teslacrypt | 5061395e96ddf44be20b37f12ab25da2ee84f9c8ec2dd0b5db4f11cfdb14b2a0

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe
Size

396KB
MD5

15667babdcdd88ee08174a39c86b00ad
SHA1

19ed09bbe8711e7e0b9a6b7664538559a86d312d
SHA256

5061395e96ddf44be20b37f12ab25da2ee84f9c8ec2dd0b5db4f11cfdb14b2a0
SHA512

e9688e3c981eb1ff0f822dfc2c1a75c570d518b28c8b324b54f4e4fe626cd78ab39171a9f0a61f54eb1e602d941f7faa456aec169bd2379854e7fa411a6fec4a
SSDEEP

12288:LVaauWatLv/kjWaesK3YSYJmlzFZ3IHmMr:L03DkjtLS5hVq

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+bwbvi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/7523C779C7E9878 2. http://kkd47eh4hdjshb5t.angortra.at/7523C779C7E9878 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/7523C779C7E9878 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/7523C779C7E9878 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/7523C779C7E9878 http://kkd47eh4hdjshb5t.angortra.at/7523C779C7E9878 http://ytrest84y5i456hghadefdsd.pontogrot.com/7523C779C7E9878 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/7523C779C7E9878

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/7523C779C7E9878

http://kkd47eh4hdjshb5t.angortra.at/7523C779C7E9878

http://ytrest84y5i456hghadefdsd.pontogrot.com/7523C779C7E9878

http://xlowfznrg4wf7dli.ONION/7523C779C7E9878

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (874) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	qudcngsbnduu.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bwbvi.png	qudcngsbnduu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bwbvi.html	qudcngsbnduu.exe

