teslacrypt | 466a0840ed6f4484f26afb630c6875cc6d9ebd4a968ee2808b801d89fcb31c4b

Analysis

max time kernel
142s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ee4303c494680602137222eced50e71_JaffaCakes118.exe
Size

424KB
MD5

4ee4303c494680602137222eced50e71
SHA1

3783dd9fbde986cc57b57170ac82d20ffeb7e3f3
SHA256

466a0840ed6f4484f26afb630c6875cc6d9ebd4a968ee2808b801d89fcb31c4b
SHA512

e6bb5129945cc1f4c69a6821bf9596cad72d7c0e9686bacd435365c9417e9a20b649ec59a4cb72875a43eb1a8a6aebc372d004dc3aedbe5a4374f002225e00c0
SSDEEP

6144:+HBKR8zpzWdU9V8EAQbsnwyv+U91PoxqHEwoXbftChXW3AxfulDGgB:ehzoO9KEAQbszmSdH6blCJxfS6

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+qkwoh.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F4B5B177FA5486A3 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F4B5B177FA5486A3 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F4B5B177FA5486A3 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/F4B5B177FA5486A3 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F4B5B177FA5486A3 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F4B5B177FA5486A3 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F4B5B177FA5486A3 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/F4B5B177FA5486A3

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F4B5B177FA5486A3

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F4B5B177FA5486A3

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F4B5B177FA5486A3

http://xlowfznrg4wf7dli.ONION/F4B5B177FA5486A3

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	4ee4303c494680602137222eced50e71_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dkemaxugasfx.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qkwoh.txt	dkemaxugasfx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qkwoh.html	dkemaxugasfx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qkwoh.txt	dkemaxugasfx.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qkwoh.html	dkemaxugasfx.exe

