teslacrypt | 5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

Resubmissions

04-04-2024 18:10

240404-wscc9afa67 10

04-04-2024 03:22

240404-dw4mssdg95 10

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

220518-1mgg8seec9.exe
Size

360KB
MD5

9ce01dfbf25dfea778e57d8274675d6f
SHA1

1bd767beb5bc36b396ca6405748042640ad57526
SHA256

5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
SHA512

d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
SSDEEP

6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\_RECOVERY_+uwovi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C888D6C9E3F4064 2. http://tes543berda73i48fsdfsd.keratadze.at/C888D6C9E3F4064 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C888D6C9E3F4064 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/C888D6C9E3F4064 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C888D6C9E3F4064 http://tes543berda73i48fsdfsd.keratadze.at/C888D6C9E3F4064 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C888D6C9E3F4064 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/C888D6C9E3F4064

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C888D6C9E3F4064

http://tes543berda73i48fsdfsd.keratadze.at/C888D6C9E3F4064

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C888D6C9E3F4064

http://xlowfznrg4wf7dli.ONION/C888D6C9E3F4064

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (880) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

220518-1mgg8seec9.exewflamqsdjhfh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	220518-1mgg8seec9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wflamqsdjhfh.exe

Drops startup file 6 IoCs

Processes:

wflamqsdjhfh.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+uwovi.html	wflamqsdjhfh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+uwovi.html	wflamqsdjhfh.exe

Executes dropped EXE 1 IoCs

Processes:

wflamqsdjhfh.exe

pid process

1328 wflamqsdjhfh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wflamqsdjhfh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\traovkamvadq = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\wflamqsdjhfh.exe\""	wflamqsdjhfh.exe

Drops file in Program Files directory 64 IoCs

Processes:

wflamqsdjhfh.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-400.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-400.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-125.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-150.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_home.targetsize-48.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-32_altform-unplated.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\id-ID\View3d\_RECOVERY_+uwovi.html	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-200.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-200.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-100_contrast-white.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32_altform-unplated.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileSmallSquare.scale-100.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sv-SE\View3d\_RECOVERY_+uwovi.html	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-48.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationSensorCalibrationFigure.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\_RECOVERY_+uwovi.html	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-125.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp4.scale-200.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-white_scale-100.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_RECOVERY_+uwovi.html	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Nose.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-125.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WideTile.scale-100.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-150.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-200_contrast-black.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_RECOVERY_+uwovi.html	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WideTile.scale-125_contrast-white.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-20.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-100.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-32_altform-unplated.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\_RECOVERY_+uwovi.html	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-72.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\_RECOVERY_+uwovi.txt	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\_RECOVERY_+uwovi.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated.png	wflamqsdjhfh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\_RECOVERY_+uwovi.html	wflamqsdjhfh.exe

Drops file in Windows directory 2 IoCs

Processes:

220518-1mgg8seec9.exe

description	ioc	process
File created	C:\Windows\wflamqsdjhfh.exe	220518-1mgg8seec9.exe
File opened for modification	C:\Windows\wflamqsdjhfh.exe	220518-1mgg8seec9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

wflamqsdjhfh.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings wflamqsdjhfh.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4088 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	wflamqsdjhfh.exe

pid	process
4088	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wflamqsdjhfh.exe

pid	process
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe
1328	wflamqsdjhfh.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2572 msedge.exe
2572 msedge.exe
2572 msedge.exe
2572 msedge.exe
2572 msedge.exe
2572 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

