teslacrypt | 0dc6abd75029b2feb75b9aad880a69b165b1a07fc8b95e99b0d05ca2a415a418

Analysis

max time kernel
142s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de6da54416ced336416b258d5e857d66_JaffaCakes118.exe
Size

336KB
MD5

de6da54416ced336416b258d5e857d66
SHA1

8a409c57dd33e03f70e2e583a9d4a31892316a14
SHA256

0dc6abd75029b2feb75b9aad880a69b165b1a07fc8b95e99b0d05ca2a415a418
SHA512

4e38b95ade98d984910e8c5902a896934c1e7d46814b5f02fc66581c2bda19068257f5b169cc56acabfa6c809ce21143e19de82caa1acf69610025960495c7b7
SSDEEP

6144:p1w0U6D6x4kyjf+g0uc2RTqWmx7Ikw9NShXvSmk2OpXaP/EBySkQ4:pi0Uu6ikyjcuk5y0hXaxpKkB

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+genah.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/38DB2B7A6AF3F13 2. http://tes543berda73i48fsdfsd.keratadze.at/38DB2B7A6AF3F13 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/38DB2B7A6AF3F13 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/38DB2B7A6AF3F13 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/38DB2B7A6AF3F13 http://tes543berda73i48fsdfsd.keratadze.at/38DB2B7A6AF3F13 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/38DB2B7A6AF3F13 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/38DB2B7A6AF3F13

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/38DB2B7A6AF3F13

http://tes543berda73i48fsdfsd.keratadze.at/38DB2B7A6AF3F13

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/38DB2B7A6AF3F13

http://xlowfznrg4wf7dli.ONION/38DB2B7A6AF3F13

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (869) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	oinklltmlnxp.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+genah.html	oinklltmlnxp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+genah.html	oinklltmlnxp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+genah.txt	oinklltmlnxp.exe

