teslacrypt | 39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc

Analysis

max time kernel
126s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-10-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Size

340KB
MD5

6bcc066e2a81f34c7e052895001f44c6
SHA1

6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8
SHA256

39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc
SHA512

b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c
SSDEEP

6144:2//b5dx5w2hahQGvPmZ8n0SylbvO+MeTHLlj9HhRbr3ET4b7ODRJT0luqig:SddvwdhHvPmZiyIXgLl3ZoMq4wO

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+eeopr.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/D84D3DF744C6DCAD 2. http://tes543berda73i48fsdfsd.keratadze.at/D84D3DF744C6DCAD 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D84D3DF744C6DCAD If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/D84D3DF744C6DCAD 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/D84D3DF744C6DCAD http://tes543berda73i48fsdfsd.keratadze.at/D84D3DF744C6DCAD http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D84D3DF744C6DCAD *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/D84D3DF744C6DCAD

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/D84D3DF744C6DCAD

http://tes543berda73i48fsdfsd.keratadze.at/D84D3DF744C6DCAD

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D84D3DF744C6DCAD

http://xlowfznrg4wf7dli.ONION/D84D3DF744C6DCAD

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (420) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2744 cmd.exe

pid	process
2744	cmd.exe

Drops startup file 6 IoCs

Processes:

atcqvbojllgj.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+eeopr.txt	atcqvbojllgj.exe

Executes dropped EXE 2 IoCs

Processes:

atcqvbojllgj.exeatcqvbojllgj.exe

pid process

2852 atcqvbojllgj.exe
1696 atcqvbojllgj.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2852	atcqvbojllgj.exe
1696	atcqvbojllgj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

atcqvbojllgj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\cfuefnwgebyp = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\atcqvbojllgj.exe\""	atcqvbojllgj.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeatcqvbojllgj.exe

description	pid	process	target process
PID 2684 set thread context of 2832	2684	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2852 set thread context of 1696	2852	atcqvbojllgj.exe	atcqvbojllgj.exe

Drops file in Program Files directory 64 IoCs

Processes:

atcqvbojllgj.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\month.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Common Files\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\localizedStrings.js	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg	atcqvbojllgj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Recovery+eeopr.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\de-DE\Recovery+eeopr.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Java\jre7\lib\applet\Recovery+eeopr.html	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png	atcqvbojllgj.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	atcqvbojllgj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png	atcqvbojllgj.exe

Drops file in Windows directory 2 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\atcqvbojllgj.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
File opened for modification	C:\Windows\atcqvbojllgj.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeatcqvbojllgj.exeDllHost.exeIEXPLORE.EXE6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeatcqvbojllgj.execmd.exeNOTEPAD.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atcqvbojllgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atcqvbojllgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000057f472dc03468438a07fd1fceb433bb03094b02cf6535ebb1dc21a8a0d7e79be000000000e8000000002000020000000e323a44e7619ad96d90c96571c3baa6291c5ae8ec6317433085174f47abe9bb3200000002956438cd4e657e26cd4b25488e560d2d4e2fd7cc34d0571b0da1ee8aebfd25d400000006dcc726a5121b263a9feadf72af384d302ed482354e0ae7618c520808af750c6f0f7e374614445d8ed5fdea16fa2494c32393187208681d72d1934b46c6723e7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000e28344a25b6644e320c442f209d4caad64f0ff577eb8fb369e93f97553a2ffac000000000e8000000002000020000000c68b74b650bee28d98659ad74369e6182d2759babd9803e4ce3c7cb5bb200ce690000000d19c5e1182d93eadb879e4f81921dbc28e4d89cd5961e5e1477779dff8efd070606ba110750133a5e5aa8811343b9d31904c4316e7e08a852201072744a3508d983b3b4331f38608b682887a4bd94dde72d3d276869490ca55d9e37e144ea63af0f83a4ecf63c942f19bd4fe56963729b659c4625265581ff45f33b7aceccce446658991fe14a14db46885ecc9f1a30e400000008693273280a271bb28f090e205063e3350b5e392afe0fe4100a12bd3fe479eb3e4e8df748ec29d659203bc56931fce80f802a621004d8d359a7464803a95c34b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1EA1ADC1-90B4-11EF-AAF2-E67A421F41DB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0224bf3c024db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1388 NOTEPAD.EXE

