teslacrypt | 05884e3e77892db6e9ae3af788003e5265aa2336cd655ac4c81b98e3242ff04c

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe
Size

428KB
MD5

77f9f38aff6772904e5cb6ff14a7abe5
SHA1

948101647975f44217414a8a8110b2a5d9e4cddf
SHA256

05884e3e77892db6e9ae3af788003e5265aa2336cd655ac4c81b98e3242ff04c
SHA512

6fdec7bcdeaa9fed3de2708265e0861622d003fd6d83ff1d5d8ad4ae1cbae7da6c9f2356ea74fd93df2736156703b6c883a10ffd39b79d27c87ef587dc53703b
SSDEEP

6144:YS61KBLwidWQW0StEYurSyTheRmfu3pUlzwgaa9rSoXbftChXW3AxfulDGgB:YSxvdk0DtrSmeRh3pUGlahbblCJxfS6

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+emsus.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/AD5F1223CAD73B48 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/AD5F1223CAD73B48 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/AD5F1223CAD73B48 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/AD5F1223CAD73B48 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/AD5F1223CAD73B48 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/AD5F1223CAD73B48 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/AD5F1223CAD73B48 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/AD5F1223CAD73B48

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/AD5F1223CAD73B48

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/AD5F1223CAD73B48

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/AD5F1223CAD73B48

http://xlowfznrg4wf7dli.ONION/AD5F1223CAD73B48

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (865) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exeghjhlysbaljl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ghjhlysbaljl.exe

Drops startup file 6 IoCs

Processes:

ghjhlysbaljl.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+emsus.png	ghjhlysbaljl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+emsus.png	ghjhlysbaljl.exe

Executes dropped EXE 1 IoCs

Processes:

ghjhlysbaljl.exe

pid process

1320 ghjhlysbaljl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ghjhlysbaljl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcefbiefknmp = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ghjhlysbaljl.exe\""	ghjhlysbaljl.exe

Drops file in Program Files directory 64 IoCs

Processes:

ghjhlysbaljl.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\_RECoVERY_+emsus.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-150_contrast-black.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-125.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\MilitaryRight.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\LargeTile.scale-100.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-200.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-125_contrast-black.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-400.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-72.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\_RECoVERY_+emsus.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\README.txt	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_contrast-black.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hr-HR\View3d\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\tilebg.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsSmallTile.scale-100.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jsaddins\onenote_strings.js	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\MarkAsReadToastQuickAction.scale-80.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-100.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\_RECoVERY_+emsus.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateHorizontally.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-16.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dtplugin\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-72_altform-lightunplated.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppList.scale-100.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\_RECoVERY_+emsus.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\7px.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\dotnet\swidtag\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-125.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\styles.css	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1850_32x32x32.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-200_contrast-white.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteLargeTile.scale-125.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\firstrun\_RECoVERY_+emsus.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\SmallTile.scale-100.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20_altform-unplated_contrast-white.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\_RECoVERY_+emsus.txt	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\_RECoVERY_+emsus.png	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\_RECoVERY_+emsus.html	ghjhlysbaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Logo.png	ghjhlysbaljl.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe

description	ioc	process
File created	C:\Windows\ghjhlysbaljl.exe	VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe
File opened for modification	C:\Windows\ghjhlysbaljl.exe	VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

ghjhlysbaljl.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings ghjhlysbaljl.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3376 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	ghjhlysbaljl.exe

pid	process
3376	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ghjhlysbaljl.exe