220518-1mgg8seec9.exewflamqsdjhfh.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2312	220518-1mgg8seec9.exe
Token: SeDebugPrivilege	1328	wflamqsdjhfh.exe
Token: SeIncreaseQuotaPrivilege	2080	WMIC.exe
Token: SeSecurityPrivilege	2080	WMIC.exe
Token: SeTakeOwnershipPrivilege	2080	WMIC.exe
Token: SeLoadDriverPrivilege	2080	WMIC.exe
Token: SeSystemProfilePrivilege	2080	WMIC.exe
Token: SeSystemtimePrivilege	2080	WMIC.exe
Token: SeProfSingleProcessPrivilege	2080	WMIC.exe
Token: SeIncBasePriorityPrivilege	2080	WMIC.exe
Token: SeCreatePagefilePrivilege	2080	WMIC.exe
Token: SeBackupPrivilege	2080	WMIC.exe
Token: SeRestorePrivilege	2080	WMIC.exe
Token: SeShutdownPrivilege	2080	WMIC.exe
Token: SeDebugPrivilege	2080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2080	WMIC.exe
Token: SeRemoteShutdownPrivilege	2080	WMIC.exe
Token: SeUndockPrivilege	2080	WMIC.exe
Token: SeManageVolumePrivilege	2080	WMIC.exe
Token: 33	2080	WMIC.exe
Token: 34	2080	WMIC.exe
Token: 35	2080	WMIC.exe
Token: 36	2080	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2080	WMIC.exe
Token: SeSecurityPrivilege	2080	WMIC.exe
Token: SeTakeOwnershipPrivilege	2080	WMIC.exe
Token: SeLoadDriverPrivilege	2080	WMIC.exe
Token: SeSystemProfilePrivilege	2080	WMIC.exe
Token: SeSystemtimePrivilege	2080	WMIC.exe
Token: SeProfSingleProcessPrivilege	2080	WMIC.exe
Token: SeIncBasePriorityPrivilege	2080	WMIC.exe
Token: SeCreatePagefilePrivilege	2080	WMIC.exe
Token: SeBackupPrivilege	2080	WMIC.exe
Token: SeRestorePrivilege	2080	WMIC.exe
Token: SeShutdownPrivilege	2080	WMIC.exe
Token: SeDebugPrivilege	2080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2080	WMIC.exe
Token: SeRemoteShutdownPrivilege	2080	WMIC.exe
Token: SeUndockPrivilege	2080	WMIC.exe
Token: SeManageVolumePrivilege	2080	WMIC.exe
Token: 33	2080	WMIC.exe
Token: 34	2080	WMIC.exe
Token: 35	2080	WMIC.exe
Token: 36	2080	WMIC.exe
Token: SeBackupPrivilege	1736	vssvc.exe
Token: SeRestorePrivilege	1736	vssvc.exe
Token: SeAuditPrivilege	1736	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4680	WMIC.exe
Token: SeSecurityPrivilege	4680	WMIC.exe
Token: SeTakeOwnershipPrivilege	4680	WMIC.exe
Token: SeLoadDriverPrivilege	4680	WMIC.exe
Token: SeSystemProfilePrivilege	4680	WMIC.exe
Token: SeSystemtimePrivilege	4680	WMIC.exe
Token: SeProfSingleProcessPrivilege	4680	WMIC.exe
Token: SeIncBasePriorityPrivilege	4680	WMIC.exe
Token: SeCreatePagefilePrivilege	4680	WMIC.exe
Token: SeBackupPrivilege	4680	WMIC.exe
Token: SeRestorePrivilege	4680	WMIC.exe
Token: SeShutdownPrivilege	4680	WMIC.exe
Token: SeDebugPrivilege	4680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4680	WMIC.exe
Token: SeRemoteShutdownPrivilege	4680	WMIC.exe
Token: SeUndockPrivilege	4680	WMIC.exe
Token: SeManageVolumePrivilege	4680	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

