teslacrypt | 9c5feadf74c3a5ce0b40d5402f0f1ded6aea80b517c016a179b02f38a22aa489

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2024, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
Size

376KB
MD5

97020660b63757de9c0e8ad51eed9acf
SHA1

bc75b2b04ec8591829a69a7634698c2d7ff406b5
SHA256

9c5feadf74c3a5ce0b40d5402f0f1ded6aea80b517c016a179b02f38a22aa489
SHA512

a6cc6b7c7c8d16419b826affc813ea5cff9501133c5bc386217fa686c35906404a937630bdbcdee193273e5c22872f891e1a40d332393480c8d684ea8bec0f67
SSDEEP

6144:ie3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:iY5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+ollwb.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/682EAFD4985674FD 2. http://kkd47eh4hdjshb5t.angortra.at/682EAFD4985674FD 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/682EAFD4985674FD If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/682EAFD4985674FD 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/682EAFD4985674FD http://kkd47eh4hdjshb5t.angortra.at/682EAFD4985674FD http://ytrest84y5i456hghadefdsd.pontogrot.com/682EAFD4985674FD *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/682EAFD4985674FD

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/682EAFD4985674FD

http://kkd47eh4hdjshb5t.angortra.at/682EAFD4985674FD

http://ytrest84y5i456hghadefdsd.pontogrot.com/682EAFD4985674FD

http://xlowfznrg4wf7dli.ONION/682EAFD4985674FD

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (891) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sjryudnmkoeb.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ollwb.txt	sjryudnmkoeb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ollwb.html	sjryudnmkoeb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ollwb.txt	sjryudnmkoeb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ollwb.html	sjryudnmkoeb.exe