Executes dropped EXE 2 IoCs

pid	Process
1100	oinklltmlnxp.exe
2176	oinklltmlnxp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khsqaigpnief = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\oinklltmlnxp.exe\""	oinklltmlnxp.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3612 set thread context of 3124	3612	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	98
PID 1100 set thread context of 2176	1100	oinklltmlnxp.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-200.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+genah.html	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-200.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Recovery+genah.html	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\MoveToFolderToastQuickAction.scale-80.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Recovery+genah.html	oinklltmlnxp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\fb_blank_profile_portrait.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\4.jpg	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\Recovery+genah.html	oinklltmlnxp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\MutableBackup\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200_contrast-black.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-400.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-64_altform-unplated.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\2876_24x24x32.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-400.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-unplated_contrast-black.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_contrast-high.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-200.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-36_altform-unplated.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Mutable\Recovery+genah.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200_contrast-white.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_contrast-white.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-400_contrast-black.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-30.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_contrast-high.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7734_20x20x32.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-64.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Recovery+genah.html	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\pstn\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-150.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\Recovery+genah.html	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-100_contrast-black.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\Recovery+genah.html	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Recovery+genah.txt	oinklltmlnxp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png	oinklltmlnxp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\oinklltmlnxp.exe	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe
File opened for modification	C:\Windows\oinklltmlnxp.exe	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oinklltmlnxp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oinklltmlnxp.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	oinklltmlnxp.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
772	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe
2176	oinklltmlnxp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe
Token: SeDebugPrivilege	2176	oinklltmlnxp.exe
Token: SeIncreaseQuotaPrivilege	1096	WMIC.exe
Token: SeSecurityPrivilege	1096	WMIC.exe
Token: SeTakeOwnershipPrivilege	1096	WMIC.exe
Token: SeLoadDriverPrivilege	1096	WMIC.exe
Token: SeSystemProfilePrivilege	1096	WMIC.exe
Token: SeSystemtimePrivilege	1096	WMIC.exe
Token: SeProfSingleProcessPrivilege	1096	WMIC.exe
Token: SeIncBasePriorityPrivilege	1096	WMIC.exe
Token: SeCreatePagefilePrivilege	1096	WMIC.exe
Token: SeBackupPrivilege	1096	WMIC.exe
Token: SeRestorePrivilege	1096	WMIC.exe
Token: SeShutdownPrivilege	1096	WMIC.exe
Token: SeDebugPrivilege	1096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1096	WMIC.exe
Token: SeRemoteShutdownPrivilege	1096	WMIC.exe
Token: SeUndockPrivilege	1096	WMIC.exe
Token: SeManageVolumePrivilege	1096	WMIC.exe
Token: 33	1096	WMIC.exe
Token: 34	1096	WMIC.exe
Token: 35	1096	WMIC.exe
Token: 36	1096	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1096	WMIC.exe
Token: SeSecurityPrivilege	1096	WMIC.exe
Token: SeTakeOwnershipPrivilege	1096	WMIC.exe
Token: SeLoadDriverPrivilege	1096	WMIC.exe
Token: SeSystemProfilePrivilege	1096	WMIC.exe
Token: SeSystemtimePrivilege	1096	WMIC.exe
Token: SeProfSingleProcessPrivilege	1096	WMIC.exe
Token: SeIncBasePriorityPrivilege	1096	WMIC.exe
Token: SeCreatePagefilePrivilege	1096	WMIC.exe
Token: SeBackupPrivilege	1096	WMIC.exe
Token: SeRestorePrivilege	1096	WMIC.exe
Token: SeShutdownPrivilege	1096	WMIC.exe
Token: SeDebugPrivilege	1096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1096	WMIC.exe
Token: SeRemoteShutdownPrivilege	1096	WMIC.exe
Token: SeUndockPrivilege	1096	WMIC.exe
Token: SeManageVolumePrivilege	1096	WMIC.exe
Token: 33	1096	WMIC.exe
Token: 34	1096	WMIC.exe
Token: 35	1096	WMIC.exe
Token: 36	1096	WMIC.exe
Token: SeBackupPrivilege	232	vssvc.exe
Token: SeRestorePrivilege	232	vssvc.exe
Token: SeAuditPrivilege	232	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1756	WMIC.exe
Token: SeSecurityPrivilege	1756	WMIC.exe
Token: SeTakeOwnershipPrivilege	1756	WMIC.exe
Token: SeLoadDriverPrivilege	1756	WMIC.exe
Token: SeSystemProfilePrivilege	1756	WMIC.exe
Token: SeSystemtimePrivilege	1756	WMIC.exe
Token: SeProfSingleProcessPrivilege	1756	WMIC.exe
Token: SeIncBasePriorityPrivilege	1756	WMIC.exe
Token: SeCreatePagefilePrivilege	1756	WMIC.exe
Token: SeBackupPrivilege	1756	WMIC.exe
Token: SeRestorePrivilege	1756	WMIC.exe
Token: SeShutdownPrivilege	1756	WMIC.exe
Token: SeDebugPrivilege	1756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1756	WMIC.exe
Token: SeRemoteShutdownPrivilege	1756	WMIC.exe
Token: SeUndockPrivilege	1756	WMIC.exe
Token: SeManageVolumePrivilege	1756	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 3124	3612	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	98
PID 3612 wrote to memory of 3124	3612	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	98
PID 3612 wrote to memory of 3124	3612	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	98
PID 3612 wrote to memory of 3124	3612	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	98
PID 3612 wrote to memory of 3124	3612	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	98
PID 3612 wrote to memory of 3124	3612	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	98
PID 3612 wrote to memory of 3124	3612	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	98
PID 3612 wrote to memory of 3124	3612	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	98
PID 3612 wrote to memory of 3124	3612	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	98
PID 3124 wrote to memory of 1100	3124	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	99
PID 3124 wrote to memory of 1100	3124	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	99
PID 3124 wrote to memory of 1100	3124	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	99
PID 3124 wrote to memory of 2468	3124	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	100
PID 3124 wrote to memory of 2468	3124	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	100
PID 3124 wrote to memory of 2468	3124	de6da54416ced336416b258d5e857d66_JaffaCakes118.exe	100
PID 1100 wrote to memory of 2176	1100	oinklltmlnxp.exe	103
PID 1100 wrote to memory of 2176	1100	oinklltmlnxp.exe	103
PID 1100 wrote to memory of 2176	1100	oinklltmlnxp.exe	103
PID 1100 wrote to memory of 2176	1100	oinklltmlnxp.exe	103
PID 1100 wrote to memory of 2176	1100	oinklltmlnxp.exe	103
PID 1100 wrote to memory of 2176	1100	oinklltmlnxp.exe	103
PID 1100 wrote to memory of 2176	1100	oinklltmlnxp.exe	103
PID 1100 wrote to memory of 2176	1100	oinklltmlnxp.exe	103
PID 1100 wrote to memory of 2176	1100	oinklltmlnxp.exe	103
PID 2176 wrote to memory of 1096	2176	oinklltmlnxp.exe	104
PID 2176 wrote to memory of 1096	2176	oinklltmlnxp.exe	104
PID 2176 wrote to memory of 772	2176	oinklltmlnxp.exe	110
PID 2176 wrote to memory of 772	2176	oinklltmlnxp.exe	110
PID 2176 wrote to memory of 772	2176	oinklltmlnxp.exe	110
PID 2176 wrote to memory of 4092	2176	oinklltmlnxp.exe	111
PID 2176 wrote to memory of 4092	2176	oinklltmlnxp.exe	111
PID 4092 wrote to memory of 1420	4092	msedge.exe	112
PID 4092 wrote to memory of 1420	4092	msedge.exe	112
PID 2176 wrote to memory of 1756	2176	oinklltmlnxp.exe	113
PID 2176 wrote to memory of 1756	2176	oinklltmlnxp.exe	113
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116
PID 4092 wrote to memory of 5024	4092	msedge.exe	116