Executes dropped EXE 2 IoCs

pid	Process
2564	qudcngsbnduu.exe
4044	qudcngsbnduu.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mofrdsmgoupx = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\qudcngsbnduu.exe\""	qudcngsbnduu.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5056 set thread context of 1200	5056	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	90
PID 2564 set thread context of 4044	2564	qudcngsbnduu.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\Recovery+bwbvi.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\Recovery+bwbvi.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\dropdownarrow_16x16x32.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-black.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\AppIcon.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-unplated.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xeccf.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_altform-unplated_contrast-black.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\Recovery+bwbvi.html	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Recovery+bwbvi.html	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-100.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\View3d\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+bwbvi.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\3039_40x40x32.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch.scale-100.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-250.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+bwbvi.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\Recovery+bwbvi.html	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\WinMetadata\Recovery+bwbvi.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_altform-unplated_contrast-white.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-48_altform-unplated.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Recovery+bwbvi.html	qudcngsbnduu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\de.pak	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker32.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_altform-unplated_contrast-white.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-400.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\Recovery+bwbvi.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+bwbvi.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200_contrast-white.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-400.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Recovery+bwbvi.html	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-200.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-150.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Recovery+bwbvi.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\Recovery+bwbvi.html	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-100_contrast-white.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-20.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-200.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-80.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\Recovery+bwbvi.html	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-ES\View3d\Recovery+bwbvi.txt	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-lightunplated.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreSmallTile.scale-100.png	qudcngsbnduu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\Recovery+bwbvi.html	qudcngsbnduu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fil-PH\Recovery+bwbvi.html	qudcngsbnduu.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\qudcngsbnduu.exe	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe
File opened for modification	C:\Windows\qudcngsbnduu.exe	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qudcngsbnduu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qudcngsbnduu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	qudcngsbnduu.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4052	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe
4044	qudcngsbnduu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe
Token: SeDebugPrivilege	4044	qudcngsbnduu.exe
Token: SeIncreaseQuotaPrivilege	2184	WMIC.exe
Token: SeSecurityPrivilege	2184	WMIC.exe
Token: SeTakeOwnershipPrivilege	2184	WMIC.exe
Token: SeLoadDriverPrivilege	2184	WMIC.exe
Token: SeSystemProfilePrivilege	2184	WMIC.exe
Token: SeSystemtimePrivilege	2184	WMIC.exe
Token: SeProfSingleProcessPrivilege	2184	WMIC.exe
Token: SeIncBasePriorityPrivilege	2184	WMIC.exe
Token: SeCreatePagefilePrivilege	2184	WMIC.exe
Token: SeBackupPrivilege	2184	WMIC.exe
Token: SeRestorePrivilege	2184	WMIC.exe
Token: SeShutdownPrivilege	2184	WMIC.exe
Token: SeDebugPrivilege	2184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2184	WMIC.exe
Token: SeRemoteShutdownPrivilege	2184	WMIC.exe
Token: SeUndockPrivilege	2184	WMIC.exe
Token: SeManageVolumePrivilege	2184	WMIC.exe
Token: 33	2184	WMIC.exe
Token: 34	2184	WMIC.exe
Token: 35	2184	WMIC.exe
Token: 36	2184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe
Token: 35	4848	WMIC.exe
Token: 36	4848	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 1200	5056	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	90
PID 5056 wrote to memory of 1200	5056	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	90
PID 5056 wrote to memory of 1200	5056	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	90
PID 5056 wrote to memory of 1200	5056	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	90
PID 5056 wrote to memory of 1200	5056	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	90
PID 5056 wrote to memory of 1200	5056	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	90
PID 5056 wrote to memory of 1200	5056	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	90
PID 5056 wrote to memory of 1200	5056	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	90
PID 5056 wrote to memory of 1200	5056	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	90
PID 5056 wrote to memory of 1200	5056	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	90
PID 1200 wrote to memory of 2564	1200	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	92
PID 1200 wrote to memory of 2564	1200	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	92
PID 1200 wrote to memory of 2564	1200	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	92
PID 1200 wrote to memory of 4832	1200	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	93
PID 1200 wrote to memory of 4832	1200	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	93
PID 1200 wrote to memory of 4832	1200	15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe	93
PID 2564 wrote to memory of 4044	2564	qudcngsbnduu.exe	95
PID 2564 wrote to memory of 4044	2564	qudcngsbnduu.exe	95
PID 2564 wrote to memory of 4044	2564	qudcngsbnduu.exe	95
PID 2564 wrote to memory of 4044	2564	qudcngsbnduu.exe	95
PID 2564 wrote to memory of 4044	2564	qudcngsbnduu.exe	95
PID 2564 wrote to memory of 4044	2564	qudcngsbnduu.exe	95
PID 2564 wrote to memory of 4044	2564	qudcngsbnduu.exe	95
PID 2564 wrote to memory of 4044	2564	qudcngsbnduu.exe	95
PID 2564 wrote to memory of 4044	2564	qudcngsbnduu.exe	95
PID 2564 wrote to memory of 4044	2564	qudcngsbnduu.exe	95
PID 4044 wrote to memory of 2184	4044	qudcngsbnduu.exe	96
PID 4044 wrote to memory of 2184	4044	qudcngsbnduu.exe	96
PID 4044 wrote to memory of 4052	4044	qudcngsbnduu.exe	99
PID 4044 wrote to memory of 4052	4044	qudcngsbnduu.exe	99
PID 4044 wrote to memory of 4052	4044	qudcngsbnduu.exe	99
PID 4044 wrote to memory of 2080	4044	qudcngsbnduu.exe	100
PID 4044 wrote to memory of 2080	4044	qudcngsbnduu.exe	100
PID 2080 wrote to memory of 4748	2080	msedge.exe	101
PID 2080 wrote to memory of 4748	2080	msedge.exe	101
PID 4044 wrote to memory of 4848	4044	qudcngsbnduu.exe	102
PID 4044 wrote to memory of 4848	4044	qudcngsbnduu.exe	102
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104
PID 2080 wrote to memory of 4592	2080	msedge.exe	104

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	qudcngsbnduu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	qudcngsbnduu.exe