Executes dropped EXE 2 IoCs

pid	Process
5024	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mnnssspyjgpg = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\sjryudnmkoeb.exe\""	sjryudnmkoeb.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 848	2128	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	98
PID 5024 set thread context of 3048	5024	sjryudnmkoeb.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_altform-lightunplated.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-60.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\Recovery+ollwb.txt	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated_contrast-black.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-100_contrast-white.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-colorize.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-150.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-200.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\Recovery+ollwb.html	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Recovery+ollwb.html	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\Recovery+ollwb.txt	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+ollwb.html	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\CloseOptimize.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\55.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\Recovery+ollwb.txt	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\Recovery+ollwb.html	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-16_contrast-white.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-125.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\SmallTile.scale-200.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\Recovery+ollwb.txt	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-250.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-100.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\Recovery+ollwb.html	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-125.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-16_altform-lightunplated.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\Recovery+ollwb.txt	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+ollwb.txt	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-16_contrast-white.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_LargeTile.scale-125.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Diagram_Lines.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Nose.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-16.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-lightunplated.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+ollwb.txt	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+ollwb.txt	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-100.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-400.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-400_contrast-white.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\View3d\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\Recovery+ollwb.txt	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-lightunplated.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+ollwb.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-30.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-96_altform-unplated_contrast-black.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-unplated.png	sjryudnmkoeb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\Recovery+ollwb.txt	sjryudnmkoeb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sjryudnmkoeb.exe	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
File opened for modification	C:\Windows\sjryudnmkoeb.exe	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sjryudnmkoeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sjryudnmkoeb.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sjryudnmkoeb.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4920	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe
3048	sjryudnmkoeb.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
Token: SeDebugPrivilege	3048	sjryudnmkoeb.exe
Token: SeIncreaseQuotaPrivilege	2260	WMIC.exe
Token: SeSecurityPrivilege	2260	WMIC.exe
Token: SeTakeOwnershipPrivilege	2260	WMIC.exe
Token: SeLoadDriverPrivilege	2260	WMIC.exe
Token: SeSystemProfilePrivilege	2260	WMIC.exe
Token: SeSystemtimePrivilege	2260	WMIC.exe
Token: SeProfSingleProcessPrivilege	2260	WMIC.exe
Token: SeIncBasePriorityPrivilege	2260	WMIC.exe
Token: SeCreatePagefilePrivilege	2260	WMIC.exe
Token: SeBackupPrivilege	2260	WMIC.exe
Token: SeRestorePrivilege	2260	WMIC.exe
Token: SeShutdownPrivilege	2260	WMIC.exe
Token: SeDebugPrivilege	2260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2260	WMIC.exe
Token: SeRemoteShutdownPrivilege	2260	WMIC.exe
Token: SeUndockPrivilege	2260	WMIC.exe
Token: SeManageVolumePrivilege	2260	WMIC.exe
Token: 33	2260	WMIC.exe
Token: 34	2260	WMIC.exe
Token: 35	2260	WMIC.exe
Token: 36	2260	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4644	WMIC.exe
Token: SeSecurityPrivilege	4644	WMIC.exe
Token: SeTakeOwnershipPrivilege	4644	WMIC.exe
Token: SeLoadDriverPrivilege	4644	WMIC.exe
Token: SeSystemProfilePrivilege	4644	WMIC.exe
Token: SeSystemtimePrivilege	4644	WMIC.exe
Token: SeProfSingleProcessPrivilege	4644	WMIC.exe
Token: SeIncBasePriorityPrivilege	4644	WMIC.exe
Token: SeCreatePagefilePrivilege	4644	WMIC.exe
Token: SeBackupPrivilege	4644	WMIC.exe
Token: SeRestorePrivilege	4644	WMIC.exe
Token: SeShutdownPrivilege	4644	WMIC.exe
Token: SeDebugPrivilege	4644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4644	WMIC.exe
Token: SeRemoteShutdownPrivilege	4644	WMIC.exe
Token: SeUndockPrivilege	4644	WMIC.exe
Token: SeManageVolumePrivilege	4644	WMIC.exe
Token: 33	4644	WMIC.exe
Token: 34	4644	WMIC.exe
Token: 35	4644	WMIC.exe
Token: 36	4644	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 848	2128	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	98
PID 2128 wrote to memory of 848	2128	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	98
PID 2128 wrote to memory of 848	2128	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	98
PID 2128 wrote to memory of 848	2128	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	98
PID 2128 wrote to memory of 848	2128	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	98
PID 2128 wrote to memory of 848	2128	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	98
PID 2128 wrote to memory of 848	2128	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	98
PID 2128 wrote to memory of 848	2128	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	98
PID 2128 wrote to memory of 848	2128	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	98
PID 2128 wrote to memory of 848	2128	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	98
PID 848 wrote to memory of 5024	848	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	99
PID 848 wrote to memory of 5024	848	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	99
PID 848 wrote to memory of 5024	848	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	99
PID 848 wrote to memory of 4884	848	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	100
PID 848 wrote to memory of 4884	848	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	100
PID 848 wrote to memory of 4884	848	97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe	100
PID 5024 wrote to memory of 3048	5024	sjryudnmkoeb.exe	103
PID 5024 wrote to memory of 3048	5024	sjryudnmkoeb.exe	103
PID 5024 wrote to memory of 3048	5024	sjryudnmkoeb.exe	103
PID 5024 wrote to memory of 3048	5024	sjryudnmkoeb.exe	103
PID 5024 wrote to memory of 3048	5024	sjryudnmkoeb.exe	103
PID 5024 wrote to memory of 3048	5024	sjryudnmkoeb.exe	103
PID 5024 wrote to memory of 3048	5024	sjryudnmkoeb.exe	103
PID 5024 wrote to memory of 3048	5024	sjryudnmkoeb.exe	103
PID 5024 wrote to memory of 3048	5024	sjryudnmkoeb.exe	103
PID 5024 wrote to memory of 3048	5024	sjryudnmkoeb.exe	103
PID 3048 wrote to memory of 2260	3048	sjryudnmkoeb.exe	104
PID 3048 wrote to memory of 2260	3048	sjryudnmkoeb.exe	104
PID 3048 wrote to memory of 4920	3048	sjryudnmkoeb.exe	108
PID 3048 wrote to memory of 4920	3048	sjryudnmkoeb.exe	108
PID 3048 wrote to memory of 4920	3048	sjryudnmkoeb.exe	108
PID 3048 wrote to memory of 4012	3048	sjryudnmkoeb.exe	109
PID 3048 wrote to memory of 4012	3048	sjryudnmkoeb.exe	109
PID 4012 wrote to memory of 2020	4012	msedge.exe	110
PID 4012 wrote to memory of 2020	4012	msedge.exe	110
PID 3048 wrote to memory of 4644	3048	sjryudnmkoeb.exe	111
PID 3048 wrote to memory of 4644	3048	sjryudnmkoeb.exe	111
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113
PID 4012 wrote to memory of 1752	4012	msedge.exe	113