pid	process
1388	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

atcqvbojllgj.exe

pid	process
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe
1696	atcqvbojllgj.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeatcqvbojllgj.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2832	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Token: SeDebugPrivilege	1696	atcqvbojllgj.exe
Token: SeIncreaseQuotaPrivilege	2916	WMIC.exe
Token: SeSecurityPrivilege	2916	WMIC.exe
Token: SeTakeOwnershipPrivilege	2916	WMIC.exe
Token: SeLoadDriverPrivilege	2916	WMIC.exe
Token: SeSystemProfilePrivilege	2916	WMIC.exe
Token: SeSystemtimePrivilege	2916	WMIC.exe
Token: SeProfSingleProcessPrivilege	2916	WMIC.exe
Token: SeIncBasePriorityPrivilege	2916	WMIC.exe
Token: SeCreatePagefilePrivilege	2916	WMIC.exe
Token: SeBackupPrivilege	2916	WMIC.exe
Token: SeRestorePrivilege	2916	WMIC.exe
Token: SeShutdownPrivilege	2916	WMIC.exe
Token: SeDebugPrivilege	2916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2916	WMIC.exe
Token: SeRemoteShutdownPrivilege	2916	WMIC.exe
Token: SeUndockPrivilege	2916	WMIC.exe
Token: SeManageVolumePrivilege	2916	WMIC.exe
Token: 33	2916	WMIC.exe
Token: 34	2916	WMIC.exe
Token: 35	2916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2916	WMIC.exe
Token: SeSecurityPrivilege	2916	WMIC.exe
Token: SeTakeOwnershipPrivilege	2916	WMIC.exe
Token: SeLoadDriverPrivilege	2916	WMIC.exe
Token: SeSystemProfilePrivilege	2916	WMIC.exe
Token: SeSystemtimePrivilege	2916	WMIC.exe
Token: SeProfSingleProcessPrivilege	2916	WMIC.exe
Token: SeIncBasePriorityPrivilege	2916	WMIC.exe
Token: SeCreatePagefilePrivilege	2916	WMIC.exe
Token: SeBackupPrivilege	2916	WMIC.exe
Token: SeRestorePrivilege	2916	WMIC.exe
Token: SeShutdownPrivilege	2916	WMIC.exe
Token: SeDebugPrivilege	2916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2916	WMIC.exe
Token: SeRemoteShutdownPrivilege	2916	WMIC.exe
Token: SeUndockPrivilege	2916	WMIC.exe
Token: SeManageVolumePrivilege	2916	WMIC.exe
Token: 33	2916	WMIC.exe
Token: 34	2916	WMIC.exe
Token: 35	2916	WMIC.exe
Token: SeBackupPrivilege	3040	vssvc.exe
Token: SeRestorePrivilege	3040	vssvc.exe
Token: SeAuditPrivilege	3040	vssvc.exe
Token: SeIncreaseQuotaPrivilege	324	WMIC.exe
Token: SeSecurityPrivilege	324	WMIC.exe
Token: SeTakeOwnershipPrivilege	324	WMIC.exe
Token: SeLoadDriverPrivilege	324	WMIC.exe
Token: SeSystemProfilePrivilege	324	WMIC.exe
Token: SeSystemtimePrivilege	324	WMIC.exe
Token: SeProfSingleProcessPrivilege	324	WMIC.exe
Token: SeIncBasePriorityPrivilege	324	WMIC.exe
Token: SeCreatePagefilePrivilege	324	WMIC.exe
Token: SeBackupPrivilege	324	WMIC.exe
Token: SeRestorePrivilege	324	WMIC.exe
Token: SeShutdownPrivilege	324	WMIC.exe
Token: SeDebugPrivilege	324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	324	WMIC.exe
Token: SeRemoteShutdownPrivilege	324	WMIC.exe
Token: SeUndockPrivilege	324	WMIC.exe
Token: SeManageVolumePrivilege	324	WMIC.exe
Token: 33	324	WMIC.exe
Token: 34	324	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1196 iexplore.exe
2548 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

