teslacrypt | 5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

Analysis

max time kernel
150s
max time network
158s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

demo_teslacrypt.exe
Size

360KB
MD5

9ce01dfbf25dfea778e57d8274675d6f
SHA1

1bd767beb5bc36b396ca6405748042640ad57526
SHA256

5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
SHA512

d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
SSDEEP

6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB

Score

10^/10

teslacrypt persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+yrkky.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/89DF05129DE5C71 2. http://tes543berda73i48fsdfsd.keratadze.at/89DF05129DE5C71 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/89DF05129DE5C71 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/89DF05129DE5C71 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/89DF05129DE5C71 http://tes543berda73i48fsdfsd.keratadze.at/89DF05129DE5C71 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/89DF05129DE5C71 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/89DF05129DE5C71

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/89DF05129DE5C71

http://tes543berda73i48fsdfsd.keratadze.at/89DF05129DE5C71

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/89DF05129DE5C71

http://xlowfznrg4wf7dli.ONION/89DF05129DE5C71

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (177) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2172	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	hcfhrexsntpa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvdacbqdlyjj = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\hcfhrexsntpa.exe\""	hcfhrexsntpa.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\_RECOVERY_+yrkky.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_RECOVERY_+yrkky.html	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_RECOVERY_+yrkky.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_RECOVERY_+yrkky.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_RECOVERY_+yrkky.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_RECOVERY_+yrkky.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\_RECOVERY_+yrkky.html	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\_RECOVERY_+yrkky.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\_RECOVERY_+yrkky.html	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_RECOVERY_+yrkky.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\_RECOVERY_+yrkky.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_RECOVERY_+yrkky.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\_RECOVERY_+yrkky.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_RECOVERY_+yrkky.html	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\_RECOVERY_+yrkky.html	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_RECOVERY_+yrkky.html	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\_RECOVERY_+yrkky.html	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\_RECOVERY_+yrkky.html	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Internet Explorer\images\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_RECOVERY_+yrkky.txt	hcfhrexsntpa.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\hcfhrexsntpa.exe	demo_teslacrypt.exe
File opened for modification	C:\Windows\hcfhrexsntpa.exe	demo_teslacrypt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe
2676	hcfhrexsntpa.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	demo_teslacrypt.exe
Token: SeDebugPrivilege	2676	hcfhrexsntpa.exe
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe
Token: SeTakeOwnershipPrivilege	2596	WMIC.exe
Token: SeLoadDriverPrivilege	2596	WMIC.exe
Token: SeSystemProfilePrivilege	2596	WMIC.exe
Token: SeSystemtimePrivilege	2596	WMIC.exe
Token: SeProfSingleProcessPrivilege	2596	WMIC.exe
Token: SeIncBasePriorityPrivilege	2596	WMIC.exe
Token: SeCreatePagefilePrivilege	2596	WMIC.exe
Token: SeBackupPrivilege	2596	WMIC.exe
Token: SeRestorePrivilege	2596	WMIC.exe
Token: SeShutdownPrivilege	2596	WMIC.exe
Token: SeDebugPrivilege	2596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2596	WMIC.exe
Token: SeRemoteShutdownPrivilege	2596	WMIC.exe
Token: SeUndockPrivilege	2596	WMIC.exe
Token: SeManageVolumePrivilege	2596	WMIC.exe
Token: 33	2596	WMIC.exe
Token: 34	2596	WMIC.exe
Token: 35	2596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe
Token: SeTakeOwnershipPrivilege	2596	WMIC.exe
Token: SeLoadDriverPrivilege	2596	WMIC.exe
Token: SeSystemProfilePrivilege	2596	WMIC.exe
Token: SeSystemtimePrivilege	2596	WMIC.exe
Token: SeProfSingleProcessPrivilege	2596	WMIC.exe
Token: SeIncBasePriorityPrivilege	2596	WMIC.exe
Token: SeCreatePagefilePrivilege	2596	WMIC.exe
Token: SeBackupPrivilege	2596	WMIC.exe
Token: SeRestorePrivilege	2596	WMIC.exe
Token: SeShutdownPrivilege	2596	WMIC.exe
Token: SeDebugPrivilege	2596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2596	WMIC.exe
Token: SeRemoteShutdownPrivilege	2596	WMIC.exe
Token: SeUndockPrivilege	2596	WMIC.exe
Token: SeManageVolumePrivilege	2596	WMIC.exe
Token: 33	2596	WMIC.exe
Token: 34	2596	WMIC.exe
Token: 35	2596	WMIC.exe
Token: SeBackupPrivilege	2576	vssvc.exe
Token: SeRestorePrivilege	2576	vssvc.exe
Token: SeAuditPrivilege	2576	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2676	2216	demo_teslacrypt.exe	28
PID 2216 wrote to memory of 2676	2216	demo_teslacrypt.exe	28
PID 2216 wrote to memory of 2676	2216	demo_teslacrypt.exe	28
PID 2216 wrote to memory of 2676	2216	demo_teslacrypt.exe	28
PID 2216 wrote to memory of 2172	2216	demo_teslacrypt.exe	29
PID 2216 wrote to memory of 2172	2216	demo_teslacrypt.exe	29
PID 2216 wrote to memory of 2172	2216	demo_teslacrypt.exe	29
PID 2216 wrote to memory of 2172	2216	demo_teslacrypt.exe	29
PID 2676 wrote to memory of 2596	2676	hcfhrexsntpa.exe	33
PID 2676 wrote to memory of 2596	2676	hcfhrexsntpa.exe	33
PID 2676 wrote to memory of 2596	2676	hcfhrexsntpa.exe	33
PID 2676 wrote to memory of 2596	2676	hcfhrexsntpa.exe	33

