanlxnc.exe	100
PID 2168 wrote to memory of 2568	2168	oislmjanlxnc.exe	100
PID 2168 wrote to memory of 4236	2168	oislmjanlxnc.exe	101
PID 2168 wrote to memory of 4236	2168	oislmjanlxnc.exe	101
PID 4236 wrote to memory of 4952	4236	msedge.exe	102
PID 4236 wrote to memory of 4952	4236	msedge.exe	102
PID 2168 wrote to memory of 5092	2168	oislmjanlxnc.exe	103
PID 2168 wrote to memory of 5092	2168	oislmjanlxnc.exe	103
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105
PID 4236 wrote to memory of 2152	4236	msedge.exe	105

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	oislmjanlxnc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	oislmjanlxnc.exe

C:\Users\Admin\AppData\Local\Temp\2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\oislmjanlxnc.exe
    C:\Windows\oislmjanlxnc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\oislmjanlxnc.exe
      C:\Windows\oislmjanlxnc.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2168
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c3146f8,0x7ffe3c314708,0x7ffe3c314718
        6⤵
        
        PID:4952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6683275560763384869,14012321246599081341,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        6⤵
        
        PID:2152
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6683275560763384869,14012321246599081341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        6⤵
        
        PID:4476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6683275560763384869,14012321246599081341,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
        6⤵
        
        PID:860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6683275560763384869,14012321246599081341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        6⤵
        
        PID:2728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6683275560763384869,14012321246599081341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        6⤵
        
        PID:4532
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6683275560763384869,14012321246599081341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
        6⤵
        
        PID:2284
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6683275560763384869,14012321246599081341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
        6⤵
        
        PID:3896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6683275560763384869,14012321246599081341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
        6⤵
        
        PID:2756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6683275560763384869,14012321246599081341,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
        6⤵
        
        PID:3024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6683275560763384869,14012321246599081341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
        6⤵
        
        PID:4704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6683275560763384869,14012321246599081341,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
        6⤵
        
        PID:1924
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OISLMJ~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B4D59~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+olaqx.html

Filesize
7KB

MD5
598ca1e0f00ee20c6adff9effd6b6558

SHA1
ce8c8adc5b904566e06b9c7dfacac8193b53688f

SHA256
c6ae8fe61ed7b9386259accf009543d2efe2d7132df7021ca2832fa7ce4b0a21

SHA512
f35d1b30ed6f96277a4b0954f276d8187f90d423f6d17e7c1e5c8995961ac788e2c00f6c4f840eaf80e38c0b0cae9b5fc683534c6c38181e59811e97cc1ab947

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+olaqx.png

Filesize
63KB

MD5
b0ba353d0c35e861e2963d0478528210

SHA1
21cbeb2d4662e4d2297efc9d4ad2226f201ff02d

SHA256
b7bc748bc7044776c5b9fd2fefba9d722e68a4bd653720247140c22e825b8994

SHA512
62c39c73b91aa6fe6953990a66bf2a5467f98ce0fbcf548aa55de6372ffddc5db51b60d6a2523d48802669013e9eda3937669ff611be471e0847681d5b280754

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+olaqx.txt

Filesize
1KB

MD5
aa1e2da8633771873ca13f0c23c054f3

SHA1
f82b7eb17711294785a71bb7a8b92ad7a5ed8ec7

SHA256
59332d6a5557d4c165d6db8b88ffff347e50325683f7fb40c72477c0247c4af3

SHA512
96394a6d5ddfcfb69abe92d08be5dfb52ce369596081392a1f3d1deb2e1bf50086a4b088f600794012a34d4c5d21e81e5b267818ba898077a2e2088ed88c6d06

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
286eea15c2e0a8c4f8d95afad7a60a3b

SHA1
98395bc35838931d7170dde32d7340dafea5e88d

SHA256
51bf68ec14f5bac37e6f73e6d5dc2635c95262c65f2753b925dabe0639101ef9

SHA512
2c17e316be52e38744cde7a33666752bafa1c207880ba7808b2a15556acbf65f9cae191dd02bd4e36361d85ca2d6c5261adc5282530a9c384914765ef4c953aa

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
4ebc1f02838653a3c4898f25e3e349ef

SHA1
b544c4d04a59bfd93dac8914cdb2cc35c3bae7c9

SHA256
8776cfa82e24574306b87ba0748a07822ca446a2cd858029d344189076069859

SHA512
597bbcf5699fc8ae59bc44845b5fe3f720da0beca7032f9c4ce789b7da626ffa5053b908d4621076c5022e741e649b66130ebcbc454a0d8f7a5323cac59d47de