220518-1mgg8seec9.exewflamqsdjhfh.exemsedge.exe

description	pid	process	target process
PID 2312 wrote to memory of 1328	2312	220518-1mgg8seec9.exe	wflamqsdjhfh.exe
PID 2312 wrote to memory of 1328	2312	220518-1mgg8seec9.exe	wflamqsdjhfh.exe
PID 2312 wrote to memory of 1328	2312	220518-1mgg8seec9.exe	wflamqsdjhfh.exe
PID 2312 wrote to memory of 180	2312	220518-1mgg8seec9.exe	cmd.exe
PID 2312 wrote to memory of 180	2312	220518-1mgg8seec9.exe	cmd.exe
PID 2312 wrote to memory of 180	2312	220518-1mgg8seec9.exe	cmd.exe
PID 1328 wrote to memory of 2080	1328	wflamqsdjhfh.exe	WMIC.exe
PID 1328 wrote to memory of 2080	1328	wflamqsdjhfh.exe	WMIC.exe
PID 1328 wrote to memory of 4088	1328	wflamqsdjhfh.exe	NOTEPAD.EXE
PID 1328 wrote to memory of 4088	1328	wflamqsdjhfh.exe	NOTEPAD.EXE
PID 1328 wrote to memory of 4088	1328	wflamqsdjhfh.exe	NOTEPAD.EXE
PID 1328 wrote to memory of 2572	1328	wflamqsdjhfh.exe	msedge.exe
PID 1328 wrote to memory of 2572	1328	wflamqsdjhfh.exe	msedge.exe
PID 2572 wrote to memory of 3552	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 3552	2572	msedge.exe	msedge.exe
PID 1328 wrote to memory of 4680	1328	wflamqsdjhfh.exe	WMIC.exe
PID 1328 wrote to memory of 4680	1328	wflamqsdjhfh.exe	WMIC.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4376	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4104	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4104	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 2748	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 2748	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 2748	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 2748	2572	msedge.exe	msedge.exe
PID 2572 wrote to memory of 2748	2572	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wflamqsdjhfh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wflamqsdjhfh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wflamqsdjhfh.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\220518-1mgg8seec9.exe
"C:\Users\Admin\AppData\Local\Temp\220518-1mgg8seec9.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\wflamqsdjhfh.exe
  C:\Windows\wflamqsdjhfh.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1328
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3f6c46f8,0x7ffa3f6c4708,0x7ffa3f6c4718
      4⤵
      PID:3552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,6821858943430214598,13674089988006373987,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:4376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,6821858943430214598,13674089988006373987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      PID:4104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,6821858943430214598,13674089988006373987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
      4⤵
      PID:2748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6821858943430214598,13674089988006373987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:1036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6821858943430214598,13674089988006373987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:2676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,6821858943430214598,13674089988006373987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,6821858943430214598,13674089988006373987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:3612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6821858943430214598,13674089988006373987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
      4⤵
      PID:3868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6821858943430214598,13674089988006373987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
      4⤵
      PID:3048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6821858943430214598,13674089988006373987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
      4⤵
      PID:436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6821858943430214598,13674089988006373987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
      4⤵
      PID:624
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\WFLAMQ~1.EXE
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\220518~1.EXE
  2⤵
  PID:180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\_RECOVERY_+uwovi.html

Filesize
11KB

MD5
28fb8104500e57b010acd445618f2a95

SHA1
2184b07fb659c4d8155b7f1bd21ea1efa6224d06

SHA256
c57d6e940aab7c0ed1a3e7f4634d11235a5cb4f773b5d9f8e233c0d74a44caff

SHA512
f58c87e4ec30072fb1afcd937c0de6e89232a83603e0f1252c702990bdb46b8af83cd0c4013a5563cfffb099cde368fce3fd27e9946376da1d06b288a2df47a1

Download Submit
C:\PerfLogs\_RECOVERY_+uwovi.png

Filesize
62KB

MD5
bfa7759248b9ab74c583da1946b28e20

SHA1
c4d0f0f5269164f94126e4bea1e800928fc1cd55

SHA256
48a9aab9e66998771a04f30cedec6363c2435981f39e75c6d786db49fc6092f5

SHA512
be7e0b0419d995b2c9a326b122483f3636eabb297249993b30a43d9b51e8ce51ce7baffc6582054b815c95255f3cfec2f1c0a0d087725ca3a1b01bb844046106

Download Submit
C:\PerfLogs\_RECOVERY_+uwovi.txt

Filesize
1KB

MD5
85e3407e88bd1fbd4ffe140532446076

SHA1
37174b67fa6a3fd584b02192022cf021d5e579b3

SHA256
07db4c980f26a216ca7a0a18d432ca56647cd474dc6baae40d098d124bb73bf6

SHA512
ca1b6249bcc4bd994756c5ec31b7f657b9d47e2104b725b43b6d15afb4db26c3cc3ae45753fd9a1e9e9d37ad86aa1277ed9f6ae3e2b82571723c4bdc17ee5df9

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
e7241b3247ca1af94a7800b0d769a3e8

SHA1
b5ac91ff917428912d1d15e0f0fb2c1e011706b4

SHA256
fb05f003f408ba91dd59e610ff979c0e849ea01521284133b2388e351eda991d

SHA512
4256fab81a9f3edb63ea784520e1ce8c9ff5ed8244b5b8ca25420c33a05b3e64eb3c05b7c2dc8bbf6a0157dd87721a9480b952e9a8c92d45f4e80190a628e7a6

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
99fb5fd8b89352dcd702cb8f47c0a5a3

SHA1
b92ae094ed4ffe660f034c447f3aa6957b8cc51e

SHA256
a8a073d7911f5ac4ca328797087e2c86e0e1ad8945c389126c3daeccce5fce06

SHA512
f7aa963f7dda4167f26b9ef26c7c2886962807d06651734258c9d91992c791f5e6a06afc767847679b292984b0c21de8e9726ef3f981cae0b295029cc416f62e