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hcfhrexsntpa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	hcfhrexsntpa.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\demo_teslacrypt.exe
"C:\Users\Admin\AppData\Local\Temp\demo_teslacrypt.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\hcfhrexsntpa.exe
  C:\Windows\hcfhrexsntpa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2676
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\DEMO_T~1.EXE
  2⤵
  - Deletes itself
  PID:2172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+yrkky.html

Filesize
11KB

MD5
f1e85c5f434e51617b253eac8464038b

SHA1
6a0ddd470cb1d5b961983ffa3508bdff754e1b40

SHA256
85925a0081b5a9f82fbf39e28e18b0927646160d18712a24bf8b7628695234b9

SHA512
da679ddb4009b1c9b2de156baa63b4a796ce2a022e8b77c996d1b173e0356f63c20386020059fade3bb643291e8029f925bae6908e722e69efdd82b9778033c3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+yrkky.png

Filesize
62KB

MD5
96873dabc6f13826ba861d1598daa812

SHA1
419b9218434715fddc050bb7f930fc946e028cf6

SHA256
98c409031dce833a557317aaba2d31f45ff7656502e79ef7c5d56c6f6198f66d

SHA512
0f3bdcb62dac75e62a7b5fb0bb92853926976b14520e7e5fd997a5243638990dd62c53775bd205db58afbaf19398a5396dea4c073d10f465f2eb15bcacb0756e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+yrkky.txt

Filesize
1KB

MD5
623d44fabc781dcae5704d1302ca02a8

SHA1
f908d83fd80792850ffbc39b8096c95889e56b9c

SHA256
9157ed0e40a7c16b5224d56bd3a12cef375258dc31a8c52f86cef5440540ec33

SHA512
da22f0016386b73000a956788b2f412088eba23e9a3c2230dfd3589210ee910634c145360a5fafe3107ba0a48ada45699f3998de1cdd34e88005e497ab96145f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
877a65dde1d273aee342178032bd1cc3

SHA1
875d5c8832021e4d32a9a81632953f719d6dfe7d

SHA256
3e46872112e8581354b80eefebeb7de103c75b7a3ed1fc20344c445131c79455

SHA512
dfcf0dac3084012a7f38fd1a7b2b644c1b1f8df79494bd465855951262b35fd6a9c0b767f9aa7e6319210cdfaeb43ba65934f76f6db6d0093a05dc0845f019c9

Download Submit
C:\Windows\hcfhrexsntpa.exe

Filesize
360KB

MD5
9ce01dfbf25dfea778e57d8274675d6f

SHA1
1bd767beb5bc36b396ca6405748042640ad57526

SHA256
5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

SHA512
d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

Download Submit
C:\Windows\hcfhrexsntpa.exe

Filesize
360KB

MD5
9ce01dfbf25dfea778e57d8274675d6f

SHA1
1bd767beb5bc36b396ca6405748042640ad57526

SHA256
5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

SHA512
d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

Download Submit
C:\Windows\hcfhrexsntpa.exe

Filesize
360KB

MD5
9ce01dfbf25dfea778e57d8274675d6f

SHA1
1bd767beb5bc36b396ca6405748042640ad57526

SHA256
5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

SHA512
d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

Download Submit
memory/2216-15-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2216-0-0x0000000000340000-0x00000000003C5000-memory.dmp

Filesize
532KB

Download
memory/2216-1-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2216-17-0x0000000000340000-0x00000000003C5000-memory.dmp

Filesize
532KB

Download
memory/2676-193-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2676-11-0x0000000000320000-0x00000000003A5000-memory.dmp

Filesize
532KB

Download
memory/2676-100-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2676-18-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2676-196-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2676-208-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2676-612-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2676-737-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2676-745-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2676-19-0x0000000000320000-0x00000000003A5000-memory.dmp

Filesize
532KB

Download
memory/2676-1225-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download