C:\Users\Admin\AppData\Local\Temp\15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\15667babdcdd88ee08174a39c86b00ad_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\qudcngsbnduu.exe
    C:\Windows\qudcngsbnduu.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\qudcngsbnduu.exe
      C:\Windows\qudcngsbnduu.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4044
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:4052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d3af46f8,0x7ff9d3af4708,0x7ff9d3af4718
        6⤵
        
        PID:4748
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2296,12753956523616043448,18317744892034675012,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2308 /prefetch:2
        6⤵
        
        PID:4592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2296,12753956523616043448,18317744892034675012,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
        6⤵
        
        PID:1404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2296,12753956523616043448,18317744892034675012,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
        6⤵
        
        PID:3432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,12753956523616043448,18317744892034675012,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        6⤵
        
        PID:3924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,12753956523616043448,18317744892034675012,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        6⤵
        
        PID:4112
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2296,12753956523616043448,18317744892034675012,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
        6⤵
        
        PID:2260
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2296,12753956523616043448,18317744892034675012,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
        6⤵
        
        PID:2548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,12753956523616043448,18317744892034675012,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
        6⤵
        
        PID:776
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,12753956523616043448,18317744892034675012,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
        6⤵
        
        PID:2988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,12753956523616043448,18317744892034675012,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        6⤵
        
        PID:3288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,12753956523616043448,18317744892034675012,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        6⤵
        
        PID:512
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QUDCNG~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\15667B~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+bwbvi.html

Filesize
9KB

MD5
0dd64e2570e79d7a8711c8db651ec062

SHA1
62324f3e1cef9cf07f04fee419e69fc0e60231c4

SHA256
ca3c902f733a4c31f4b2d6463390e5c0a70feb8f2e0b9fcdafdfa73cae150f2a

SHA512
ad5de524daff9e5efd91a178109c177371f7803d2b25f791b33020713227160b850fc68111a90acca89503534c95e8e78edd598e56b55d50bb0577f7513ef200

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+bwbvi.png

Filesize
62KB

MD5
57fbae7c69b751ebb2e4b4a8ccf63ede

SHA1
c33b46b08b71babfb2f64f66971985291a1bc082

SHA256
2396a2816b26da8b8e0f44b60b9bda93ea4aef6a438eba7c3d8e13c74dcaec88

SHA512
a0d6dc8fe8e06f77e831837cffdf4c702ce03dad03fa39dda3e1251c9027e42e6dde13d5316aa320add3fde519b50356c6b7f4efd58a342c198e860823802437

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+bwbvi.txt

Filesize
1KB

MD5
23d01d204adbba6813df5a0f1f48f1f0

SHA1
ecf787bc97e30c925b03bec47314223c58648a42

SHA256
a73c0b7a74128cdd8215185121d93da6cba056765e933ddbc029189398d1d3e6

SHA512
740da4a4cb0250e84ed874b797bd84d19a9a2ff3d691a0242e02dc93172f048756680746f5a027c0d2e6fec637e8c291580d7b33b0f6d90dc372c3edc9f359a5

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
18cb39fcd9741941c62eaa4397d19c06

SHA1
0e84ee058a4d8e02a28663873842756803ffcbc9

SHA256
9545bd27cfcd8b5070af6951dcda170c520f8e10a2ffa65e5f8b9bb92c4bde0d

SHA512
1bff43f29dcf000193a8ded093f501437a3477b1e0682a208075d9d8b8100c901adb1dde6c3f5fbe2b037a383a1a8bd819648b48b0b2bea3bd2ec0b83bf596ca

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
31e1504eb925e96cfeba241997b4a0d0

SHA1
ccec4604effd71c847755fa4e8590b33f0211154

SHA256
2ae876f427fcce6e668d2d5b455f9878dcc4ce39a98b245b5e023df5261430e5

SHA512
3a25c463d70c0be294d7336272ece0c13de979b9fc5a285bd5f34ef1d38e6fa5c2d7649db30a9087f3674d960638772cfcb88daffe2925af14db0c363dc998d6

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
4b9c657525a3c00c0e30be9bb216423a