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sjryudnmkoeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	sjryudnmkoeb.exe

C:\Users\Admin\AppData\Local\Temp\97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\sjryudnmkoeb.exe
    C:\Windows\sjryudnmkoeb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\sjryudnmkoeb.exe
      C:\Windows\sjryudnmkoeb.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3048
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:4920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9accf46f8,0x7ff9accf4708,0x7ff9accf4718
        6⤵
        
        PID:2020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,8487353089822278591,15472581280195637392,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        6⤵
        
        PID:1752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,8487353089822278591,15472581280195637392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        6⤵
        
        PID:4556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,8487353089822278591,15472581280195637392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
        6⤵
        
        PID:2252
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8487353089822278591,15472581280195637392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
        6⤵
        
        PID:2696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8487353089822278591,15472581280195637392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        6⤵
        
        PID:4376
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,8487353089822278591,15472581280195637392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
        6⤵
        
        PID:4384
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,8487353089822278591,15472581280195637392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
        6⤵
        
        PID:3960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8487353089822278591,15472581280195637392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
        6⤵
        
        PID:1164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8487353089822278591,15472581280195637392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
        6⤵
        
        PID:1136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8487353089822278591,15472581280195637392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
        6⤵
        
        PID:4472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8487353089822278591,15472581280195637392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
        6⤵
        
        PID:4392
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SJRYUD~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\970206~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+ollwb.html

Filesize
7KB

MD5
fbc9bab797f6a26726f4e6c1fb8a4c51

SHA1
316a391ae3c92be3c0ba9f0b4b8a236e14c16983

SHA256
3dfe802129f5f1dcfda3222eb24a5523938d6634b74186cad70d16b12c78b7fd

SHA512
21a30727fb28f80728e40c1ca9495d29279019f6234f0bbc1c9aa44696d3a3511f47c9895878fab650e8e08caabeaae33f37962c9010f89cd0803355a3723758

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+ollwb.png

Filesize
63KB

MD5
3aa2b08a4d097d85c6df64acc6637dfa

SHA1
3b8064c3915d9c00af6ecb6ac10d0155424ad790

SHA256
fff0c3b2c78fa6d104e92a3b94bb0bd5551febdb865c98f1beec0729d1170343

SHA512
b7bfa14e91d74f7990e3cd0afe2eb1e0f644075b58a45218190979b881056b793590ea20584297899410d9970cb80c87d21b671b079a361748285b3269fefa9b

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+ollwb.txt

Filesize
1KB

MD5
21802e2285329ffa2834857489cd5988

SHA1
63e71ef88a6226dd1b5efb6828b84ca767fb2f50

SHA256
cb734225b26907e2e76de0e76fc826979403b781876200a272ae3b2ce42e19c8

SHA512
760145c6ea99f87be18d769e227be7d523aeb90fe6f82b26a526524b61be36e4f8d36d4ed61c292c07e1fd857225e06e7935009ac3733499435dc179be5bbfb2

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
012c28e82b12ef656634e330da6c667f

SHA1
65f42fc92d364b323ef8bf4a36548e6df2b833c0

SHA256
c182545e83d43b356f151ca0c6a4c9c6aa4566740de38904b266e9d9baa4a0be

SHA512
2f61b57aae6b4b06e1ba34d5a1a3e7f3558ca9794b4327601a0028508789f9e90222daad812d24238487e902e9e600157318edbbf0af6f32759234b7bee38245

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
98fe303ce3dd70b793f1d7561eabaee5

SHA1
8ef195c404e72275c7d000f87e2a7abcff823a8a

SHA256
2c08f202469d344573dca2cea6625d27c2fbf81e8585b756e0887dc0a05ac432

SHA512
1b32da9049c6da290620c77683b63a7fbfc3599a98a712a46b50ddd15c0c912df1af1e54aae31cfaae56e6e4072b0d92602464084a3595ac45e30cab04124af5

