teslacrypt | 6950d9f5794147161a7628aedcea38671ee33148580e015cf973f6a86c158d15

Resubmissions

18-10-2024 13:44

241018-q1r6sazdkb 7

18-10-2024 13:29

241018-qrhkzs1hrn 10

Analysis

max time kernel
123s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
Size

344KB
MD5

57b2a1db98a792e2498b6ba5344deb90
SHA1

b8a75d237c860f0128eae5adeb7e76f41233fc36
SHA256

6950d9f5794147161a7628aedcea38671ee33148580e015cf973f6a86c158d15
SHA512

36ebdbc0b27025e9bcc0edbe0cb9b40f2f4f4bbc1582d8e94e42d399a474d45227789d158b7d991fd04424188429fbc00fcf9db06922e3e8abf1506c4aa6d729
SSDEEP

6144:FqvsZf39vcCN1RHCfsIltPv6qn0/+sK+x20Im5iTxSO+xUJ:FqIv/wTPv6Q0GwFPxU

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iarvw.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9D491D6452BEFF71 2. http://tes543berda73i48fsdfsd.keratadze.at/9D491D6452BEFF71 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9D491D6452BEFF71 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/9D491D6452BEFF71 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9D491D6452BEFF71 http://tes543berda73i48fsdfsd.keratadze.at/9D491D6452BEFF71 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9D491D6452BEFF71 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/9D491D6452BEFF71

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9D491D6452BEFF71

http://tes543berda73i48fsdfsd.keratadze.at/9D491D6452BEFF71

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9D491D6452BEFF71

http://xlowfznrg4wf7dli.ONION/9D491D6452BEFF71

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (420) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2824 cmd.exe

pid	process
2824	cmd.exe

Drops startup file 6 IoCs

Processes:

ujyrjqiiptut.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+iarvw.png	ujyrjqiiptut.exe

Executes dropped EXE 2 IoCs

Processes:

ujyrjqiiptut.exeujyrjqiiptut.exe

pid process

2896 ujyrjqiiptut.exe
2176 ujyrjqiiptut.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2896	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ujyrjqiiptut.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ffwfkqvhbtwd = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ujyrjqiiptut.exe\""	ujyrjqiiptut.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exeujyrjqiiptut.exe

description	pid	process	target process
PID 2960 set thread context of 2324	2960	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 2896 set thread context of 2176	2896	ujyrjqiiptut.exe	ujyrjqiiptut.exe

Drops file in Program Files directory 64 IoCs

Processes:

ujyrjqiiptut.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\UnpublishBackup.jpeg	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Media Player\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\es-ES\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\en-US\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Reference Assemblies\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\Recovery+iarvw.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\Recovery+iarvw.html	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\Recovery+iarvw.txt	ujyrjqiiptut.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\Recovery+iarvw.txt	ujyrjqiiptut.exe

Drops file in Windows directory 2 IoCs

Processes:

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\ujyrjqiiptut.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
File created	C:\Windows\ujyrjqiiptut.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exeujyrjqiiptut.execmd.exeDllHost.exe57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exeujyrjqiiptut.exeNOTEPAD.EXEIEXPLORE.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujyrjqiiptut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujyrjqiiptut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3D4AF591-8D55-11EF-8C6C-D686196AC2C0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000a6fbd14316e084810a8677c1d72328a57a1d0550e0da0f538ea4872e2c81ee48000000000e800000000200002000000008faa6d527600a2c25bdb2fe224c05afb70ed5d0183a2f436a5e5f648766188a90000000d6992bcdbce2574d8b4ab26d6072023d82f6ecf4a06257cc9e304c406025ce2cc74025eb9fbbd81c93c783399598a7521977bdddced58f1ebea651f1c7f77060817f360a08eac6b56308f225d59284e4ce36f6dfa2b992eec32a8c8c5e6eac7f6a3af5fd81e7942ac617dd397314ae70f7adacabc19c805c58c2741bf92244296215bdac2326f0cd1f4a0ce7d13fd8b840000000f0ea675eebece37ede2f7584a36a88bce21ff3d57e4b6ee40909f8a4b500211b0d44a6a429fcd7bdd8e3a96869fefdad977578ccd75cca71a5ef9b82c804d7e7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90cdd0116221db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000002801c8eb069864c9334b3f401ab1617008255c938b2d30eb5add9724e3b3b219000000000e8000000002000020000000eda94c0bd764f6384dc2c68a7f98d7089b15edf4079417751e879559d6dd5dc7200000004d6d3bbdc94b3f122fd2c2ae6c1d3f332200a77eeaecc5866725c5736fc6fbc64000000016d7ed3786db24e81786e9ae189a14c507d5edbb7c143ef63381e3acf157188069e8c89b187ed9f76400db81f839a09475ebb29fd7c3d661f245f4ffbef6415e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1200 NOTEPAD.EXE

pid	process
1200	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ujyrjqiiptut.exe

pid	process
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe
2176	ujyrjqiiptut.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exeujyrjqiiptut.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2324	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
Token: SeDebugPrivilege	2176	ujyrjqiiptut.exe
Token: SeIncreaseQuotaPrivilege	2864	WMIC.exe
Token: SeSecurityPrivilege	2864	WMIC.exe
Token: SeTakeOwnershipPrivilege	2864	WMIC.exe
Token: SeLoadDriverPrivilege	2864	WMIC.exe
Token: SeSystemProfilePrivilege	2864	WMIC.exe
Token: SeSystemtimePrivilege	2864	WMIC.exe
Token: SeProfSingleProcessPrivilege	2864	WMIC.exe
Token: SeIncBasePriorityPrivilege	2864	WMIC.exe
Token: SeCreatePagefilePrivilege	2864	WMIC.exe
Token: SeBackupPrivilege	2864	WMIC.exe
Token: SeRestorePrivilege	2864	WMIC.exe
Token: SeShutdownPrivilege	2864	WMIC.exe
Token: SeDebugPrivilege	2864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2864	WMIC.exe
Token: SeRemoteShutdownPrivilege	2864	WMIC.exe
Token: SeUndockPrivilege	2864	WMIC.exe
Token: SeManageVolumePrivilege	2864	WMIC.exe
Token: 33	2864	WMIC.exe
Token: 34	2864	WMIC.exe
Token: 35	2864	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2864	WMIC.exe
Token: SeSecurityPrivilege	2864	WMIC.exe
Token: SeTakeOwnershipPrivilege	2864	WMIC.exe
Token: SeLoadDriverPrivilege	2864	WMIC.exe
Token: SeSystemProfilePrivilege	2864	WMIC.exe
Token: SeSystemtimePrivilege	2864	WMIC.exe
Token: SeProfSingleProcessPrivilege	2864	WMIC.exe
Token: SeIncBasePriorityPrivilege	2864	WMIC.exe
Token: SeCreatePagefilePrivilege	2864	WMIC.exe
Token: SeBackupPrivilege	2864	WMIC.exe
Token: SeRestorePrivilege	2864	WMIC.exe
Token: SeShutdownPrivilege	2864	WMIC.exe
Token: SeDebugPrivilege	2864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2864	WMIC.exe
Token: SeRemoteShutdownPrivilege	2864	WMIC.exe
Token: SeUndockPrivilege	2864	WMIC.exe
Token: SeManageVolumePrivilege	2864	WMIC.exe
Token: 33	2864	WMIC.exe
Token: 34	2864	WMIC.exe
Token: 35	2864	WMIC.exe
Token: SeBackupPrivilege	1516	vssvc.exe
Token: SeRestorePrivilege	1516	vssvc.exe
Token: SeAuditPrivilege	1516	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1336	WMIC.exe
Token: SeSecurityPrivilege	1336	WMIC.exe
Token: SeTakeOwnershipPrivilege	1336	WMIC.exe
Token: SeLoadDriverPrivilege	1336	WMIC.exe
Token: SeSystemProfilePrivilege	1336	WMIC.exe
Token: SeSystemtimePrivilege	1336	WMIC.exe
Token: SeProfSingleProcessPrivilege	1336	WMIC.exe
Token: SeIncBasePriorityPrivilege	1336	WMIC.exe
Token: SeCreatePagefilePrivilege	1336	WMIC.exe
Token: SeBackupPrivilege	1336	WMIC.exe
Token: SeRestorePrivilege	1336	WMIC.exe
Token: SeShutdownPrivilege	1336	WMIC.exe
Token: SeDebugPrivilege	1336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1336	WMIC.exe
Token: SeRemoteShutdownPrivilege	1336	WMIC.exe
Token: SeUndockPrivilege	1336	WMIC.exe
Token: SeManageVolumePrivilege	1336	WMIC.exe
Token: 33	1336	WMIC.exe
Token: 34	1336	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2504 iexplore.exe
1512 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