1196 iexplore.exe
1196 iexplore.exe
604 IEXPLORE.EXE
604 IEXPLORE.EXE
2548 DllHost.exe
2548 DllHost.exe

pid	process
1196	iexplore.exe
2548	DllHost.exe

pid	process
1196	iexplore.exe
1196	iexplore.exe
604	IEXPLORE.EXE
604	IEXPLORE.EXE
2548	DllHost.exe
2548	DllHost.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeatcqvbojllgj.exeatcqvbojllgj.exeiexplore.exe

description	pid	process	target process
PID 2684 wrote to memory of 2832	2684	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2684 wrote to memory of 2832	2684	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2684 wrote to memory of 2832	2684	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2684 wrote to memory of 2832	2684	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2684 wrote to memory of 2832	2684	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2684 wrote to memory of 2832	2684	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2684 wrote to memory of 2832	2684	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2684 wrote to memory of 2832	2684	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2684 wrote to memory of 2832	2684	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2684 wrote to memory of 2832	2684	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 2832 wrote to memory of 2852	2832	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	atcqvbojllgj.exe
PID 2832 wrote to memory of 2852	2832	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	atcqvbojllgj.exe
PID 2832 wrote to memory of 2852	2832	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	atcqvbojllgj.exe
PID 2832 wrote to memory of 2852	2832	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	atcqvbojllgj.exe
PID 2832 wrote to memory of 2744	2832	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2832 wrote to memory of 2744	2832	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2832 wrote to memory of 2744	2832	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2832 wrote to memory of 2744	2832	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 2852 wrote to memory of 1696	2852	atcqvbojllgj.exe	atcqvbojllgj.exe
PID 2852 wrote to memory of 1696	2852	atcqvbojllgj.exe	atcqvbojllgj.exe
PID 2852 wrote to memory of 1696	2852	atcqvbojllgj.exe	atcqvbojllgj.exe
PID 2852 wrote to memory of 1696	2852	atcqvbojllgj.exe	atcqvbojllgj.exe
PID 2852 wrote to memory of 1696	2852	atcqvbojllgj.exe	atcqvbojllgj.exe
PID 2852 wrote to memory of 1696	2852	atcqvbojllgj.exe	atcqvbojllgj.exe
PID 2852 wrote to memory of 1696	2852	atcqvbojllgj.exe	atcqvbojllgj.exe
PID 2852 wrote to memory of 1696	2852	atcqvbojllgj.exe	atcqvbojllgj.exe
PID 2852 wrote to memory of 1696	2852	atcqvbojllgj.exe	atcqvbojllgj.exe
PID 2852 wrote to memory of 1696	2852	atcqvbojllgj.exe	atcqvbojllgj.exe
PID 1696 wrote to memory of 2916	1696	atcqvbojllgj.exe	WMIC.exe
PID 1696 wrote to memory of 2916	1696	atcqvbojllgj.exe	WMIC.exe
PID 1696 wrote to memory of 2916	1696	atcqvbojllgj.exe	WMIC.exe
PID 1696 wrote to memory of 2916	1696	atcqvbojllgj.exe	WMIC.exe
PID 1696 wrote to memory of 1388	1696	atcqvbojllgj.exe	NOTEPAD.EXE
PID 1696 wrote to memory of 1388	1696	atcqvbojllgj.exe	NOTEPAD.EXE
PID 1696 wrote to memory of 1388	1696	atcqvbojllgj.exe	NOTEPAD.EXE
PID 1696 wrote to memory of 1388	1696	atcqvbojllgj.exe	NOTEPAD.EXE
PID 1696 wrote to memory of 1196	1696	atcqvbojllgj.exe	iexplore.exe
PID 1696 wrote to memory of 1196	1696	atcqvbojllgj.exe	iexplore.exe
PID 1696 wrote to memory of 1196	1696	atcqvbojllgj.exe	iexplore.exe
PID 1696 wrote to memory of 1196	1696	atcqvbojllgj.exe	iexplore.exe
PID 1196 wrote to memory of 604	1196	iexplore.exe	IEXPLORE.EXE
PID 1196 wrote to memory of 604	1196	iexplore.exe	IEXPLORE.EXE
PID 1196 wrote to memory of 604	1196	iexplore.exe	IEXPLORE.EXE
PID 1196 wrote to memory of 604	1196	iexplore.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 324	1696	atcqvbojllgj.exe	WMIC.exe
PID 1696 wrote to memory of 324	1696	atcqvbojllgj.exe	WMIC.exe
PID 1696 wrote to memory of 324	1696	atcqvbojllgj.exe	WMIC.exe
PID 1696 wrote to memory of 324	1696	atcqvbojllgj.exe	WMIC.exe
PID 1696 wrote to memory of 1684	1696	atcqvbojllgj.exe	cmd.exe
PID 1696 wrote to memory of 1684	1696	atcqvbojllgj.exe	cmd.exe
PID 1696 wrote to memory of 1684	1696	atcqvbojllgj.exe	cmd.exe
PID 1696 wrote to memory of 1684	1696	atcqvbojllgj.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

atcqvbojllgj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	atcqvbojllgj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	atcqvbojllgj.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\atcqvbojllgj.exe
C:\Windows\atcqvbojllgj.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\atcqvbojllgj.exe
C:\Windows\atcqvbojllgj.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1696

