Analysis
max time kernel: 124s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-11-2024 19:17
Static task: static1
Behavioral task: behavioral1
  Sample: 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
Size: 384KB
MD5: 8736b31e13bcd6e154dd6ad39b839f8c
SHA1: 9135b9746cb37636cd26cbcc73ffd0451a34b426
SHA256: 5207a70e0e818741279d7c25c0d9cb6be136a4fc8ca8fe6f48112c4d0572d64f
SHA512: 1f8a4ca3b1d33e6208e45c8f42fa1650dd1b97162b499053cc45c034dc87f4d03448a4289d9efbc64bd0e135b7cb597036311dd0f5c763dd6ced6f36ac6a01bf
SSDEEP: 6144:SeVGON09XRWtlggcMOEqmgWqvANwxcLSgL8J4bAvtqjPtW6wU25vB8ynNd98UW:gON09XotWgOfmgLA8cNYQAojtwU2xnv9
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+bwpgu.txt
Family: teslacrypt
URLs:
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/EAA1E4C4A8422025
- http://tes543berda73i48fsdfsd.keratadze.at/EAA1E4C4A8422025
- http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EAA1E4C4A8422025
- http://xlowfznrg4wf7dli.ONION/EAA1E4C4A8422025
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Teslacrypt family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (422) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Deletes itself (1 IoC)
  Processes (pid | process):
  3004 | cmd.exe
- Drops startup file (6 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bwpgu.html | qubxgctqgjny.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bwpgu.png | qubxgctqgjny.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bwpgu.txt | qubxgctqgjny.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bwpgu.html | qubxgctqgjny.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bwpgu.png | qubxgctqgjny.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bwpgu.txt | qubxgctqgjny.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  3008 | qubxgctqgjny.exe
  2096 | qubxgctqgjny.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\qbqsfahnmfxr = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\qubxgctqgjny.exe\"" | qubxgctqgjny.exe
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
  PID 2360 set thread context of 2664 | 2360 | 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe | 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
  PID 3008 set thread context of 2096 | 3008 | qubxgctqgjny.exe | qubxgctqgjny.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: every entry is "File opened for modification" by qubxgctqgjny.exe; the ioc paths are:
  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\Recovery+bwpgu.png
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\Recovery+bwpgu.png
  C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg
  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\month.png
  C:\Program Files\Microsoft Office\Office14\Recovery+bwpgu.html
  C:\Program Files\Reference Assemblies\Microsoft\Framework\Recovery+bwpgu.html
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\library.js
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\Recovery+bwpgu.html
  C:\Program Files\VideoLAN\VLC\locale\en_GB\Recovery+bwpgu.html
  C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\Recovery+bwpgu.png
  C:\Program Files\7-Zip\Lang\nl.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png
  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\Recovery+bwpgu.png
  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\Recovery+bwpgu.png
  C:\Program Files\Common Files\System\Ole DB\de-DE\Recovery+bwpgu.txt
  C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png
  C:\Program Files\VideoLAN\VLC\locale\cs\Recovery+bwpgu.txt
  C:\Program Files\VideoLAN\VLC\locale\es_MX\Recovery+bwpgu.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Recovery+bwpgu.html
  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png
  C:\Program Files\Windows Media Player\Skins\Recovery+bwpgu.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak
  C:\Program Files\Java\jre7\lib\zi\Australia\Recovery+bwpgu.png
  C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\Recovery+bwpgu.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png
  C:\Program Files\Java\jre7\bin\plugin2\Recovery+bwpgu.html
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\settings.js
  C:\Program Files\VideoLAN\VLC\locale\te\Recovery+bwpgu.txt
  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\Recovery+bwpgu.html
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak
  C:\Program Files\Java\jre7\lib\Recovery+bwpgu.png
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Recovery+bwpgu.png
  C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\Recovery+bwpgu.html
  C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\Recovery+bwpgu.png
  C:\Program Files\VideoLAN\VLC\lua\http\dialogs\Recovery+bwpgu.png
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\Recovery+bwpgu.png
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png
  C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\Recovery+bwpgu.txt
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\Recovery+bwpgu.html
  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\Recovery+bwpgu.html
  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png
  C:\Program Files\Common Files\System\ado\it-IT\Recovery+bwpgu.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\Recovery+bwpgu.txt
  C:\Program Files\Java\jre7\lib\zi\SystemV\Recovery+bwpgu.png
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png
  C:\Program Files\Java\jre7\bin\server\Recovery+bwpgu.txt
  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\Recovery+bwpgu.txt
  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\Recovery+bwpgu.png
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\Recovery+bwpgu.txt
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\Recovery+bwpgu.html
  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\Recovery+bwpgu.txt
  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js
  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\Recovery+bwpgu.png
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak
  C:\Program Files\Java\jdk1.7.0_80\db\bin\Recovery+bwpgu.html
  C:\Program Files\Java\jre7\lib\zi\Europe\Recovery+bwpgu.html
  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\Recovery+bwpgu.html
  C:\Program Files\Windows Sidebar\it-IT\Recovery+bwpgu.html
  C:\Program Files\VideoLAN\VLC\lua\Recovery+bwpgu.html
  C:\Program Files\VideoLAN\VLC\plugins\video_filter\Recovery+bwpgu.png
  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png
  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\settings.css
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\qubxgctqgjny.exe | 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
