teslacrypt | 6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Size

388KB
MD5

40707cdcd4220213b9ef2545043d6c99
SHA1

7f9d3ad1125de47368644e29b5d5cd515c6497e8
SHA256

6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f
SHA512

0a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088
SSDEEP

6144:tYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:tnSdO0iNEPn+TGOoYzwscMSOXUIJ

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+wmegn.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C689C4D83559D785 2. http://kkd47eh4hdjshb5t.angortra.at/C689C4D83559D785 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/C689C4D83559D785 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/C689C4D83559D785 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C689C4D83559D785 http://kkd47eh4hdjshb5t.angortra.at/C689C4D83559D785 http://ytrest84y5i456hghadefdsd.pontogrot.com/C689C4D83559D785 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/C689C4D83559D785

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C689C4D83559D785

http://kkd47eh4hdjshb5t.angortra.at/C689C4D83559D785

http://ytrest84y5i456hghadefdsd.pontogrot.com/C689C4D83559D785

http://xlowfznrg4wf7dli.ONION/C689C4D83559D785

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exevilotinklltm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vilotinklltm.exe

Drops startup file 6 IoCs

Processes:

vilotinklltm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wmegn.txt	vilotinklltm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wmegn.html	vilotinklltm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wmegn.txt	vilotinklltm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wmegn.html	vilotinklltm.exe

Executes dropped EXE 2 IoCs

Processes:

vilotinklltm.exevilotinklltm.exe

pid process

4460 vilotinklltm.exe
3648 vilotinklltm.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
4460	vilotinklltm.exe
3648	vilotinklltm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vilotinklltm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thefkhsqaigp = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\vilotinklltm.exe\""	vilotinklltm.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exevilotinklltm.exe

description	pid	process	target process
PID 908 set thread context of 3096	908	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 4460 set thread context of 3648	4460	vilotinklltm.exe	vilotinklltm.exe

Drops file in Program Files directory 64 IoCs

Processes:

vilotinklltm.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-72_altform-unplated.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\Recovery+wmegn.txt	vilotinklltm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\Recovery+wmegn.txt	vilotinklltm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\165.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png	vilotinklltm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.scale-100.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+wmegn.txt	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-100.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.scale-100_contrast-black.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\Recovery+wmegn.html	vilotinklltm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-lightunplated.png	vilotinklltm.exe
File opened for modification	C:\Program Files\Crashpad\Recovery+wmegn.txt	vilotinklltm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-125_contrast-black.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-125.png	vilotinklltm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Recovery+wmegn.html	vilotinklltm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Recovery+wmegn.html	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-125.png	vilotinklltm.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\avatar_default_large.png	vilotinklltm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\Recovery+wmegn.html	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-100_contrast-black.png	vilotinklltm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\190.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\7.jpg	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_contrast-white.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Recovery+wmegn.html	vilotinklltm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-400_contrast-black.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+wmegn.html	vilotinklltm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-125.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+wmegn.html	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\Recovery+wmegn.txt	vilotinklltm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\Recovery+wmegn.html	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\Recovery+wmegn.html	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\Recovery+wmegn.html	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+wmegn.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Recovery+wmegn.txt	vilotinklltm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\Recovery+wmegn.txt	vilotinklltm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16_altform-unplated.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-40_altform-unplated.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-100.png	vilotinklltm.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\Recovery+wmegn.txt	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\MedTile.scale-125.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-20.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-100.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-24.png	vilotinklltm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-32_altform-unplated.png	vilotinklltm.exe

Drops file in Windows directory 2 IoCs

Processes:

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\vilotinklltm.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
File opened for modification	C:\Windows\vilotinklltm.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exevilotinklltm.execmd.exevilotinklltm.exeNOTEPAD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vilotinklltm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vilotinklltm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

vilotinklltm.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings vilotinklltm.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1840 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	vilotinklltm.exe

pid	process
1840	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vilotinklltm.exe

pid	process
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe
3648	vilotinklltm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3516 msedge.exe
3516 msedge.exe
3516 msedge.exe
3516 msedge.exe
3516 msedge.exe
3516 msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exevilotinklltm.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3096	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Token: SeDebugPrivilege	3648	vilotinklltm.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe
Token: 33	556	WMIC.exe
Token: 34	556	WMIC.exe
Token: 35	556	WMIC.exe
Token: 36	556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	476	WMIC.exe
Token: SeSecurityPrivilege	476	WMIC.exe
Token: SeTakeOwnershipPrivilege	476	WMIC.exe
Token: SeLoadDriverPrivilege	476	WMIC.exe
Token: SeSystemProfilePrivilege	476	WMIC.exe
Token: SeSystemtimePrivilege	476	WMIC.exe
Token: SeProfSingleProcessPrivilege	476	WMIC.exe
Token: SeIncBasePriorityPrivilege	476	WMIC.exe
Token: SeCreatePagefilePrivilege	476	WMIC.exe
Token: SeBackupPrivilege	476	WMIC.exe
Token: SeRestorePrivilege	476	WMIC.exe
Token: SeShutdownPrivilege	476	WMIC.exe
Token: SeDebugPrivilege	476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	476	WMIC.exe
Token: SeRemoteShutdownPrivilege	476	WMIC.exe
Token: SeUndockPrivilege	476	WMIC.exe
Token: SeManageVolumePrivilege	476	WMIC.exe
Token: 33	476	WMIC.exe
Token: 34	476	WMIC.exe
Token: 35	476	WMIC.exe
Token: 36	476	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exevilotinklltm.exevilotinklltm.exemsedge.exe