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
044f9af58c6218acbf2a66dc92043fb4

SHA1
2316edcb5b970e11b4afea6abf83085608ff5f69

SHA256
295ba0034a27c7353220b197e71a676a5180dfa906b42d34238550c2fa593b54

SHA512
2640d99b331dc3630ff2663f1437ead5582df008504b43f0d26fd90ef26363b4090b1377e29a4920c5802b953afced32a01237a3e862b322d19752b9e386ed17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c4fae2bdbfb55d82e7bfbf7f810b6947

SHA1
31803c78115648fc61075eb59c64d079bcabd883

SHA256
1938c78caa55ac010cb490c890473ea57834dd26b852cfde44261ee9d3f5b4e2

SHA512
5bf68dce1cd284696d1f59a4a994f4495b4d8875e438b11ab1d7274283219d92238c728c733a0e20625b170db3883139e7cf8e77e78788dc9d29eb53cc0acbfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec23b5c14b67a961c8fb47d36515a08a

SHA1
95cdf6038ae5b89c4e70361ab9b16e1bc4a7d352

SHA256
34fc3ebf151ea695226c4665f78b7b7efad83301405c36b9e55d0a1dafe57a94

SHA512
9027879679174d78dda26b7f27b55043b9d12ecc44eced0fa2bd46cf355a75653824d272279e31d64f6e75782121defcb30de0c34152149fbe45317e7d2d2309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9907e673834553bcd3eaeeaa951cc6cf

SHA1
aac63541d5d0a3e8830f48b2dba86f7b9891e6c5

SHA256
fc7501e5e56b79d6178d8d579723c51a2b3dda9da921c4d4e66e3b18a34ad599

SHA512
06db0a7c44f16d0170d06a46d91aab13a7661aa2073e8d97a52f1d9c5f4507e9ab38d8db40507a591f9c008ff249439bf53587865ba73a79583efb950f1cc6a3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662820354407.txt

Filesize
77KB

MD5
a257e4c7e866759345eb22547e0601af

SHA1
ce607f862cce9d627664b34a3fdc6220b2756831

SHA256
c0a77b48c481a4200cf36ed1ffe6f24e941399f0d965f6a8da0f943a45ee29dd

SHA512
b22a0231b1449ffb51acb951037b1e755d763ded38bd6d004f7497201b447072747346710a2fd30a078188b3919a9d0ee1291931fe3ba7b33921674bbc8a5f55

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664176773847.txt

Filesize
48KB

MD5
383c868216ff959800dd01c363df212c

SHA1
15b9e6ccc4ed94b16f6f15b07439758a61497767

SHA256
4fb2bc4de5a5671d540488ca95d0c59d02a301ea63cbb1d6b8ad56d39dedad82

SHA512
1d6d4f85edc81dfe2ca992ac8d5384852cb708fd845c1a0007f1928e0a97f198a11e3e9f0ac631011c2019ba7c9a1fe838fde81474db82db0d1ccebd191d6743

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727672589120253.txt

Filesize
75KB

MD5
c6b091dfcfdbd744d77bb6137ad5e822

SHA1
2d256626a68f5c46264344ade6872463ab5ab631

SHA256
7059d55da760ccdd675853f677c799e4112d20b4602eff8160f735f46a5df27c

SHA512
0bd58364b5cbb8d0bbeb8a68034af39aa98bfaf06f138efbf2eac084360c169a82f56db0d8f1ed4c2d6282ce3e6328ec6c592694cdde1aad0eda1608d2d8c820

Download Submit
C:\Windows\oislmjanlxnc.exe

Filesize
376KB

MD5
2b4d5982e3909f16967246c9fc4d2451

SHA1
2bd2a2d29679fe8cf68ab8f00ae9ed58f1506c06

SHA256
535bc699baf41334ad3f15528af60df9a8421533068f3f09ed01df212b40b059

SHA512
01d8716520cab4c226135116cc716d5337b54bcfd672fed8ef727b02560ecd1a16c8602bafbdc75fb65eb49f8af9d3add0658c116b9a574fe2183e2f2f9c68cb

Download Submit
memory/324-12-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/1472-5-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download
memory/1472-0-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download
memory/1472-1-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download
memory/2168-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-10581-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-2997-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-3397-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-5797-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-22-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-21-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-9367-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-10572-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-10573-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-2995-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-10582-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2168-10671-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3584-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3584-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3584-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3584-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3584-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download