pid	process
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe
1320	ghjhlysbaljl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3524 msedge.exe
3524 msedge.exe
3524 msedge.exe
3524 msedge.exe
3524 msedge.exe
3524 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exeghjhlysbaljl.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2004	VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe
Token: SeDebugPrivilege	1320	ghjhlysbaljl.exe
Token: SeIncreaseQuotaPrivilege	4436	WMIC.exe
Token: SeSecurityPrivilege	4436	WMIC.exe
Token: SeTakeOwnershipPrivilege	4436	WMIC.exe
Token: SeLoadDriverPrivilege	4436	WMIC.exe
Token: SeSystemProfilePrivilege	4436	WMIC.exe
Token: SeSystemtimePrivilege	4436	WMIC.exe
Token: SeProfSingleProcessPrivilege	4436	WMIC.exe
Token: SeIncBasePriorityPrivilege	4436	WMIC.exe
Token: SeCreatePagefilePrivilege	4436	WMIC.exe
Token: SeBackupPrivilege	4436	WMIC.exe
Token: SeRestorePrivilege	4436	WMIC.exe
Token: SeShutdownPrivilege	4436	WMIC.exe
Token: SeDebugPrivilege	4436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4436	WMIC.exe
Token: SeRemoteShutdownPrivilege	4436	WMIC.exe
Token: SeUndockPrivilege	4436	WMIC.exe
Token: SeManageVolumePrivilege	4436	WMIC.exe
Token: 33	4436	WMIC.exe
Token: 34	4436	WMIC.exe
Token: 35	4436	WMIC.exe
Token: 36	4436	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4436	WMIC.exe
Token: SeSecurityPrivilege	4436	WMIC.exe
Token: SeTakeOwnershipPrivilege	4436	WMIC.exe
Token: SeLoadDriverPrivilege	4436	WMIC.exe
Token: SeSystemProfilePrivilege	4436	WMIC.exe
Token: SeSystemtimePrivilege	4436	WMIC.exe
Token: SeProfSingleProcessPrivilege	4436	WMIC.exe
Token: SeIncBasePriorityPrivilege	4436	WMIC.exe
Token: SeCreatePagefilePrivilege	4436	WMIC.exe
Token: SeBackupPrivilege	4436	WMIC.exe
Token: SeRestorePrivilege	4436	WMIC.exe
Token: SeShutdownPrivilege	4436	WMIC.exe
Token: SeDebugPrivilege	4436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4436	WMIC.exe
Token: SeRemoteShutdownPrivilege	4436	WMIC.exe
Token: SeUndockPrivilege	4436	WMIC.exe
Token: SeManageVolumePrivilege	4436	WMIC.exe
Token: 33	4436	WMIC.exe
Token: 34	4436	WMIC.exe
Token: 35	4436	WMIC.exe
Token: 36	4436	WMIC.exe
Token: SeBackupPrivilege	4904	vssvc.exe
Token: SeRestorePrivilege	4904	vssvc.exe
Token: SeAuditPrivilege	4904	vssvc.exe
Token: SeIncreaseQuotaPrivilege	452	WMIC.exe
Token: SeSecurityPrivilege	452	WMIC.exe
Token: SeTakeOwnershipPrivilege	452	WMIC.exe
Token: SeLoadDriverPrivilege	452	WMIC.exe
Token: SeSystemProfilePrivilege	452	WMIC.exe
Token: SeSystemtimePrivilege	452	WMIC.exe
Token: SeProfSingleProcessPrivilege	452	WMIC.exe
Token: SeIncBasePriorityPrivilege	452	WMIC.exe
Token: SeCreatePagefilePrivilege	452	WMIC.exe
Token: SeBackupPrivilege	452	WMIC.exe
Token: SeRestorePrivilege	452	WMIC.exe
Token: SeShutdownPrivilege	452	WMIC.exe
Token: SeDebugPrivilege	452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	452	WMIC.exe
Token: SeRemoteShutdownPrivilege	452	WMIC.exe
Token: SeUndockPrivilege	452	WMIC.exe
Token: SeManageVolumePrivilege	452	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exeghjhlysbaljl.exemsedge.exe