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
873b598ed32dea325f810646053bf069

SHA1
df980f05512bd16035589fcb829d0ddb9e919c72

SHA256
9f137a9a077daf3906f9053f751255b45d2afc94547186c6c8d0bc0eca4985d9

SHA512
81e03785298193943ceb6a4c79b623113f9dc8431e140c9d2039577a83db70478c961a8cfdb4d12b5c43823a94236effff712466de18f9a01cfba56a7fa17f1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef217c896d8d9325e66fa1f5e2d01b56

SHA1
ba038ea7fc383908b13897709f994c047aca3d60

SHA256
823448418a42889ec60eace84e05f07dfcd71dad879d9e9cac354c9363161592

SHA512
0051c35d81848be1d31f8f3bccf0196bbb6e6163733547a131503175b7bdb5d4f7d575905718bda4a2c748176110b857ae187a9c51d466e7933e0a28d5f9e916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c3120159-350d-42be-ba60-8cc4e2702b22.tmp

Filesize
6KB

MD5
9bdc9f494ac7c5e208034dff52b3441a

SHA1
ecbbeadf9eaa2a1d4076a4a6c09c3911b1f59a82

SHA256
05c129817e543cc268efef31f8b26a4baccc596d985765d5d5dd179405fc6860

SHA512
13215f67813b18da10aea6d4f878b67a5f4dbc6e17bc42749b63b9561244214a897b6bc113d8e183a6c458c0b7c9cbb0c88b37b9107952c4076cf65cd59d6d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
74170df6072be4771f5859e79438683e

SHA1
43063c51ac8b309973b6fdcefd561fac7d583fa1

SHA256
38649d71dcb0abee1c50e1729ddde17c67f3368eab18724364877f81f864bf85

SHA512
e017135fec82961b99425d0120a8846a6e89c5934e21f0a54ef9ac9cfd2b49e06bebfc81ac4cb1eaf2912badcd611b058bf8a6149c1a23b08c141ace43f356d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b865753f-56ab-4e63-9795-4896568f5e65}\0.0.filtertrie.intermediate.txt

Filesize
28KB

MD5
621ea40a1b2c8faf50bdadd6f39e46f4

SHA1
3217ea6c7911af57bf2249ba065164f74543ddf0

SHA256
b85aae3a3d6b97adb3025ef4da4249a3809a9cfdd955a167050fa9940d4808cc

SHA512
66bd01eb22f95f7fdec3103b2fca2538e7b9931105a3974802412f331532e88397afe448991d74168f06dc6655ff29eb5ec41144a8dd0dc8d07d4be2aa11332a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534316792546747.txt

Filesize
74KB

MD5
bb1670a1703d775d65fbd00534d07b27

SHA1
6e9691663b91f59b5d066df2bc7f9e0e1e66d3dd

SHA256
d73422fa81c59901e6f57342955d05672697035e6908caeb3d2b3b4fc3bb9c28

SHA512
30b2cb0ea5487d8d7d241aced936fc689587794a5c160ee3a56f3d74fdd0638579a44c8d4c0427e921bf4a8379eb3b5400997b78c5f44d5f5d33ac44249e000c

Download Submit
C:\Windows\wflamqsdjhfh.exe

Filesize
360KB

MD5
9ce01dfbf25dfea778e57d8274675d6f

SHA1
1bd767beb5bc36b396ca6405748042640ad57526

SHA256
5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

SHA512
d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

Download Submit
\??\pipe\LOCAL\crashpad_2572_OAXKPAUFNMEHANBK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1328-3767-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1328-1625-0x0000000002130000-0x00000000021B5000-memory.dmp

Filesize
532KB

Download
memory/1328-6137-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1328-7586-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1328-10-0x0000000002130000-0x00000000021B5000-memory.dmp

Filesize
532KB

Download
memory/1328-2546-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1328-9021-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1328-10345-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1328-10356-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1328-4466-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1328-1324-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1328-603-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1328-10424-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1328-10423-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2312-13-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2312-14-0x00000000009A0000-0x0000000000A25000-memory.dmp

Filesize
532KB

Download
memory/2312-0-0x00000000009A0000-0x0000000000A25000-memory.dmp

Filesize
532KB

Download
memory/2312-1-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download