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:1388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1196 CREDAT:275457 /prefetch:2
6⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:604

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ATCQVB~1.EXE
5⤵
- System Location Discovery: System Language Discovery
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6BCC06~1.EXE
3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+eeopr.html

Filesize
11KB

MD5
b2dcdbf6cce888dbfd0ed9f8d5764eee

SHA1
d8d848a123b20504ec4463f90199b3c74fe4318f

SHA256
e14428b56441398f1b5fd6f1c5a15eedfe2b0caa2f90d0dbddef10b0e081508f

SHA512
802ef1b46bbb6367c2518a102732d9dc7c7fc7e601abf74201eec2b69ba68f079d89d46858528e5cd9077f2ff204fdef95931de415bf5b4a91e52453eeb77976

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+eeopr.png

Filesize
62KB

MD5
cf371c69494c9e59ccf639cd6b50431e

SHA1
7dae66f0f3a7c9de218568be25c2f0379a749b0a

SHA256
008f02843b378f204fd25d291e7dfdcab61b5a19e1bc1566226ad014c36917d5

SHA512
92845869a3bbb36fe7f1b04e1783c91e9faf39681cd642013fd108517700dace46fd0e3c0c1549069634042e71e9ce4c0e919d9feb182b7ca5321558ed903039

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+eeopr.txt

Filesize
1KB

MD5
e51bf008bcf071b978813f2d2c21c8f5

SHA1
d9033eb2956f7a0d949857c1414fdce174bbd9b1

SHA256
3c57a9e94fb6674f8c7b77677a150cd6e0a7c8fc79b558764cc8beecd941f7e5

SHA512
80f07af0783d020afbf252ae1254739c0c3ebafc2b058192dbfe688c0c801a78aff88a8d60b06f44ab1700421e657e14e6dd9dbb07824149e308f27286ae8d28

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
44e098d1ef618160249eb31739ae3015

SHA1
916a0daebaa087b914d1af5a7968b209c82979e0

SHA256
2e1299823f0f00074a09d784ad1dbfc204c9e003003e61468eb993c67a2e1100

SHA512
ea20561db2ae2cd4570e3b1325f51c3015f022771364b1ce0771b0f312d30a697565c88b9db0e5421ebf78bbb2f8f024be2f95e66096c46eff94faebcf91b1b5

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
4e9705c41e7994bced38c9d146200599

SHA1
14111e1446a9a95932ff5640794fa09d70fa6f4d

SHA256
75c12d295fb055acb6b707aedc143ef154cd4a4d04af7ecf8f897daebee8fdf5

SHA512
18661e532de80b3e440c804d6d18c55827cdeefae6be489ff42fdf67ad45e7e901771b809f22efcead8f0a74fe6a85220403ac7cf96896b6d06bb29531bed5fd

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
59b061bc78ad6a9618d747a8980fee24

SHA1
8ca79707fb28a8689b366a775ccf39de22958c1a

SHA256
bb1b89ce083f7593ffd6871e10dd0bf9aaa55445069ecc5b310f371e0b2cf5dc

SHA512
b5ecf8be8be9d5ad6386ed56ae9321c7c4a702ca7801cc928bf32e4388028249ec49737910ce7c618b6f85b5d45cd06601b94736bb82b5ef717b6bbc05797b8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cde9fde662a938c15b1c8bc411bb00d

SHA1
aad9d03ec5bf13588c5d08ebff1859037065c4ee

SHA256
99d6804bfef2944004b10a552e94fc0f6f4d9d5d6f77c7ed4c7f765d1df24ae0

SHA512
418b1e7c49c1af0287bf75fe21aa29c8dedc123e2869cc0da15e07b74bfc346a1fa2cbbd4d65293995d816bd881e6b149015988ef420405dcb1a05986c7a8cc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bea4296126231003d08b8c6ec3c558ec