description	pid	process	target process
PID 2004 wrote to memory of 1320	2004	VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe	ghjhlysbaljl.exe
PID 2004 wrote to memory of 1320	2004	VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe	ghjhlysbaljl.exe
PID 2004 wrote to memory of 1320	2004	VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe	ghjhlysbaljl.exe
PID 2004 wrote to memory of 3196	2004	VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe	cmd.exe
PID 2004 wrote to memory of 3196	2004	VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe	cmd.exe
PID 2004 wrote to memory of 3196	2004	VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe	cmd.exe
PID 1320 wrote to memory of 4436	1320	ghjhlysbaljl.exe	WMIC.exe
PID 1320 wrote to memory of 4436	1320	ghjhlysbaljl.exe	WMIC.exe
PID 1320 wrote to memory of 3376	1320	ghjhlysbaljl.exe	NOTEPAD.EXE
PID 1320 wrote to memory of 3376	1320	ghjhlysbaljl.exe	NOTEPAD.EXE
PID 1320 wrote to memory of 3376	1320	ghjhlysbaljl.exe	NOTEPAD.EXE
PID 1320 wrote to memory of 3524	1320	ghjhlysbaljl.exe	msedge.exe
PID 1320 wrote to memory of 3524	1320	ghjhlysbaljl.exe	msedge.exe
PID 3524 wrote to memory of 4316	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 4316	3524	msedge.exe	msedge.exe
PID 1320 wrote to memory of 452	1320	ghjhlysbaljl.exe	WMIC.exe
PID 1320 wrote to memory of 452	1320	ghjhlysbaljl.exe	WMIC.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2292	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2924	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 2924	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 1792	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 1792	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 1792	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 1792	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 1792	3524	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ghjhlysbaljl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ghjhlysbaljl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ghjhlysbaljl.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_77f9f38aff6772904e5cb6ff14a7abe5.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\ghjhlysbaljl.exe
  C:\Windows\ghjhlysbaljl.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1320
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc367946f8,0x7ffc36794708,0x7ffc36794718
      4⤵
      PID:4316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14578087218644557918,15167447971337843058,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      4⤵
      PID:2292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14578087218644557918,15167447971337843058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
      4⤵
      PID:2924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,14578087218644557918,15167447971337843058,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
      4⤵
      PID:1792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14578087218644557918,15167447971337843058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:4452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14578087218644557918,15167447971337843058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:2080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14578087218644557918,15167447971337843058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:1584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14578087218644557918,15167447971337843058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:2952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14578087218644557918,15167447971337843058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
      4⤵
      PID:5088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14578087218644557918,15167447971337843058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
      4⤵
      PID:1204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14578087218644557918,15167447971337843058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
      4⤵
      PID:1644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14578087218644557918,15167447971337843058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
      4⤵
      PID:776
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GHJHLY~1.EXE
    3⤵
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:3196

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+emsus.html

Filesize
11KB

MD5
5a629b1d4e84fa1e5c3877a910d50159

SHA1
e731d8c5ea33bc2be7502af9cd77cf90f42c294d

SHA256
3f05961f4350922ed16287a36980fcb94b684980c4d549cc0a1f2221eead531f

SHA512
59c630589f90bb19c962416e5d68c3ae310a19327a41e1485574e9bab21deabdca01f43080973e313bc4c553e9625a38220d0fd6ea7155602437114c0b7bd3aa

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+emsus.png

Filesize
64KB

MD5
8f430cb6ea385ab22545a59ad2d28b3d

SHA1
db1013812a34e3920dcb5b267349660e32e77980

SHA256
87e96c205cb666324a47db382e1a06734c406bc2fec005f90ca59935c4bcedaf

SHA512
d4c46d43ffc83257d9edd28c83f1815b25856562acf79d4382d7f1f2d30bfa5eea609e749fd3a77e4f8bc2a9ac9e0843b723f59ab146ae1d610b8b198e78f90b

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+emsus.txt

Filesize
1KB

MD5
f60c0921bf2ce357206dfb0afd0a9c6c

SHA1
372859fb67df2faa1f84fff2ff4ae3d4448ce100

SHA256
04dbfde9eadb529e1943c10b74d9bbca17988575cdbd5e14dfbf910d2d7c4fe1

SHA512
0656d764f9e2bce53302b1798616bdecb57bfd6d4a7fe87e2f54be87bc6b4f7756f29e82ce92a276fc047cd18bd886c7b9675c607f9b36fe06430779abdc5261

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
61d9db875c69c0f0e4fbdf1f5d28cb38

SHA1
143b7ae576585f67e70d1ef536a73cb313ff5b37

SHA256
6e0b2a627d85948853584d226929f2be1cd36df4de10f89bd024f5fd856227af

SHA512
8cf53b8ea36b15fc9cc135fd959ee5b76cd55c9f90d9183526271cf21e96f85b498991938bb105f8f72b3e90e774d89d989a60036bbb539778f7f11a3773329d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
731cab742b90b870dd016b9c4e7643ca