description	pid	process	target process
PID 908 wrote to memory of 3096	908	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 908 wrote to memory of 3096	908	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 908 wrote to memory of 3096	908	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 908 wrote to memory of 3096	908	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 908 wrote to memory of 3096	908	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 908 wrote to memory of 3096	908	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 908 wrote to memory of 3096	908	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 908 wrote to memory of 3096	908	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 908 wrote to memory of 3096	908	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 908 wrote to memory of 3096	908	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 3096 wrote to memory of 4460	3096	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	vilotinklltm.exe
PID 3096 wrote to memory of 4460	3096	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	vilotinklltm.exe
PID 3096 wrote to memory of 4460	3096	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	vilotinklltm.exe
PID 3096 wrote to memory of 3036	3096	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	cmd.exe
PID 3096 wrote to memory of 3036	3096	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	cmd.exe
PID 3096 wrote to memory of 3036	3096	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	cmd.exe
PID 4460 wrote to memory of 3648	4460	vilotinklltm.exe	vilotinklltm.exe
PID 4460 wrote to memory of 3648	4460	vilotinklltm.exe	vilotinklltm.exe
PID 4460 wrote to memory of 3648	4460	vilotinklltm.exe	vilotinklltm.exe
PID 4460 wrote to memory of 3648	4460	vilotinklltm.exe	vilotinklltm.exe
PID 4460 wrote to memory of 3648	4460	vilotinklltm.exe	vilotinklltm.exe
PID 4460 wrote to memory of 3648	4460	vilotinklltm.exe	vilotinklltm.exe
PID 4460 wrote to memory of 3648	4460	vilotinklltm.exe	vilotinklltm.exe
PID 4460 wrote to memory of 3648	4460	vilotinklltm.exe	vilotinklltm.exe
PID 4460 wrote to memory of 3648	4460	vilotinklltm.exe	vilotinklltm.exe
PID 4460 wrote to memory of 3648	4460	vilotinklltm.exe	vilotinklltm.exe
PID 3648 wrote to memory of 556	3648	vilotinklltm.exe	WMIC.exe
PID 3648 wrote to memory of 556	3648	vilotinklltm.exe	WMIC.exe
PID 3648 wrote to memory of 1840	3648	vilotinklltm.exe	NOTEPAD.EXE
PID 3648 wrote to memory of 1840	3648	vilotinklltm.exe	NOTEPAD.EXE
PID 3648 wrote to memory of 1840	3648	vilotinklltm.exe	NOTEPAD.EXE
PID 3648 wrote to memory of 3516	3648	vilotinklltm.exe	msedge.exe
PID 3648 wrote to memory of 3516	3648	vilotinklltm.exe	msedge.exe
PID 3516 wrote to memory of 1336	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 1336	3516	msedge.exe	msedge.exe
PID 3648 wrote to memory of 476	3648	vilotinklltm.exe	WMIC.exe
PID 3648 wrote to memory of 476	3648	vilotinklltm.exe	WMIC.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe
PID 3516 wrote to memory of 2364	3516	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

vilotinklltm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vilotinklltm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vilotinklltm.exe

C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\vilotinklltm.exe
C:\Windows\vilotinklltm.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\vilotinklltm.exe
C:\Windows\vilotinklltm.exe
4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3648

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff825d746f8,0x7ff825d74708,0x7ff825d74718
6⤵
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
6⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
6⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
6⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
6⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
6⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:8
6⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:8
6⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
6⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
6⤵
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
6⤵
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
6⤵
PID:4680

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VILOTI~1.EXE
5⤵
- System Location Discovery: System Language Discovery
PID:4628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\40707C~1.EXE
3⤵
- System Location Discovery: System Language Discovery
PID:3036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+wmegn.html

Filesize
9KB

MD5
41c5ace2dbe23bed6bb7d936a4b06b3a

SHA1
bd5d0de61bd245a1f1864598faaa982776b81a7f

SHA256
7073ddbd42edcf738c0f314fe3f99018125c07e36c16101d4450ddd565b85dce

SHA512
95d41da421cfeed93b6d124bde16a65724eb7ad71dab24afc20fa3b490ede04c31ed617ef8c1c26f3c52dc4843b291522beff9a5df538323218498eec3677b07

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+wmegn.png

Filesize
63KB

MD5
7d1f985518b86ddbec3fbb15942eedd8

SHA1
79d11c74f4e28f19de6111a2a3bc0c72d6da2e89

SHA256
9205cd36fe40e540596379cccc16020da9afbbbcf5750ee44a1daeec79982167

SHA512
1f7951190ba274d918c88f53a175489d7eb19c4ae60039a0c8fd356074263c1b89f525b8deed03f928308d0223f1e3d7d87d32b019093c2f618b184bf14bf1cd