Executes dropped EXE 1 IoCs

pid	Process
4320	dkemaxugasfx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ohvlnqewdbla = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dkemaxugasfx.exe\""	dkemaxugasfx.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-125.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-lightunplated.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-black_scale-125.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\_RECoVERY_+qkwoh.txt	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+qkwoh.html	dkemaxugasfx.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\3B9D3023-9E41-4144-80F7-056F252AE726\root\vfs\Windows\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-400.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\search_emptystate.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-125_contrast-black.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\_RECoVERY_+qkwoh.html	dkemaxugasfx.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\_RECoVERY_+qkwoh.html	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LargeTile.scale-125_contrast-white.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_BadgeLogo.scale-200.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-100.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-125.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\_RECoVERY_+qkwoh.txt	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-white.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\_RECoVERY_+qkwoh.txt	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-64_altform-unplated.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-400.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_RECoVERY_+qkwoh.txt	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Tongue.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\_RECoVERY_+qkwoh.txt	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-lightunplated.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\_RECoVERY_+qkwoh.txt	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\_RECoVERY_+qkwoh.html	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+qkwoh.html	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-unplated.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\_RECoVERY_+qkwoh.txt	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\LargeTile.scale-200.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-24.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppUpdate.svg	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-30_altform-unplated.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Dismiss.scale-80.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-200.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-20.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-100.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-black.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+qkwoh.txt	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-80.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-200.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe
File opened for modification	C:\Program Files\LockOptimize.mp4	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\Views\_RECoVERY_+qkwoh.html	dkemaxugasfx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+qkwoh.png	dkemaxugasfx.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dkemaxugasfx.exe	4ee4303c494680602137222eced50e71_JaffaCakes118.exe
File opened for modification	C:\Windows\dkemaxugasfx.exe	4ee4303c494680602137222eced50e71_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ee4303c494680602137222eced50e71_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dkemaxugasfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dkemaxugasfx.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4532	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe
4320	dkemaxugasfx.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3880	4ee4303c494680602137222eced50e71_JaffaCakes118.exe
Token: SeDebugPrivilege	4320	dkemaxugasfx.exe
Token: SeIncreaseQuotaPrivilege	720	WMIC.exe
Token: SeSecurityPrivilege	720	WMIC.exe
Token: SeTakeOwnershipPrivilege	720	WMIC.exe
Token: SeLoadDriverPrivilege	720	WMIC.exe
Token: SeSystemProfilePrivilege	720	WMIC.exe
Token: SeSystemtimePrivilege	720	WMIC.exe
Token: SeProfSingleProcessPrivilege	720	WMIC.exe
Token: SeIncBasePriorityPrivilege	720	WMIC.exe
Token: SeCreatePagefilePrivilege	720	WMIC.exe
Token: SeBackupPrivilege	720	WMIC.exe
Token: SeRestorePrivilege	720	WMIC.exe
Token: SeShutdownPrivilege	720	WMIC.exe
Token: SeDebugPrivilege	720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	720	WMIC.exe
Token: SeRemoteShutdownPrivilege	720	WMIC.exe
Token: SeUndockPrivilege	720	WMIC.exe
Token: SeManageVolumePrivilege	720	WMIC.exe
Token: 33	720	WMIC.exe
Token: 34	720	WMIC.exe
Token: 35	720	WMIC.exe
Token: 36	720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	720	WMIC.exe
Token: SeSecurityPrivilege	720	WMIC.exe
Token: SeTakeOwnershipPrivilege	720	WMIC.exe
Token: SeLoadDriverPrivilege	720	WMIC.exe
Token: SeSystemProfilePrivilege	720	WMIC.exe
Token: SeSystemtimePrivilege	720	WMIC.exe
Token: SeProfSingleProcessPrivilege	720	WMIC.exe
Token: SeIncBasePriorityPrivilege	720	WMIC.exe
Token: SeCreatePagefilePrivilege	720	WMIC.exe
Token: SeBackupPrivilege	720	WMIC.exe
Token: SeRestorePrivilege	720	WMIC.exe
Token: SeShutdownPrivilege	720	WMIC.exe
Token: SeDebugPrivilege	720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	720	WMIC.exe
Token: SeRemoteShutdownPrivilege	720	WMIC.exe
Token: SeUndockPrivilege	720	WMIC.exe
Token: SeManageVolumePrivilege	720	WMIC.exe
Token: 33	720	WMIC.exe
Token: 34	720	WMIC.exe
Token: 35	720	WMIC.exe
Token: 36	720	WMIC.exe
Token: SeBackupPrivilege	2644	vssvc.exe
Token: SeRestorePrivilege	2644	vssvc.exe
Token: SeAuditPrivilege	2644	vssvc.exe
Token: SeIncreaseQuotaPrivilege	720	WMIC.exe
Token: SeSecurityPrivilege	720	WMIC.exe
Token: SeTakeOwnershipPrivilege	720	WMIC.exe
Token: SeLoadDriverPrivilege	720	WMIC.exe
Token: SeSystemProfilePrivilege	720	WMIC.exe
Token: SeSystemtimePrivilege	720	WMIC.exe
Token: SeProfSingleProcessPrivilege	720	WMIC.exe
Token: SeIncBasePriorityPrivilege	720	WMIC.exe
Token: SeCreatePagefilePrivilege	720	WMIC.exe
Token: SeBackupPrivilege	720	WMIC.exe
Token: SeRestorePrivilege	720	WMIC.exe
Token: SeShutdownPrivilege	720	WMIC.exe
Token: SeDebugPrivilege	720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	720	WMIC.exe
Token: SeRemoteShutdownPrivilege	720	WMIC.exe
Token: SeUndockPrivilege	720	WMIC.exe
Token: SeManageVolumePrivilege	720	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 4320	3880	4ee4303c494680602137222eced50e71_JaffaCakes118.exe	87
PID 3880 wrote to memory of 4320	3880	4ee4303c494680602137222eced50e71_JaffaCakes118.exe	87
PID 3880 wrote to memory of 4320	3880	4ee4303c494680602137222eced50e71_JaffaCakes118.exe	87
PID 3880 wrote to memory of 1928	3880	4ee4303c494680602137222eced50e71_JaffaCakes118.exe	88
PID 3880 wrote to memory of 1928	3880	4ee4303c494680602137222eced50e71_JaffaCakes118.exe	88
PID 3880 wrote to memory of 1928	3880	4ee4303c494680602137222eced50e71_JaffaCakes118.exe	88
PID 4320 wrote to memory of 720	4320	dkemaxugasfx.exe	92
PID 4320 wrote to memory of 720	4320	dkemaxugasfx.exe	92
PID 4320 wrote to memory of 4532	4320	dkemaxugasfx.exe	105
PID 4320 wrote to memory of 4532	4320	dkemaxugasfx.exe	105
PID 4320 wrote to memory of 4532	4320	dkemaxugasfx.exe	105
PID 4320 wrote to memory of 3716	4320	dkemaxugasfx.exe	106
PID 4320 wrote to memory of 3716	4320	dkemaxugasfx.exe	106
PID 3716 wrote to memory of 1976	3716	msedge.exe	107
PID 3716 wrote to memory of 1976	3716	msedge.exe	107
PID 4320 wrote to memory of 720	4320	dkemaxugasfx.exe	108
PID 4320 wrote to memory of 720	4320	dkemaxugasfx.exe	108
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 3252	3716	msedge.exe	110
PID 3716 wrote to memory of 2004	3716	msedge.exe	111
PID 3716 wrote to memory of 2004	3716	msedge.exe	111
PID 3716 wrote to memory of 2456	3716	msedge.exe	112
PID 3716 wrote to memory of 2456	3716	msedge.exe	112
PID 3716 wrote to memory of 2456	3716	msedge.exe	112
PID 3716 wrote to memory of 2456	3716	msedge.exe	112
PID 3716 wrote to memory of 2456	3716	msedge.exe	112