SHA1
a9c0acdeb8d7b878cff9bacbc25784334209904d

SHA256
b1386a20b2d958680c67be9239e59e7631a5f4d2559c8469f513e69450960dc3

SHA512
23eda2be9aa4b29444d106507978d0f0318462c104c3e495c0a61f4ec0d598d405ca6fc7a9cf565b4afcee96eff533a7b6aab01618fea64370f4b0e900a6bf58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fb6bf10d333ea0777e6e5779b853b202

SHA1
55298cf0d565bf156bc95fa6ee6afabbc0dc45c3

SHA256
250d547b7594f7c9e9e1e01b77e8c3dbe7acbe78564de50ef6c695c065e306fc

SHA512
9ceace3ab43eeb5d17fb0ee48de96cdbb5611c4c101208ead6a76f2889cfa7f0629c136718794b94753b72b054249394e80f86d765c180645ea3ebf29e63c7b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64e206925825db634d202281422dfbe7

SHA1
0bf0b4b719897772b93435c4fc5e20aa80aa7a8c

SHA256
b3998435a08530e4745bf92bbc4117b9945ffdba6ee2181a40c1d927d4c7cb1a

SHA512
82170b4a4af3b02909ee15df2e02a48d75099d07bde3985b5601657edc005d010f826faed7c84b50f1c985418deb7a8a207c9cbadae500c1eda80f57e5aa0418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c3c7a43c3b61fdc6c433746de9855654

SHA1
da9df96669a67bca742e7061d902a62f77a02f79

SHA256
95ddbca42c326c27a17c82e7bd5e9ca2a52eb7c86e1995d483581b0fbdae2e05

SHA512
3247ca9dfcaac4259ab74a50811f1c0e872d63f24286acad862e39b7afbab55ff39e1b2e5b4552f3001b61f0e6b1fc097706ee517ab08feee00b82e8a42051a1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670756182462133.txt

Filesize
47KB

MD5
8c0ae5037d75052a5ce1d2373bd5ba34

SHA1
e6e3c0fa396113ea8de3a912ea06b65cb0c496e6

SHA256
2d56fe8d4c1b7742409e52835b96ddc4bec4bea0e4e1db5405cd8f4061e7185f

SHA512
05b3202e38a42a9e8d15d0b43c7be4e9d8058c6a31d79af1a74ff2dc104ea7ef481095265de1a13020ccf972cb0b3a375faac9835c06819cf39c5bb5dcc7657e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764368086779.txt

Filesize
74KB

MD5
1c54389231cdeda16948b552f0744619

SHA1
f2a9f43b4d8168febb995336f51f2409682fe8ce

SHA256
7819a15abecd9a0f7415e7faba06e27262e884f39271a4ce2137849fee5a42ac

SHA512
a3121e53a5294849f9d6f32f1e76939b53f60fef375eca149f45a76e5701e1d414d859658ceab7da0a29693077a86409e04ac8ebd809389374a71c360261ad54

Download Submit
C:\Windows\qudcngsbnduu.exe

Filesize
396KB

MD5
15667babdcdd88ee08174a39c86b00ad

SHA1
19ed09bbe8711e7e0b9a6b7664538559a86d312d

SHA256
5061395e96ddf44be20b37f12ab25da2ee84f9c8ec2dd0b5db4f11cfdb14b2a0

SHA512
e9688e3c981eb1ff0f822dfc2c1a75c570d518b28c8b324b54f4e4fe626cd78ab39171a9f0a61f54eb1e602d941f7faa456aec169bd2379854e7fa411a6fec4a

Download Submit
memory/1200-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1200-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1200-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1200-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1200-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2564-12-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4044-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-10467-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-6394-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-7277-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-3140-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-9943-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-10458-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-10459-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-3141-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-10468-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4044-10546-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5056-5-0x00000000007F0000-0x00000000007F3000-memory.dmp

Filesize
12KB

Download
memory/5056-1-0x00000000007F0000-0x00000000007F3000-memory.dmp

Filesize
12KB

Download
memory/5056-0-0x00000000007F0000-0x00000000007F3000-memory.dmp

Filesize
12KB

Download