  File opened for modification | C:\Windows\qubxgctqgjny.exe | 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: every entry is "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; the processes are:
  8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
  DllHost.exe
  IEXPLORE.EXE
  8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
  qubxgctqgjny.exe
  cmd.exe
  qubxgctqgjny.exe
  NOTEPAD.EXE
  cmd.exe
- Modifies Internet Explorer settings
  Processes (description | ioc | process); every key below is relative to \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer:
  Key created | GPU | iexplore.exe
  Key created | IETld\LowMic | iexplore.exe
  Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | Zoom | iexplore.exe
  Key created | Main\WindowsSearch | iexplore.exe
  Key created | Main | IEXPLORE.EXE
  Set value (data) | TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
  Key created | IntelliForms | iexplore.exe
  Key created | LowRegistry | iexplore.exe
  Set value (str) | Main\FullScreen = "no" | iexplore.exe
  Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | BrowserEmulation\LowMic | iexplore.exe
  Key created | PageSetup | iexplore.exe
  Key created | TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | InternetRegistry | iexplore.exe
  Key created | LowRegistry\DOMStorage | iexplore.exe
  Key created | Toolbar | iexplore.exe
  Key created | Recovery\AdminActive | iexplore.exe
  Key created | TabbedBrowsing | iexplore.exe
  Key created | Main | iexplore.exe
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (int) | SearchScopes\DownloadRetries = "2" | iexplore.exe
  Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Key created | Toolbar\WebBrowser | iexplore.exe
  Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000067be5370c6e6b3a8ff312ffea8537c65425fda0999df9f2a40cad5490e3fbd41000000000e8000000002000020000000332a0c32a10d0075e640ce96c83829301f6ce916a623f909e9cada756acac0642000000070550acc965c95fa9d33288406b58f1653d6caf7c96fa78bfc69474e6058957440000000e21dd7dd0430a5f3b5e366b360cd7548f9f58b98691a48f41cfdc14958d67cb7aa446195a3619d33d00287cd06f616ff40d5cd8a43344f639b2a481ed8fcd424 | iexplore.exe
  Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (int) | Recovery\AdminActive\{4ED5EC91-9951-11EF-8B78-465533733A50} = "0" | iexplore.exe
  Key created | Recovery\PendingRecovery | iexplore.exe
  Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Key created | Main\WindowsSearch | IEXPLORE.EXE
  Key created | SearchScopes | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = f0255e235e2ddb01 | iexplore.exe
- Modifies system certificate store
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | qubxgctqgjny.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | qubxgctqgjny.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (pid | process):
  2800 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  2096 | qubxgctqgjny.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2664 | 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2096 | qubxgctqgjny.exe
  PID 2804 WMIC.exe, each of the following tokens recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  Token: SeBackupPrivilege | 1316 | vssvc.exe
  Token: SeRestorePrivilege | 1316 | vssvc.exe
  Token: SeAuditPrivilege | 1316 | vssvc.exe
  PID 316 WMIC.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid | process):
  1296 | iexplore.exe
  1672 | DllHost.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid | process):
  1296 | iexplore.exe (2 entries)
  1912 | IEXPLORE.EXE (2 entries)
  1672 | DllHost.exe (2 entries)
- Suspicious use of WriteProcessMemory (54 IoCs)
  Processes (description | pid | process | target process), identical events collapsed with their count:
  PID 2360 wrote to memory of 2664 | 2360 | 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe | 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe (11 events)
  PID 2664 wrote to memory of 3008 | 2664 | 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe | qubxgctqgjny.exe (4 events)
  PID 2664 wrote to memory of 3004 | 2664 | 8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe | cmd.exe (4 events)
  PID 3008 wrote to memory of 2096 | 3008 | qubxgctqgjny.exe | qubxgctqgjny.exe (11 events)
  PID 2096 wrote to memory of 2804 | 2096 | qubxgctqgjny.exe | WMIC.exe (4 events)
  PID 2096 wrote to memory of 2800 | 2096 | qubxgctqgjny.exe | NOTEPAD.EXE (4 events)
  PID 2096 wrote to memory of 1296 | 2096 | qubxgctqgjny.exe | iexplore.exe (4 events)
  PID 1296 wrote to memory of 1912 | 1296 | iexplore.exe | IEXPLORE.EXE (4 events)
  PID 2096 wrote to memory of 316 | 2096 | qubxgctqgjny.exe | WMIC.exe (4 events)
  PID 2096 wrote to memory of 224 | 2096 | qubxgctqgjny.exe | cmd.exe (4 events)
- System policy modification (1 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | qubxgctqgjny.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qubxgctqgjny.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows the parent/child tree; each entry gives the image path, PID, command line and the signatures raised by that process)

C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe (PID 2360)
  command line: "C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe (PID 2664)
    command line: "C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\qubxgctqgjny.exe (PID 3008)
      command line: C:\Windows\qubxgctqgjny.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\qubxgctqgjny.exe (PID 2096)
        command line: C:\Windows\qubxgctqgjny.exe
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\System32\wbem\WMIC.exe (PID 2804)
          command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\NOTEPAD.EXE (PID 2800)
          command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)

        C:\Program Files\Internet Explorer\iexplore.exe (PID 1296)
          command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1912)
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:275457 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

        C:\Windows\System32\wbem\WMIC.exe (PID 316)
          command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe (PID 224)
          command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QUBXGC~1.EXE
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 3004)
      command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\8736B3~1.EXE
      - Deletes itself
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (PID 1316)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe (PID 1672)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads