teslacrypt | 5b3bb704b4a56c14d0b238053ce048a7b748ff2e0c083190d55b190b844bf341

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe
Size

424KB
MD5

8f97eb2df456d28ee41287a456e01bae
SHA1

4d6b5fe7a1dd84dfe294e14faac4fa88ecce7d56
SHA256

5b3bb704b4a56c14d0b238053ce048a7b748ff2e0c083190d55b190b844bf341
SHA512

5072d72e42fcfedd8a557efebe9e5fe7599a1e3bb438e76bb9f2d6cb51c3259c445651cc2dec208a9ed22202fe5b780e300fa1a002e55237ed05cfdf1bd573af
SSDEEP

12288:qqEXeMVG+C7QP2sFZ1u2iW4ZJSPhgYblCJxfS6:vEXeCG+uOLFDId2PhggOR1

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+jmbck.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/37B9F725C324EAA7 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/37B9F725C324EAA7 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/37B9F725C324EAA7 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/37B9F725C324EAA7 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/37B9F725C324EAA7 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/37B9F725C324EAA7 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/37B9F725C324EAA7 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/37B9F725C324EAA7

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/37B9F725C324EAA7

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/37B9F725C324EAA7

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/37B9F725C324EAA7

http://xlowfznrg4wf7dli.ONION/37B9F725C324EAA7

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (872) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.execqgqcpekupao.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cqgqcpekupao.exe

Drops startup file 6 IoCs

Processes:

cqgqcpekupao.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+jmbck.txt	cqgqcpekupao.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+jmbck.txt	cqgqcpekupao.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+jmbck.png	cqgqcpekupao.exe

Executes dropped EXE 1 IoCs

Processes:

cqgqcpekupao.exe

pid process

4668 cqgqcpekupao.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cqgqcpekupao.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpbqqrgmielc = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\cqgqcpekupao.exe\""	cqgqcpekupao.exe

Drops file in Program Files directory 64 IoCs

Processes:

cqgqcpekupao.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-200.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-100.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-400.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\MedTile.scale-100.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_TeethSmile.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-48.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\6445_48x48x32.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-400.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_RECoVERY_+jmbck.txt	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-400_contrast-black.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\EndOfLife\Assets\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-48.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlCone.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_contrast-white.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-100_contrast-black.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\avatar150x150.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-100_contrast-white.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-64.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-400_contrast-white.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\YellowAbstractNote.scale-200.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_RECoVERY_+jmbck.txt	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\_RECoVERY_+jmbck.txt	cqgqcpekupao.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\_RECoVERY_+jmbck.txt	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\Assets\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-96_altform-lightunplated.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+jmbck.txt	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-150.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\_RECoVERY_+jmbck.txt	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\_RECoVERY_+jmbck.txt	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\View3d\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-100.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square71x71Logo.scale-100.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_RECoVERY_+jmbck.html	cqgqcpekupao.exe
File opened for modification	C:\Program Files\VideoLAN\_RECoVERY_+jmbck.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-100_contrast-white.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-30.png	cqgqcpekupao.exe
File opened for modification	C:\Program Files\dotnet\shared\_RECoVERY_+jmbck.txt	cqgqcpekupao.exe

Drops file in Windows directory 2 IoCs

Processes:

8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\cqgqcpekupao.exe	8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe
File opened for modification	C:\Windows\cqgqcpekupao.exe	8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

cqgqcpekupao.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings cqgqcpekupao.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2184 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	cqgqcpekupao.exe

pid	process
2184	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cqgqcpekupao.exe

pid	process
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe
4668	cqgqcpekupao.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

412 msedge.exe
412 msedge.exe
412 msedge.exe
412 msedge.exe
412 msedge.exe
412 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.execqgqcpekupao.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4516	8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe
Token: SeDebugPrivilege	4668	cqgqcpekupao.exe
Token: SeIncreaseQuotaPrivilege	4756	WMIC.exe
Token: SeSecurityPrivilege	4756	WMIC.exe
Token: SeTakeOwnershipPrivilege	4756	WMIC.exe
Token: SeLoadDriverPrivilege	4756	WMIC.exe
Token: SeSystemProfilePrivilege	4756	WMIC.exe
Token: SeSystemtimePrivilege	4756	WMIC.exe
Token: SeProfSingleProcessPrivilege	4756	WMIC.exe
Token: SeIncBasePriorityPrivilege	4756	WMIC.exe
Token: SeCreatePagefilePrivilege	4756	WMIC.exe
Token: SeBackupPrivilege	4756	WMIC.exe
Token: SeRestorePrivilege	4756	WMIC.exe
Token: SeShutdownPrivilege	4756	WMIC.exe
Token: SeDebugPrivilege	4756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4756	WMIC.exe
Token: SeRemoteShutdownPrivilege	4756	WMIC.exe
Token: SeUndockPrivilege	4756	WMIC.exe
Token: SeManageVolumePrivilege	4756	WMIC.exe
Token: 33	4756	WMIC.exe
Token: 34	4756	WMIC.exe
Token: 35	4756	WMIC.exe
Token: 36	4756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4756	WMIC.exe
Token: SeSecurityPrivilege	4756	WMIC.exe
Token: SeTakeOwnershipPrivilege	4756	WMIC.exe
Token: SeLoadDriverPrivilege	4756	WMIC.exe
Token: SeSystemProfilePrivilege	4756	WMIC.exe
Token: SeSystemtimePrivilege	4756	WMIC.exe
Token: SeProfSingleProcessPrivilege	4756	WMIC.exe
Token: SeIncBasePriorityPrivilege	4756	WMIC.exe
Token: SeCreatePagefilePrivilege	4756	WMIC.exe
Token: SeBackupPrivilege	4756	WMIC.exe
Token: SeRestorePrivilege	4756	WMIC.exe
Token: SeShutdownPrivilege	4756	WMIC.exe
Token: SeDebugPrivilege	4756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4756	WMIC.exe
Token: SeRemoteShutdownPrivilege	4756	WMIC.exe
Token: SeUndockPrivilege	4756	WMIC.exe
Token: SeManageVolumePrivilege	4756	WMIC.exe
Token: 33	4756	WMIC.exe
Token: 34	4756	WMIC.exe
Token: 35	4756	WMIC.exe
Token: 36	4756	WMIC.exe
Token: SeBackupPrivilege	2204	vssvc.exe
Token: SeRestorePrivilege	2204	vssvc.exe
Token: SeAuditPrivilege	2204	vssvc.exe
Token: SeIncreaseQuotaPrivilege	392	WMIC.exe
Token: SeSecurityPrivilege	392	WMIC.exe
Token: SeTakeOwnershipPrivilege	392	WMIC.exe
Token: SeLoadDriverPrivilege	392	WMIC.exe
Token: SeSystemProfilePrivilege	392	WMIC.exe
Token: SeSystemtimePrivilege	392	WMIC.exe
Token: SeProfSingleProcessPrivilege	392	WMIC.exe
Token: SeIncBasePriorityPrivilege	392	WMIC.exe
Token: SeCreatePagefilePrivilege	392	WMIC.exe
Token: SeBackupPrivilege	392	WMIC.exe
Token: SeRestorePrivilege	392	WMIC.exe
Token: SeShutdownPrivilege	392	WMIC.exe
Token: SeDebugPrivilege	392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	392	WMIC.exe
Token: SeRemoteShutdownPrivilege	392	WMIC.exe
Token: SeUndockPrivilege	392	WMIC.exe
Token: SeManageVolumePrivilege	392	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.execqgqcpekupao.exemsedge.exe

description	pid	process	target process
PID 4516 wrote to memory of 4668	4516	8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe	cqgqcpekupao.exe
PID 4516 wrote to memory of 4668	4516	8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe	cqgqcpekupao.exe
PID 4516 wrote to memory of 4668	4516	8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe	cqgqcpekupao.exe
PID 4516 wrote to memory of 4832	4516	8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 4832	4516	8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 4832	4516	8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe	cmd.exe
PID 4668 wrote to memory of 4756	4668	cqgqcpekupao.exe	WMIC.exe
PID 4668 wrote to memory of 4756	4668	cqgqcpekupao.exe	WMIC.exe
PID 4668 wrote to memory of 2184	4668	cqgqcpekupao.exe	NOTEPAD.EXE
PID 4668 wrote to memory of 2184	4668	cqgqcpekupao.exe	NOTEPAD.EXE
PID 4668 wrote to memory of 2184	4668	cqgqcpekupao.exe	NOTEPAD.EXE
PID 4668 wrote to memory of 412	4668	cqgqcpekupao.exe	msedge.exe
PID 4668 wrote to memory of 412	4668	cqgqcpekupao.exe	msedge.exe
PID 412 wrote to memory of 2316	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2316	412	msedge.exe	msedge.exe
PID 4668 wrote to memory of 392	4668	cqgqcpekupao.exe	WMIC.exe
PID 4668 wrote to memory of 392	4668	cqgqcpekupao.exe	WMIC.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4900	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 636	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 636	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1508	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1508	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1508	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1508	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 1508	412	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

cqgqcpekupao.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cqgqcpekupao.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cqgqcpekupao.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8f97eb2df456d28ee41287a456e01bae_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\cqgqcpekupao.exe
  C:\Windows\cqgqcpekupao.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4668
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb78d746f8,0x7ffb78d74708,0x7ffb78d74718
      4⤵
      PID:2316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15974927744802393397,14083473234458989672,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      4⤵
      PID:4900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15974927744802393397,14083473234458989672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      PID:636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,15974927744802393397,14083473234458989672,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
      4⤵
      PID:1508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15974927744802393397,14083473234458989672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
      4⤵
      PID:552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15974927744802393397,14083473234458989672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      PID:3492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15974927744802393397,14083473234458989672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
      4⤵
      PID:4040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15974927744802393397,14083473234458989672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
      4⤵
      PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15974927744802393397,14083473234458989672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
      4⤵
      PID:4268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15974927744802393397,14083473234458989672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
      4⤵
      PID:1132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15974927744802393397,14083473234458989672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
      4⤵
      PID:3028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15974927744802393397,14083473234458989672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:3656
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CQGQCP~1.EXE
    3⤵
    PID:4940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\8F97EB~1.EXE
  2⤵
  PID:4832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+jmbck.html

Filesize
11KB

MD5
2632126abb0b8735453d04ffdd598876

SHA1
04bb6d39a8ad1f0c0263627a38077d8f56c75a7a

SHA256
b9ef7bf2ac9d2cbcfa11f716ab3f8aa7ec57f195a5159f21fa17e8132e57d64d

SHA512
c1088d7a9ff1ff8f7e27d641d418640777b8edb351e90453a07607c04ce01febed59b54dafe6f5e5a70437888c61840026d0816ce0c8df4a6621fa395d6d1db2

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+jmbck.png

Filesize
65KB

MD5
b9828e098ff183612f087811ee4c836c

SHA1
8347970b7eb1c1e56f505dfd3147db525a581f3c

SHA256
4190be383801f6b00a4516ab6951a085597fa13570e63a386c10f1322d03259e

SHA512
566d00ba3ea7e30d3b2d48eac8690d336b861d319c5310d797752aed9264f731a9c16cc088f29cd59de3de6c83e4c6fc624f7e8cd66cce06863a528f25426f34

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+jmbck.txt

Filesize
1KB

MD5
702daf3d81945b25445948075bf00825

SHA1
d287be8137366bf9e916c4de5e25e4805ba32ff6

SHA256
7052761a3bc773590e7f966ae9144c9ce32bca2bc940ce7931c50016e48a075a

SHA512
97c025a7eb84c9f4905d16e3585f0554d0b88d110acffc2faaa6c78f768c54e813ed600f2ecd1c5efa72df6ad15440021d120ac3ccf9ed8d90e41b061c3ae98e

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
bb9e9942d070cf52ec415db39ac9fe91

SHA1
28a56f10a85e8f41029ab1e5ecfe66e51d069cfd

SHA256
ecb5596d063ed25f72e99bf48d9c755c03649b361885fe5cf3ba95a19addcf86

SHA512
7e9200e6b0357d075d5ad8164500ab38fae4bda02d2a9a6213d7958557f93e17870ab86d13f741f9ddaebd6516a7b06d5c963fb33ab33c501175b23689b2bffe

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
6b888f2afa2cb9a32e1c38f8fc0bc662

SHA1
c67f4a955c3e7662b73286384c7a7a69030cbe91

SHA256
4f23150bd0c51847809185e1b1bf4fdf6199296d402fdd0af69c73bb92882d27

SHA512
ad115cfe3043fa30e06a27063a36885dd47b057533fe1652f6360c0bc157c13dbe031b3560e67803237da4a2845c3e7606946abbf0e43864203a3b1e079222e6