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	oinklltmlnxp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	oinklltmlnxp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\de6da54416ced336416b258d5e857d66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de6da54416ced336416b258d5e857d66_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\de6da54416ced336416b258d5e857d66_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\de6da54416ced336416b258d5e857d66_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\oinklltmlnxp.exe
    C:\Windows\oinklltmlnxp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\oinklltmlnxp.exe
      C:\Windows\oinklltmlnxp.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2176
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa965d46f8,0x7ffa965d4708,0x7ffa965d4718
        6⤵
        
        PID:1420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,1898319300761815376,5566109567600786654,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        6⤵
        
        PID:5024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,1898319300761815376,5566109567600786654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        6⤵
        
        PID:1476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,1898319300761815376,5566109567600786654,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
        6⤵
        
        PID:3604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1898319300761815376,5566109567600786654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        6⤵
        
        PID:1176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1898319300761815376,5566109567600786654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        6⤵
        
        PID:1464
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,1898319300761815376,5566109567600786654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
        6⤵
        
        PID:840
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,1898319300761815376,5566109567600786654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
        6⤵
        
        PID:4676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1898319300761815376,5566109567600786654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
        6⤵
        
        PID:3936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1898319300761815376,5566109567600786654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
        6⤵
        
        PID:4364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1898319300761815376,5566109567600786654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
        6⤵
        
        PID:1644
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1898319300761815376,5566109567600786654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        6⤵
        
        PID:4916
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OINKLL~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\DE6DA5~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+genah.html

Filesize
11KB

MD5
0379396790585017a7233896e70df5b8

SHA1
dc2959aa4c7c9ea005ad5aa3486df32424707dfb

SHA256
b719b3dcb00ac0f507654f11afd3718bc7fcd847533a07dd93412c98a1409196

SHA512
8967da2e0e88a68b777c1eafd16ab638ca7178e6051d594a845993ee6b56881fa647feb60ca2b1cf37f6d8c98ec7705b2420a6be0df0a31d257b585e762556df

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+genah.png

Filesize
62KB

MD5
196dffa3e29eaaeae28d2cce20f1ba1f

SHA1
975ba9ddd6a0cbfef7268b8065efc334fc33db0e

SHA256
332cdee0106b88794a087ae91df7425d91853e93db996b005515805952b34fc3

SHA512
36cb6ba3ae5acf67b7089af5ccec3219c597b8558212c2bc26bcf2084dcd00d859f415ac4cb35258af3e0052d582e5d6bb6ead62d8efe6105833f271312c7f46

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+genah.txt

Filesize
1KB

MD5
0f25d6a990f349bae3804b116a1ad6a9

SHA1
711316aee182227fecea1f88b717cb8cf5c64be9

SHA256
c772487a22f0f6c259045f87bde1cd3573336d3cf138c10ae72421c2aaedf966

SHA512
9b1dee67d13ee7a76c2b355b8b16d7d9ea6fc2260fa277b3f3da48f72c42b67316b9e355933fe8a959bd0171f481c6bf84524ecbace518f0522cf8a9f0e0cfa7

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
a055ed183faa9f7b7463a611d8032086

SHA1
0eb551969e1da02402d972d888a7adf4e2af9fcd

SHA256
62708d12a7a808e25798550e9c2cb04b4687e0cc47602541bf032dd73d5fbb8d

SHA512
49550a64278d170376a1a6c8bd34a998c018706c1bb097649ac1b4e37c8322fac6be8409b19c15af995401a61fd59eb7478da222f475916d11097e99cd24d627

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
a79fb5894ed9b33d974c1cd304dd206a