SHA1
2b58568c260abd5ee7d1bcdd74a98e3e658930c6

SHA256
2d34626e5dfec9d38cbc5746ffe15982996ee017de888d8357292af667570aef

SHA512
1157b37de729d95886a15f3a94a242d1a0193c4cb87ca78b5108a26d2c85e0a51a7ad1e5708536e50ed96bb95d9b12d952f995ec3388b7fae3822dbc69db5bcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69bfd7ee9002654e732095cf776b1723

SHA1
decf20b6d8a61571036f26c659aa215d6fc25f33

SHA256
569aea38193b03a0544e3bc6ed1554298bc6c223c6d43fbda2eab3dcd2546185

SHA512
d5ced1ff9b1ba2030dd43e92d0f30cb459384bfd322c97482fafdafbb6a8b2d528b5b2c5023fc87d465376e3f2d99a4fe14196d78d977e84ba24a76ac2201bf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f99117235dffab3dbcc96e938c3125c2

SHA1
86c0c90be7216743356223c0c27012176b16545e

SHA256
217970f36aa530f8e6f1d07cb5610cddb05d0497ff964520bb3ecde7f619dc5b

SHA512
00d1979c9587570543a00885d3d26017476cbccf8dcc1ea3acdfff83669ab461bdfb043435b7d870e433b5e64bf226964dabe57d035312279a846df337f01d4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
040d21bc06b86a79c4b51fc77f34d4f8

SHA1
afda664201f7c93d5faa8d36b254005342cb0bf9

SHA256
7b913613f9d7fcb9320b63052a1b1c24e584805c24bc1e5a5407067faafe7f2d

SHA512
762fea8753d31d2486407b579076ee88e633de6eedcedf69dd25b37cf01fa046ad4bd9d213c65d3db9fe0214faff8b1a02125ffe242fc6fd7c2f8b719fcf444a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e2c2073da617f26beaad651cef051df

SHA1
8bd10f6c9f5693f99693a80df1a07651c61a9a04

SHA256
885cc87fdde50afe2d973390d76abf2a8cf8e3a85e5419cfb6ffa0cfdfb41869

SHA512
dfbc8b3410e881bb6bc06988b56749de3aa9c53ce52c02c37f55bc3d0d9918985d0a374985064a637338930b1b4119fe98e9c63aefd005babd96a29ff1c60cb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ef9f3a66f74a8e4d3d14694b80ff835

SHA1
4afda63488d5fc903605d6396e80de92ddd2d512

SHA256
92c6fbdee9454daf2a4418291c07441e74c84dc7e20ddd327b0a8862ec56205f

SHA512
829e2d0bd373184725f3a9b84094b6bfeb1305abbb177d50838f7afbb630324fc985961bfa83154f3efdcc22ded17971b11f18dc70b1f60ce7b9f9bf054b29d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
540a064be837e475584a8f9d325f548c

SHA1
c5eae3100646e6def4f18e69c4b2c4a8e63acf6f

SHA256
8fef9ba04c25ff004a62f9dddc43484b93055ae619cde7d5d27107a05e6bbeba

SHA512
f204c08512a132e8cf59ae112f9e9744136ded323f067ced899752fbf60584239e8cccf179ca6620965ffb02b007eef70371c615accea93c7474e148a26ca6c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1c6c201cca9b239033b3a3494d5be3b

SHA1
4321aaa75af613372f067559e4f8f2eb0511f3c2

SHA256
cc85b141e8fab7eee33c842473ec141ce5b2dad3abd189ba66e0e487a69f3f5d

SHA512
2915e0296d0cf96877ab920b49c865de79e6426f2dba6c8a0e0f03f0ca0fb4ff931b6c78a16ce8d66132a99948399bab3d92ad10b4e96214129e8a338066f43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB78.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBD9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\atcqvbojllgj.exe

Filesize
340KB

MD5
6bcc066e2a81f34c7e052895001f44c6

SHA1
6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8

SHA256
39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc

SHA512
b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c

Download Submit
memory/1696-6116-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-6108-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-777-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-45-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-1261-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-1260-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-6113-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-3814-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-6098-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-6099-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-6109-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-6105-0x0000000002BB0000-0x0000000002BB2000-memory.dmp

Filesize
8KB

Download
memory/1696-52-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2548-6106-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2684-16-0x00000000003B0000-0x00000000003B3000-memory.dmp

Filesize
12KB

Download
memory/2684-0-0x00000000003B0000-0x00000000003B3000-memory.dmp

Filesize
12KB

Download
memory/2832-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2832-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2832-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2832-27-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2832-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2832-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2832-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2832-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2832-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2852-28-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download