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
ae1edc45d05ef8dd804d7b05ca1ff611

SHA1
9fdbe81214c41340863ca4a3a4a0a302c39c98a6

SHA256
e0f6961d636c8f7c2ff7bc6def1580f63ccb9046201324a5ccb2f2932d373b7b

SHA512
349b9b56edcf945ad4a2e8d1bdb6fec598f9fb6e2e953674f4653da315facae7284e18cc06b673595aee57a44cf855f40da76d495918f8b978c7a88922b16cb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a6ec3108c1c1d2e35eb92d2404b606c8

SHA1
a19650323764cb8106b71cbc9479730b61520385

SHA256
e35fa55ca76b686b17017684caa3d4d9fcba2cd919287bf248c43c2e5455b310

SHA512
8b31fa6a00e8e0f7c23ae039c83a06332c49d3ee8012c453ea8ec7b4b2d796f697c9f7d1c6e901aa07d9d0f0ac81089c25a1531f852c494cf67d972aacee254d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14aef972c6bfa19136175e99841f5bcb

SHA1
eee5dc5b317d5ba54c67c052a32cf3dfd2362749

SHA256
710abfb9437a6ba659327bfb968014b2323c93373e9047fe0150a40f86a17d11

SHA512
76ba226a909b71d6f51b0323d9d22d48303c14964d231d65257d418bb09fe1c254ee3f6beabaa0f04ed42cc3ccbe5442e7122e28333df8452d3d7227eb976d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9eec3067656ab392a4d103ec3e8e6b95

SHA1
1f7d513ef745b451d0f7bc38508e4ce980f8ac2e

SHA256
5ba7cc076f1619053e3fa2f7b9318cf459ef2a93228dcb77cb33a49e2c0c2b12

SHA512
de2b3e7efb43894e48689fb91922afbcdf7964845c76b48ff667a3859e7db4bfb257a8892bf3cfcf9c26eeaf2051d6de4dc0d474d731b2593c8367889fdcdd90

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596440369039129.txt

Filesize
47KB

MD5
ce924093e225cc38f983165be40d6b4e

SHA1
74a340b770202f9c5a946b34ec6b4968054a6628

SHA256
fac791ed93aaf2345611c556722df3d69d4ad52e0918b406646a98837f681ab1

SHA512
9e464881dbf4b1af41b8ab87871fc71efeed64b1cd3a8864910f808157c1443ca8d3687fe30d705c12e9094ad7c3cebea71419a7101450c4f71ade707ca1debd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449026566195.txt

Filesize
75KB

MD5
86a0ce0e693c500574c1dff42969de5b

SHA1
921505c4dc602d3dcbcc5446a57583736abffdc3

SHA256
27aad67e41bad4e384eedab95823ffaf2fe765f923c2bb17d1cc12a392cdb8e7

SHA512
32584e948aae283d6c130a387f9df5a74a8af6e111de6e8cf04278d3f6c9156abd21da86668aa1600ea9fd87894897f739293a0f1eaf64f4b6c182e7ae8be88f

Download Submit
C:\Windows\cqgqcpekupao.exe

Filesize
424KB

MD5
8f97eb2df456d28ee41287a456e01bae

SHA1
4d6b5fe7a1dd84dfe294e14faac4fa88ecce7d56

SHA256
5b3bb704b4a56c14d0b238053ce048a7b748ff2e0c083190d55b190b844bf341

SHA512
5072d72e42fcfedd8a557efebe9e5fe7599a1e3bb438e76bb9f2d6cb51c3259c445651cc2dec208a9ed22202fe5b780e300fa1a002e55237ed05cfdf1bd573af

Download Submit
\??\pipe\LOCAL\crashpad_412_RKAKFNHCKZDRJHZL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4516-0-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4516-9-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4516-3-0x0000000000B40000-0x0000000000BC5000-memory.dmp

Filesize
532KB

Download
memory/4668-10351-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4668-7891-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4668-4656-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4668-1276-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4668-10398-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4668-13-0x0000000000960000-0x00000000009E5000-memory.dmp

Filesize
532KB

Download