2504 iexplore.exe
2504 iexplore.exe
1276 IEXPLORE.EXE
1276 IEXPLORE.EXE
1512 DllHost.exe
1512 DllHost.exe

pid	process
2504	iexplore.exe
1512	DllHost.exe

pid	process
2504	iexplore.exe
2504	iexplore.exe
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1512	DllHost.exe
1512	DllHost.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exeujyrjqiiptut.exeujyrjqiiptut.exeiexplore.exe

description	pid	process	target process
PID 2960 wrote to memory of 2324	2960	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 2960 wrote to memory of 2324	2960	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 2960 wrote to memory of 2324	2960	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 2960 wrote to memory of 2324	2960	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 2960 wrote to memory of 2324	2960	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 2960 wrote to memory of 2324	2960	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 2960 wrote to memory of 2324	2960	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 2960 wrote to memory of 2324	2960	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 2960 wrote to memory of 2324	2960	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 2960 wrote to memory of 2324	2960	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
PID 2324 wrote to memory of 2896	2324	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	ujyrjqiiptut.exe
PID 2324 wrote to memory of 2896	2324	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	ujyrjqiiptut.exe
PID 2324 wrote to memory of 2896	2324	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	ujyrjqiiptut.exe
PID 2324 wrote to memory of 2896	2324	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	ujyrjqiiptut.exe
PID 2324 wrote to memory of 2824	2324	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	cmd.exe
PID 2324 wrote to memory of 2824	2324	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	cmd.exe
PID 2324 wrote to memory of 2824	2324	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	cmd.exe
PID 2324 wrote to memory of 2824	2324	57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe	cmd.exe
PID 2896 wrote to memory of 2176	2896	ujyrjqiiptut.exe	ujyrjqiiptut.exe
PID 2896 wrote to memory of 2176	2896	ujyrjqiiptut.exe	ujyrjqiiptut.exe
PID 2896 wrote to memory of 2176	2896	ujyrjqiiptut.exe	ujyrjqiiptut.exe
PID 2896 wrote to memory of 2176	2896	ujyrjqiiptut.exe	ujyrjqiiptut.exe
PID 2896 wrote to memory of 2176	2896	ujyrjqiiptut.exe	ujyrjqiiptut.exe
PID 2896 wrote to memory of 2176	2896	ujyrjqiiptut.exe	ujyrjqiiptut.exe
PID 2896 wrote to memory of 2176	2896	ujyrjqiiptut.exe	ujyrjqiiptut.exe
PID 2896 wrote to memory of 2176	2896	ujyrjqiiptut.exe	ujyrjqiiptut.exe
PID 2896 wrote to memory of 2176	2896	ujyrjqiiptut.exe	ujyrjqiiptut.exe
PID 2896 wrote to memory of 2176	2896	ujyrjqiiptut.exe	ujyrjqiiptut.exe