SHA1
17ece80ae432b13a117294e5a139a011d6833841

SHA256
2aabda7c199c3fa2d47abe8502cca40adaf31108aafec5a76806e4ff364256a2

SHA512
e655e37191a8f2a3632260bdf6a87072d4168ef3179f5407a60f6b302a41bc07c5e608b1bed09e4e58bc4e92b0b44ece8694c7925f6525077a4d563b2b877b41

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
3ab37d35bf38845fa4de82155251f00c

SHA1
5e17eb5e1676f416051b9ac7a383ae506ed0ea40

SHA256
b625e7fa546425ae6251653fd23b58ee5d5ad660445856389029de10c7e7cf3b

SHA512
85efad38a1fb056994367f0bbfebeb03e41cef6f6525bcde25130ad334577bd0fc4fa00e1cdc96c225d08cc7f98f3faa0c3531012a9242f96bc03f73e8a84382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
166e233e6bea7f81e4639fe4cd1274ce

SHA1
570a6dfbc2102148197624a646cff04d53343ecc

SHA256
5e9034c873b5709579d007fb71b5920113977ca134bff791f3cb7b19471dde6b

SHA512
46347978e20d92463a233fdb213a470bc9799815b328b251e160ce183a6f00515fa65feba30fc774726b180e4c8386f7f582674363a13bce0ede990e02804d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b2d514577e6b6b0b8d53d0afb90e048a

SHA1
04f22f05642bdd4747f14a34bbad135cb119c598

SHA256
487727cfc4d1a74d484cc4bb55f8ef84fcb0bcc7b7f8d0aabf7bc66a6e81781a

SHA512
01c5c3e3583273c4eba14cd96f51ebc9a18154b43f95e624a4e564b622ecf4886417300f9f1e493406833bbdc14c381b6998adc75038d3c1cef900cb3795b167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fc36738345c4ae11760c83ebe7ec1414

SHA1
36358c6edbe944fb4d1b75827a1177cb83bbc19c

SHA256
ad4655473ecc8130f00f4a1ed71fe62d31bb5460117e3b728ea2298fba795cd3

SHA512
893c9443420e02054830153492751769b68914d155b10fb0123cb7741fab2dfef16bb7df40013ec3bf2a312d9b8f7e85ba5f0808136ae42daac2d2ad4296393b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586104620610647.txt

Filesize
75KB

MD5
2a82f0339c4ab9f15b74c835ab6402fa

SHA1
6acb059d8bfb916458db704d65f646a5c4c3a1d0

SHA256
286421e060d91d49a57f968f3b551547b3e5437f57a9b018f780636f66376e35

SHA512
67a1ff7244ff8b9a7f04f5f4af4daa1288943ad4bd02d4012b5ad3398afed617ea5b008768519bd31087de0d3284b2a879d78f3a00802694d1949485596ebf39

Download Submit
C:\Windows\ghjhlysbaljl.exe

Filesize
428KB

MD5
77f9f38aff6772904e5cb6ff14a7abe5

SHA1
948101647975f44217414a8a8110b2a5d9e4cddf

SHA256
05884e3e77892db6e9ae3af788003e5265aa2336cd655ac4c81b98e3242ff04c

SHA512
6fdec7bcdeaa9fed3de2708265e0861622d003fd6d83ff1d5d8ad4ae1cbae7da6c9f2356ea74fd93df2736156703b6c883a10ffd39b79d27c87ef587dc53703b

Download Submit
\??\pipe\LOCAL\crashpad_3524_SDYAQQUXEIFIFLZV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1320-4242-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1320-7294-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1320-10329-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1320-10379-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1320-4888-0x0000000002170000-0x00000000021F5000-memory.dmp

Filesize
532KB

Download
memory/1320-11-0x0000000002170000-0x00000000021F5000-memory.dmp

Filesize
532KB

Download
memory/1320-1037-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1320-10444-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1320-10460-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2004-3-0x0000000002270000-0x00000000022F5000-memory.dmp

Filesize
532KB

Download
memory/2004-0-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2004-9-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2004-10-0x0000000002270000-0x00000000022F5000-memory.dmp

Filesize
532KB

Download