SHA1
2d79f1990950ab6dde5a374ac479544639330cb4

SHA256
724f87d5faa9e0209541f2e9238843b5dad2949b04fb0c67a3dfaf1d645d308e

SHA512
f2e201fee62f67fd2cd159040f5092e8a6af32a462c59269a276f7ad08ad9cbe2d8e032f93b423ec838d7abdb1bea2cf9d8206c3651f5e3e9dddda834d28146f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
5e33a36781b5a94eabcfd2b085f0e440

SHA1
babe410df18950522cdbd700d0ab4dae2edb3baa

SHA256
5a9c17a6dfbe9cf8b303bccaf57f810617e039ae9eee3ce87f755bd01a5d5a5d

SHA512
6e1f02f46f205252de2ac60919a276f6a6103d9dcab8dc45772112454a09543565599507899f38d877ac69a0b87b17cc2375309a6955f946f9bfab52f47cdbdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2abd4adf599d46bfa3e770a83b332484

SHA1
cb84b10c785404acf59084965cf6edf85a6f4b8b

SHA256
47ebd77d021881c3d02e48c0eec834b02895dd721767fefc6e71157378bf9a07

SHA512
3c41871a116162f6c7c604e0c071879b16fa7e0afb6e99b9c5875915280e1587622bcc51ae100a36b35021f214d1797f5012fd95ff9368b5b0b610dfd1892842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7cc464dd44b73f2bfe36f75fc8f7c945

SHA1
2ffe8454384b0b8e2322d8e6c6c2c65cee274bc1

SHA256
b65802d6a221a1e92f83b83267045fce0a8de24970a7132233fd5132fee277fe

SHA512
a7c0cd3ae25fa45eae9f58247bedf05f685bbeda7f3863c11dfb7de75576cb2633ed17e2bec0c89f9c6453ba877248a3de2715121fbcfd36672a8d6bc7667ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c982c06daeb3c3311a921cf761247532

SHA1
864fc66520923377acb405feea41e7f4ec3a33a0

SHA256
fe4dd86f0f7f8b3c9f252ce7c0c314b353c6ec1e802a0c14f9098a70d2df360a

SHA512
bfd5aa23d704ab225a9857a1547ce71ed70bf8582225eac9601da4a24e93f3b4b6670b9efdeaac880f66f50ff7f962ea86ec42f42f72cbe8302ee79893d4a17e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662898920525.txt

Filesize
77KB

MD5
fed58b7792c1d353d8c309d07a340697

SHA1
07b2ba374c1874714971f2cb95f5d48b98072b45

SHA256
eff4fb5030891e349bc5ef0453c42f923026f903e209f37e5b5d99f40133076b

SHA512
7386f10f0f1e3065c2ec1128625fb34ce60d4326fa14c2f5424b50c807fea09c7075a9f7e99b5ff202c020b84fcad6bcaa4de4f262a5d32834f5e60022ec57d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727672984949051.txt

Filesize
74KB

MD5
a61285805253e7c227bb7ebd78042e84

SHA1
e5b8fd16770366bc8497b9d4d608b3d14c11c344

SHA256
9c2d86ea67bfd060658a7b6adb7c167953da31863943ee185c26b767056a5a9b

SHA512
058d270ff1febbe095ce148af82b263b8469b4c4bb78f202dff273a34eda1ab140fb8532e8c16978a8ab4dd9a9bc73a5b51f57e58812f6e95bf8cc1619f9eb62

Download Submit
C:\Windows\oinklltmlnxp.exe

Filesize
336KB

MD5
de6da54416ced336416b258d5e857d66

SHA1
8a409c57dd33e03f70e2e583a9d4a31892316a14

SHA256
0dc6abd75029b2feb75b9aad880a69b165b1a07fc8b95e99b0d05ca2a415a418

SHA512
4e38b95ade98d984910e8c5902a896934c1e7d46814b5f02fc66581c2bda19068257f5b169cc56acabfa6c809ce21143e19de82caa1acf69610025960495c7b7

Download Submit
memory/1100-11-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/2176-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-10715-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-22-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-1653-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-2281-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-2280-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-4619-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-7830-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-10509-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-10716-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-10724-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-10725-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-10787-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3124-12-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3124-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3124-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3124-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3124-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3612-5-0x00000000007F0000-0x00000000007F3000-memory.dmp

Filesize
12KB

Download
memory/3612-0-0x00000000007F0000-0x00000000007F3000-memory.dmp

Filesize
12KB

Download