PID 2176 wrote to memory of 2864	2176	ujyrjqiiptut.exe	WMIC.exe
PID 2176 wrote to memory of 2864	2176	ujyrjqiiptut.exe	WMIC.exe
PID 2176 wrote to memory of 2864	2176	ujyrjqiiptut.exe	WMIC.exe
PID 2176 wrote to memory of 2864	2176	ujyrjqiiptut.exe	WMIC.exe
PID 2176 wrote to memory of 1200	2176	ujyrjqiiptut.exe	NOTEPAD.EXE
PID 2176 wrote to memory of 1200	2176	ujyrjqiiptut.exe	NOTEPAD.EXE
PID 2176 wrote to memory of 1200	2176	ujyrjqiiptut.exe	NOTEPAD.EXE
PID 2176 wrote to memory of 1200	2176	ujyrjqiiptut.exe	NOTEPAD.EXE
PID 2176 wrote to memory of 2504	2176	ujyrjqiiptut.exe	iexplore.exe
PID 2176 wrote to memory of 2504	2176	ujyrjqiiptut.exe	iexplore.exe
PID 2176 wrote to memory of 2504	2176	ujyrjqiiptut.exe	iexplore.exe
PID 2176 wrote to memory of 2504	2176	ujyrjqiiptut.exe	iexplore.exe
PID 2504 wrote to memory of 1276	2504	iexplore.exe	IEXPLORE.EXE
PID 2504 wrote to memory of 1276	2504	iexplore.exe	IEXPLORE.EXE
PID 2504 wrote to memory of 1276	2504	iexplore.exe	IEXPLORE.EXE
PID 2504 wrote to memory of 1276	2504	iexplore.exe	IEXPLORE.EXE
PID 2176 wrote to memory of 1336	2176	ujyrjqiiptut.exe	WMIC.exe
PID 2176 wrote to memory of 1336	2176	ujyrjqiiptut.exe	WMIC.exe
PID 2176 wrote to memory of 1336	2176	ujyrjqiiptut.exe	WMIC.exe
PID 2176 wrote to memory of 1336	2176	ujyrjqiiptut.exe	WMIC.exe
PID 2176 wrote to memory of 1392	2176	ujyrjqiiptut.exe	cmd.exe
PID 2176 wrote to memory of 1392	2176	ujyrjqiiptut.exe	cmd.exe
PID 2176 wrote to memory of 1392	2176	ujyrjqiiptut.exe	cmd.exe
PID 2176 wrote to memory of 1392	2176	ujyrjqiiptut.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ujyrjqiiptut.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ujyrjqiiptut.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ujyrjqiiptut.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\57b2a1db98a792e2498b6ba5344deb90_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\ujyrjqiiptut.exe
C:\Windows\ujyrjqiiptut.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\ujyrjqiiptut.exe
C:\Windows\ujyrjqiiptut.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2176

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:1200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2504 CREDAT:275457 /prefetch:2
6⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UJYRJQ~1.EXE
5⤵
- System Location Discovery: System Language Discovery
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\57B2A1~1.EXE
3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iarvw.html

Filesize
11KB

MD5
7fcdf5ac10240900814a7916ce26ce05

SHA1
07a6861d4bb8fd7bf54a135ef3c452f9e51b6d7a

SHA256
e37fc022b9045660ecceed4c6c12184b6e87f030bf71b0e8de2c8566f3e404c5

SHA512
b3e1dd477d3060274be0b772f704881c025a417e10bb34eeedf98c4ecdc43af6d10067b3d7fa0e6eb7dcd69ed228350295372db77c24fa566876b02c2cf9232a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iarvw.png