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dkemaxugasfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dkemaxugasfx.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4ee4303c494680602137222eced50e71_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ee4303c494680602137222eced50e71_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\dkemaxugasfx.exe
  C:\Windows\dkemaxugasfx.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4320
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:4532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5f3f46f8,0x7ffa5f3f4708,0x7ffa5f3f4718
      4⤵
      PID:1976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,8085091834865437218,4385368305885806450,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:3252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,8085091834865437218,4385368305885806450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
      4⤵
      PID:2004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,8085091834865437218,4385368305885806450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2464 /prefetch:8
      4⤵
      PID:2456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8085091834865437218,4385368305885806450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
      4⤵
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8085091834865437218,4385368305885806450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
      4⤵
      PID:860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8085091834865437218,4385368305885806450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
      4⤵
      PID:1052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8085091834865437218,4385368305885806450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
      4⤵
      PID:548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8085091834865437218,4385368305885806450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
      4⤵
      PID:3404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8085091834865437218,4385368305885806450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      4⤵
      PID:2712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8085091834865437218,4385368305885806450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
      4⤵
      PID:3960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8085091834865437218,4385368305885806450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
      4⤵
      PID:884
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DKEMAX~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4EE430~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+qkwoh.html

Filesize
11KB

MD5
c7a9997b167137ccbc12ed45a1896a17

SHA1
470bffc672967f34634490728789ddc16638292c

SHA256
d445896d3aa97b4a1dc493833270e2707166c6904144d92b63924a9f70953f00

SHA512
ae5770244a4849cc838172ac0c77fa92b2215a517831fcd0c4be789f6682f8b4aefbe9efa4623fec13bd83323abe2a4dee458c72378d1060943c83c608569cf1

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+qkwoh.png

Filesize
64KB

MD5
d24a4719de765e62cc44afc06452ab97

SHA1
3997c704ab7f9f6abe812ad52883245b093d6ff4

SHA256
95aeb414f396cb8c28c50bd4e581c3dfbadb7e75fad576b03bc04a9c56d67c67

SHA512
d26992238d4e41d715f42c8e51365644dcfe649563a5c82a57990997d04b3230051bd34d1d2151af3c8025f54692ceea59ab7172801f72889c3b1f85c133ea6e

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+qkwoh.txt

Filesize
1KB

MD5
32757b88c7e8e886fd2c0799557ea8b7

SHA1
8a19e7d6dcae77ef979e91becb98cc0352fbbffa

SHA256
0957c438667136ec9caf406896a8b8b042066e091d99f8368c08bdc4ab04025b

SHA512
f0b8821a5a536d30d7e7cec34e6e2fc6db541532ed056e34d6e514a7785be74b6f5ca6e3e9ef3c207830f5c6a7a40447c524943dc50e51cb004849c764b7bfb5

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
40d7ae5189bface6a7bed46d1ff8f18b

SHA1
2bdfe37622fb1fed559f99c4d88ca505be857671

SHA256
45994ce51acdaf2b6a50e92d7c44d17f1539ce843addd4cac753a8607a5d9f06

SHA512
4ae5ab427e9048a1ce3c066c80e24e8f8b17aececcdd6a42e912a7e398096c5595bfdbf95a51c677f83d6cabdcd47797990a22ba3f39fcf3facf74aad07f3aef