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
a9693ff7baf81f52a36e3f176f9cb996

SHA1
a964fe1adec12f8a3c59cd69ecdff6e4075e9d18

SHA256
d1ce9ec509a61cb0bea432fcb445045e65f7ae91ab78ca0da07c61d89a05dd11

SHA512
c08180c2957d71c66aafeaf0c4b3dad4525c946cd8d40d09f496b2cb12620b054984a6b2588f0b5bfc3ba4b419535c65de868c70c8c13bf77813d6d487a462e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3b4af2db-772c-4bfc-b6ee-37922dd66798.tmp

Filesize
5KB

MD5
2424efc63756260cac1ea9a798beeb14

SHA1
cb094575895089735ab80038f395f59f5bd766d2

SHA256
e7b8af9501853f507cc84c02a1f70186a6b4ffaeba41254239d083b48ebe1c57

SHA512
bd2f13af888698b53b69e0535b709d2931963079dfa2152c8b687d5caf38f2b145c25768c65a0027c17a87da31182d9de224b74570f84ed4b530a351f4aa596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
260087d1fe0926ec33e3c57fc956cde5

SHA1
e2d0eb10cf478534834351c19f5bbf7d759fc898

SHA256
b50e35860e54fec839ed8ff37175f4e0a8bb3abb50bf77c203e6597e001bef41

SHA512
75f6d8c130df847c55eb3c5d60eb62bb6a8d0e4ec5b82ca6d3f2cdf83972fe77b31b86d18f07b7fdbba9ee282790ee5506c9cd36e76e365803cf9a01b9d0cd9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
29efa02236986958cc1f46bccec7379c

SHA1
35635dbfb9a298641c399dbd9a18a2943791d542

SHA256
4843652785fc85957329802afbae8c1a5a0b132a131d353c24fb167b25b74dc1

SHA512
1f1fb132f3d397836289a42fac542eaf0acfabc21594bc55cd2bbbfee16b6d0b924fee93fd00f78a0835f60e5ef3b523e679210687b1829580c3d136d339edb6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662898920525.txt

Filesize
77KB

MD5
eb2f739c4740f5d6a00e2996107625bf

SHA1
0d9819aa300f6158263a3ab6e1ed21dbbc13b246

SHA256
1950ff9bce8a50584916d708069caa3c1f5c4d32e1bcdcd6db2fd99ae52c306d

SHA512
0ff18ec5e97900bff2fa7c051ec80e8dc805a370240938c2d8b017a71cd7ec0f0411679b9892bb3d89c205366a10fffa22418738266b0d0ad1bdfcd00aa0388f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727672984949051.txt

Filesize
74KB

MD5
edf7288ce24869c51aab6c4cb336ef93

SHA1
9adcd8a5f472bc28734909ef37d4e13ab8a3bcc1

SHA256
3ee95c7963214d9041430ee984e648340b43a76c6738e72dde7a8330c2462ef2

SHA512
0ef1f00fa36429996de6a0308db2c7de041d999756f5ee344fb87affacfc810711cac35e7279979c879eeed1e187231bb225f22ab17923b441a26a9f0e26615c

Download Submit
C:\Windows\sjryudnmkoeb.exe

Filesize
376KB

MD5
97020660b63757de9c0e8ad51eed9acf

SHA1
bc75b2b04ec8591829a69a7634698c2d7ff406b5

SHA256
9c5feadf74c3a5ce0b40d5402f0f1ded6aea80b517c016a179b02f38a22aa489

SHA512
a6cc6b7c7c8d16419b826affc813ea5cff9501133c5bc386217fa686c35906404a937630bdbcdee193273e5c22872f891e1a40d332393480c8d684ea8bec0f67

Download Submit
memory/848-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/848-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/848-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/848-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/848-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2128-5-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download
memory/2128-1-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download
memory/2128-0-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download
memory/3048-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-7570-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-4409-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-2395-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-10278-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-10769-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-10770-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-10778-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-10779-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-2391-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-569-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-10820-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3048-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5024-12-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download