Filesize
62KB

MD5
16244d3b03db573969c3222416004d3e

SHA1
b66ed6b7f683f4151138c63713dbaef693dcd640

SHA256
ab986b079350f7b61fb4b69357350864dbccc0971cc04a2034558169625f6c50

SHA512
27611889fd7202f4e8d81df812381eaf210f5190dcc10096db56a256d26b207fa787434f5b2e5246d77bfe1e2ec0132a69c4317e0012fa5ac1127bd3730cee4e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iarvw.txt

Filesize
1KB

MD5
25827f6f7396985443e2303609f1a30c

SHA1
fe17430c234be0bb11ffde604d2f3eb50ad67703

SHA256
11a0de0febaf40aa2037683cabd2b9c86b6f38f594857cc98a64d6c830072061

SHA512
4dace44ea8cd21ed9a77c6a3dce5be856d17bb93462ed9562150d45b1cf063054b2c79850c72f28af16b47f332697f69c9026116f06ea25c36b48b3e8620d9eb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
17bc0347ca7e693e54bf1ae34b111546

SHA1
1cd77da118a5e54cc0e03931c859c39e3a6b999f

SHA256
3226cb484a12dd90a4d79b8d26ec7af6297db0aafbed1761625627eace900077

SHA512
f2b51d0ea1a349bdda9b9b95dde584c81542cf620d71d5ead5a07180bd4d2e763140fd61763bbaf2e12212fe66042ff69e3a32119cddc312d353cd4c2b2d15bb

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
42923d9e1236302c099da07428f537bd

SHA1
45a4d5c06025b6999ae2b0d27a5473a7e1945b5e

SHA256
7e21f8fb1561ad0eb8207cdd60b3250d3e83f5768fc3aaef1871f27555a0e220

SHA512
4421b220f0a6bf3bb70dc0ac619ec8862141516929c0efaf04fda0e16b56b52a2463b2cb8a3f72d1bbb58a9367b33a5a9c8cb74a3ecdc33beef37512100d3299

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
03721639b5379156ec158746cbe1bd3b

SHA1
4913e2fcf7e5372df8d2377916a0f541ad32093b

SHA256
586eb374a2955770bdc8b62d131cc11cb6c629d285b25ac12111c7b3f617a080

SHA512
5cd0d7a7f15589143641e6f59406700abfeb38a2ff3815dc8b29add96b750408050acf269e6ddc10cc40722fa0022fd7fa1338b57d491834ba35b0c37e35f85b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e600c7e409bda1deeb91fc2713b6efaf

SHA1
cdd778cf4bc1a3cc6f01543d3c9dd2205aac019c

SHA256
fa0be2b8da670b9ac603bed851c72d4901e232bcc120e2c781bf9d99695806d2

SHA512
b5308c7b2ca623441551c020d8b16c7a15f9b23f00105a3b621494a22683d5489bddd1dc346bcd81373adc919c3bcdcb533d2818e8ccb7d11ee7b2d7e9dc5f61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92ad5f2df313c4db985cba03876688ac

SHA1
f649dac75e7513bfdb92977ddc67a56c9cb7198a

SHA256
f23baea464662c783f58c5cff98c4637925112a65bdeda900d3814000278befb

SHA512
1d9db2f68d7232e867d0b54c267b4c6041d2125cb5889589577e0a989d779e3e0e4880c1bfe03d45803ba2efff98902f98b13f6976e5f13a144ea422a8aea05c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb6f3a6f11e665bc5911f32ddc3c98cd

SHA1
656109b61abb333e51f8068f67432c78045f2818

SHA256
845e2dec25ee0091fe55f034e6eafd85ce0e10e3587e82f800912c3b6d359c6b

SHA512
c0f6e2c942866172b0b855f4c29a662ede996661cc2e3fd24226f07fab09842772a754aa555492444ce4d2360fb5eb3c5b15820e40b8cdc5087208627ce2dfc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6895a6ea2aa5b1ed1fe39eb7b4616e62