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
9ad408ee6d7b1d3d297efc8dd2dcf06c

SHA1
efbaf4b9e4f49bab767d63ff27dd473d0d98b7ce

SHA256
674efc1b5fd1ad3fa284ea453f504b532b07de2a93668e40860e6217a21d9822

SHA512
64dd53b53687eb96663f0bf9983c31b60a828c035c019760e06674e8f14c958ee56bb6098011b019ecfccd540135776f57a3c246cc1ba37b45fb37e43e55a68d

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
5c1349a4c59f7aa28db516861c2037e4

SHA1
94d1fcb8a5d76997b87ef4395d6984535a01c582

SHA256
afc7a13c997c1ae9cb9830b599160e0515bf4487b6f92c0dbaeb700e1846ef08

SHA512
45f6fdae855782bb6d176f3b292d99b2a51dc240dcd4607fa922c541bb3233c1fe62010addf3a44bbc2724fc6c43ce6666b6ba7a3764d113094642ce30cb0011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f0e69f37b87784860bd1c438e245a39e

SHA1
ffd52033ad0c65f74a8b84ffe558e22238ec9e2c

SHA256
b97c785f68ff21fb05082a95ce3d612f491946328f23826a82755cd68e1a1fbe

SHA512
19474e378e8495ef25c98a8c005dfb88e2d4e5179151216ac046894c72aba4b93ade89926b35b7957271053f68e8fbd97b2f4bee898a47e1e352b3212015b24e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9242ee02137a70f0751916b1f78a9e5d

SHA1
37cab10b11f16ed4b72e12530d298581c7db4ec4

SHA256
fff3640a829b500eeeed54625c910f49748d40582b7917728897b943958bfd3d

SHA512
96bffb7dba66b990c803f2a0fb8bc5056fd777b86df02dcad5909e0134ed0e836b8a077e7726c8b8c9fdc43e8b6881f74558ab9eaeb05cb215cc982aaaee7750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3c1b94558eb0ba722ce58ada04b01462

SHA1
f4e307257cd8140d192a6b189fbae1050ce5facd

SHA256
e36930f71151b0f4c98486a577b8fc548f283a0ea7a3663679da8fe5ea3c9710

SHA512
4e35c91475f723e28d10456937d95c1225ff6ce864508233cec8e9c085bd52fb7db5eb746d431cb0de8d876f20835650b54beb907b12a8bea81b0bf9735bc294

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665766873969.txt

Filesize
74KB

MD5
77941beebecbe844cbd51b0666939088

SHA1
822e45256beb67208a043f88c55944ff2af3873b

SHA256
6414a052f932cfe2ec6d9a75792f9362a29cf0e075d5cf6a4d98423a6f54906f

SHA512
a8a57b4a31cd6f28c4405e8222ea0e5b8c8e8b1852a0a7ce99dda10014314e0a7f214ab563e2788e73962465db9ccf2fa0c14cacce3d2d9dda7e10daac898b31

Download Submit
C:\Windows\dkemaxugasfx.exe

Filesize
424KB

MD5
4ee4303c494680602137222eced50e71

SHA1
3783dd9fbde986cc57b57170ac82d20ffeb7e3f3

SHA256
466a0840ed6f4484f26afb630c6875cc6d9ebd4a968ee2808b801d89fcb31c4b

SHA512
e6bb5129945cc1f4c69a6821bf9596cad72d7c0e9686bacd435365c9417e9a20b649ec59a4cb72875a43eb1a8a6aebc372d004dc3aedbe5a4374f002225e00c0

Download Submit
memory/3880-2-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3880-10-0x0000000002290000-0x0000000002315000-memory.dmp

Filesize
532KB

Download
memory/3880-0-0x0000000002290000-0x0000000002315000-memory.dmp

Filesize
532KB

Download
memory/3880-9-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4320-10807-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4320-11-0x0000000000990000-0x0000000000A15000-memory.dmp

Filesize
532KB

Download
memory/4320-10854-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4320-8397-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4320-4906-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4320-2684-0x0000000000990000-0x0000000000A15000-memory.dmp

Filesize
532KB

Download
memory/4320-2406-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download