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+wmegn.txt

Filesize
1KB

MD5
e47622354906085e1c64ae46fe0fe62d

SHA1
818b6901540855486d01384af3473fc5ffea4112

SHA256
4b4f96536892f370a2da1705c0f8ebec45bc5116a899509a1187e218b7eb22d8

SHA512
c5ecb0577b02fa01c7d45eb048cc2fed2bf452e60786539591206975fad5324572cfb6fbc0f4797abc61bf5d2ecaca2c8080947d7e73c75e10740764ca42d824

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
c317cf18d3b27d4cf23b694433866334

SHA1
d2789342d66228d3b64f453afa68edd5d7560617

SHA256
279985d783daa0c39b71f0acf19221f6426c799b5d8b4b4eb47d742b9685f2f3

SHA512
08631e05ed8d454763b5201bad3efaf3d9cd20c7e4d556b5c740d9a72a756aeee5afa6a98ac98a7d1acabf6a0711aba8ef4aafd5b2ae53ffad6caa6baa370ec1

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
62c5e4184ee1ee928a6d2778c850c140

SHA1
636447abbf344557bdc17df25c4fb615edf7e228

SHA256
a11901e61fbe4450e60241e5dc20f2032c2f6c3f5e514f34ec39bc5281954c8a

SHA512
c681c443e20aacf24166af05937a3bb913baedbc83aa27848e8284cc73abed6c39e2df4dcac305136cab31a609ec7355be7e842940622470d84c2531b6bf41b3

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
7beee0078ac9aaf779bd749686ff9753

SHA1
dc4eeaa86bb21d579381383f94f9a7e975ef3f0a

SHA256
f0ef975b209a66b179b61fc1fa7304d46a2881960db116756bbf5372449ea656

SHA512
a70946ec312673dbb8e99facffdaadf7f4702d5bac512603a0cd1a27947dc44173537bd4293a3b8f5ce02b345d51ff766fa0dc3295bc4c91ca3bb46bb73bc49b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e6f3f133ef8e40f60d1189e33063466

SHA1
d5327d87606c4685c4cc562af8b28b2bf57e39e0

SHA256
0f614ba9fc3e0914ffecf4e4033c95b162217bbde4a88d4ee49b5c659b9e088e

SHA512
236d578d6b5ca40218bc988d4e4d53a858edbcd53df8a634e6364ce26d0990dc9ff22c9013a74c6b2a1bd1572c234fe5d06def55fac35e6b0b8151427bf4b2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b2cfb53f9a49fd7183a918ce9ccf10c0

SHA1
d5c7e54c132fff7c64131fadda37dd3e559bf1bf

SHA256
8b54c37632236e505c7133626c8dcd354dff0749f0c9e1623e0ddc71d5f7b634

SHA512
dc2687114f23354b572275e9472bac35cfce82047e14908f29a5e5c5db836066f3313bb43d1ae17392668870ac87e9b612311149bba3f4042e6b515e82dd5664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
038e09a1cff564f3e43384511f1a6d16

SHA1
d70e0529ff497d159a9805fcc40995045dc0b7bf

SHA256
77364f010a58587fa47a18febbde2f78a96a5e297cc11df87db8acf39dfa74b2

SHA512
5cfc21871189c908754ef2a48a14a25822f06c22f98d635b9ffd9251e41e936f0da7720a5be845a3f716cde6241a760186b2f9ae9b866b4b34a51644d78f335a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665766873969.txt

Filesize
74KB

MD5
43581398cd4abe88d9268cd69ee71d12

SHA1
128df1b153c3ddc7305e8099a64c0088838bf478

SHA256
1608630ab45004fae7f57e4ce2a8d2b0de9b9fab7cb4dd631f273488a97f3c0a

SHA512
b6f71e54a132a4529404dcecca8ad75421d9f0861561330c73a5898c2221514e376bcde755391aa3dc9c96c03901534af7bfbb7d275d6706ad1ce2a4bb2a8415

Download Submit
C:\Windows\vilotinklltm.exe

Filesize
388KB

MD5
40707cdcd4220213b9ef2545043d6c99

SHA1
7f9d3ad1125de47368644e29b5d5cd515c6497e8

SHA256
6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f

SHA512
0a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088

Download Submit
memory/908-0-0x0000000000EA0000-0x0000000000EA3000-memory.dmp

Filesize
12KB

Download
memory/908-5-0x0000000000EA0000-0x0000000000EA3000-memory.dmp

Filesize
12KB

Download
memory/908-1-0x0000000000EA0000-0x0000000000EA3000-memory.dmp

Filesize
12KB

Download
memory/3096-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3096-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3096-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3096-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3096-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-10825-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-10835-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-3077-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-6125-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-9731-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-10826-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-10834-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-3076-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-598-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-10875-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3648-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4460-12-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download