SHA1
06c308fbd464d9e85025bbb0667415a8d6c0457b

SHA256
d2620e8d828d8a80b726181fd18404a54814ecf6397e6f4efa0ff9607530439a

SHA512
eae2746be4c7b6957499e57744c0bc960d21707a82b503f4a1996dd30c6630cc5bcfb3b7fe055709efc212b0aa3395be7ab752498c62732ad2e629ebcc889e37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dfa9fd210eb75d252af7ee3df8e17f9

SHA1
2d691a2ee039cdd6900825492e624b53b9155fdb

SHA256
dcb589bc72cd5eec1c5f851a79cc36a060ad4b1a0c69ae7f16e1320c0adcc037

SHA512
19d900c10a0e850c72e31fe4992c07f6e1ed94f6bc55c81168c9ce245bfd3a2d4f44f364a50843c893cc5efcd7388dd8fc94c8da3ff2ce9e41aac1c0c289dcdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05db9edc7f5cacaafe1f5e5513ad93d3

SHA1
ee1a7a76ef3e60ea78ba4dc06f621e2faa7245dc

SHA256
0c333893b135f6e0ad0136eda526f09a0cb7db5905357f937456d554f2d91229

SHA512
e1de681c26f778c285d80945f0adb2949571da6388d98f46c6b6ec27ce8a19a92be418b4f8551c6295bcdb702de188df73273b380d14170307d9737ee9dbd623

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8397689346c1bf841ebe685ba53b6c88

SHA1
814387cc34a2889552bd82a1645fd692f648c27a

SHA256
3c864edcd00b4202b8b36f2af6069e0bea7e3efb481934ad2506f876193f34bb

SHA512
e64e7c85ccda89a3b0e3224fd684d6f2dfaea71b4d461fdac6061364a77c57aa91e22183956b79c7e9ce9d33fb93b75595a1320d949065b3df668bbfba4128fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6599c09a32fe441d7d043f45ee718701

SHA1
9ec273eac1af610421d6b061f1d180d77cbd359f

SHA256
5b13786fba7d14b5d398a18b4392447f1c72274ead626e23b2e2dc1094c4b6f2

SHA512
5d74e4d5c11df833a31dc18c997c663ac8934edd9c8aafe9d6669d34ababf018e517105572b60f22f8aeae50bfbbd93656cbe5bafba450eecfcefffb70ba37ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cc63268cea315b813c82977f5679251

SHA1
98dc96b7d8070a6066543df0e30f6b562260cd77

SHA256
045c4ecc8968b8d116a3442e1410c1847dbccf77e0d17cd638cea19cdf7be914

SHA512
0079f53c8f79cde5c644d0c5984e4ec20db28b68cdd6d4486db2d737d1dc14e88652a1afac01798fd1de1eb86afacad6707b78a3cf2ca6aeb491bf140f66daa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3C17.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3C8A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\ujyrjqiiptut.exe

Filesize
344KB

MD5
57b2a1db98a792e2498b6ba5344deb90

SHA1
b8a75d237c860f0128eae5adeb7e76f41233fc36

SHA256
6950d9f5794147161a7628aedcea38671ee33148580e015cf973f6a86c158d15

SHA512
36ebdbc0b27025e9bcc0edbe0cb9b40f2f4f4bbc1582d8e94e42d399a474d45227789d158b7d991fd04424188429fbc00fcf9db06922e3e8abf1506c4aa6d729

Download Submit
memory/1512-6105-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2176-758-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-6107-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-6113-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-1222-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-1223-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-45-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-4081-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-6098-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-6104-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/2176-6116-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-6109-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2324-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2324-27-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2324-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2324-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2324-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2324-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2324-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2324-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2324-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2324-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2896-28-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2960-0-0x0000000000270000-0x0000000000273000-memory.dmp

Filesize
12KB

Download
memory/2960-16-0x0000000000270000-0x0000000000273000-memory.dmp

Filesize
12KB

Download