t1happy | 5015af8fb5725c4c9ebac28a890128587b888acddab6cc9ff06e94e782713882

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

T1.exe
Size

31KB
MD5

29cdb46d2e01f2efb9644c7695a007bb
SHA1

c276166bddcbcc093cf0b7164c4233745eda6cf5
SHA256

3ed94c1b319454f6122a05ef124e5bc8eefc60a3d81987fb712c7af78726e6b3
SHA512

fcce8e8a5c0689cf79dc4ca46ff0bbad6f4c5b8c74dbbb186e1e9df3988fa75526c00dfb6b8181ede6f0e5f1496b96caf23cc59de8c774a70812b1b0b5a590a8
SSDEEP

768:sg1mvOSFUyD+W4e4++sqzYbxw7S0/oc1xO2ISMggtCLYc3qFgxd:sgcvOSFfEe4+tbxw7iCkwe/Fgx

Score

10^/10

t1happy credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Signatures

T1Happy
T1Happy ransomware is a cryptovirus that behaves different than its counterparts.
trojan ransomware t1happy
T1happy family
t1happy
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (5439) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

T1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" T1.exe
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Drops startup file 1 IoCs

Processes:

T1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini T1.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

2652 takeown.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	T1.exe

pid	process
2652	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

T1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe"	T1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe"	T1.exe

Drops desktop.ini file(s) 16 IoCs

Processes:

T1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	T1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	T1.exe
File created	C:\Program Files (x86)\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	T1.exe
File created	C:\Users\Admin\Desktop\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	T1.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
4 api.ipify.org

flow	ioc
5	api.ipify.org
4	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

T1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\screen.jpg"	T1.exe

Drops file in Program Files directory 64 IoCs

Processes:

T1.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00184_.WMF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0213449.WMF	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21324_.GIF	T1.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00513_.WMF	T1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_underline.gif	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF	T1.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\F12Tools.dll.mui	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106816.WMF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107148.WMF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107728.WMF	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif	T1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\hxdsui.dll	T1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL	T1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FSTOCK.DLL	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOAT.WMF	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00435_.WMF	T1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME49.CSS	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR18F.GIF	T1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Faculty.accdt	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR42F.GIF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieMergeLetter.dotx	T1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\MSB1FREN.ITS	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105490.WMF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0250997.WMF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OWSSUPP.DLL	T1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107488.WMF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ADD.GIF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML	T1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\hxdsui.dll	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02426_.WMF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Composite.eftx	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0235241.WMF	T1.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui	T1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00222_.WMF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02465_.WMF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck.css	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG	T1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png	T1.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00388_.WMF	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert.css	T1.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll	T1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css	T1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png	T1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

T1.execmd.exeWMIC.exetakeown.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

T1.exe

pid	process
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe
2020	T1.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

T1.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2020	T1.exe
Token: SeIncreaseQuotaPrivilege	2736	WMIC.exe
Token: SeSecurityPrivilege	2736	WMIC.exe
Token: SeTakeOwnershipPrivilege	2736	WMIC.exe
Token: SeLoadDriverPrivilege	2736	WMIC.exe
Token: SeSystemProfilePrivilege	2736	WMIC.exe
Token: SeSystemtimePrivilege	2736	WMIC.exe
Token: SeProfSingleProcessPrivilege	2736	WMIC.exe
Token: SeIncBasePriorityPrivilege	2736	WMIC.exe
Token: SeCreatePagefilePrivilege	2736	WMIC.exe
Token: SeBackupPrivilege	2736	WMIC.exe
Token: SeRestorePrivilege	2736	WMIC.exe
Token: SeShutdownPrivilege	2736	WMIC.exe
Token: SeDebugPrivilege	2736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2736	WMIC.exe
Token: SeRemoteShutdownPrivilege	2736	WMIC.exe
Token: SeUndockPrivilege	2736	WMIC.exe
Token: SeManageVolumePrivilege	2736	WMIC.exe
Token: 33	2736	WMIC.exe
Token: 34	2736	WMIC.exe
Token: 35	2736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2736	WMIC.exe
Token: SeSecurityPrivilege	2736	WMIC.exe
Token: SeTakeOwnershipPrivilege	2736	WMIC.exe
Token: SeLoadDriverPrivilege	2736	WMIC.exe
Token: SeSystemProfilePrivilege	2736	WMIC.exe
Token: SeSystemtimePrivilege	2736	WMIC.exe
Token: SeProfSingleProcessPrivilege	2736	WMIC.exe
Token: SeIncBasePriorityPrivilege	2736	WMIC.exe
Token: SeCreatePagefilePrivilege	2736	WMIC.exe
Token: SeBackupPrivilege	2736	WMIC.exe
Token: SeRestorePrivilege	2736	WMIC.exe
Token: SeShutdownPrivilege	2736	WMIC.exe
Token: SeDebugPrivilege	2736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2736	WMIC.exe
Token: SeRemoteShutdownPrivilege	2736	WMIC.exe
Token: SeUndockPrivilege	2736	WMIC.exe
Token: SeManageVolumePrivilege	2736	WMIC.exe
Token: 33	2736	WMIC.exe
Token: 34	2736	WMIC.exe
Token: 35	2736	WMIC.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

T1.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 2736	2020	T1.exe	WMIC.exe
PID 2020 wrote to memory of 2736	2020	T1.exe	WMIC.exe
PID 2020 wrote to memory of 2736	2020	T1.exe	WMIC.exe
PID 2020 wrote to memory of 2736	2020	T1.exe	WMIC.exe
PID 2020 wrote to memory of 2748	2020	T1.exe	cmd.exe
PID 2020 wrote to memory of 2748	2020	T1.exe	cmd.exe
PID 2020 wrote to memory of 2748	2020	T1.exe	cmd.exe
PID 2020 wrote to memory of 2748	2020	T1.exe	cmd.exe
PID 2748 wrote to memory of 2652	2748	cmd.exe	takeown.exe
PID 2748 wrote to memory of 2652	2748	cmd.exe	takeown.exe
PID 2748 wrote to memory of 2652	2748	cmd.exe	takeown.exe
PID 2748 wrote to memory of 2652	2748	cmd.exe	takeown.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

T1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	T1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	T1.exe

C:\Users\Admin\AppData\Local\Temp\T1.exe
"C:\Users\Admin\AppData\Local\Temp\T1.exe"
1⤵
- Disables RegEdit via registry modification
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2020
- C:\Windows\SysWOW64\wbem\WMIC.exe
  "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\"."
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\PREVIEW.GIF.happy

Filesize
1KB

MD5
da9345bb22a10e1042e7319bc0a4b298

SHA1
d3763ca511af901f58488b2289d9b6f978ec5152

SHA256
c95a93f8d797916945b3535373d66229fce76401d51217a4e8a2cf1f6a191106

SHA512
ca9c3e785f6aeb9621d36f22953bfb2f4e5a65aba0dd217ff02fd77d39075b32cdd4139e853edc208e13248e0d9d0eb473465963689bff3b2731e55cc36424c5

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\WATERMAR.INF.happy

Filesize
704B

MD5
ece56d492dd0c0e83dcc5193ded4170b

SHA1
1f7b24e1f5cb33319476cf824ba9e455c71d69be

SHA256
5ac5736b387dda4a4a029942e04f60312a4c686c1754e39d4904215e47ec8122

SHA512
4cd7389f2d48991a988f07ec7e3bd7586d5bbb88ac3fe71e7b5d51028280ce73a8348e7c003d31bc2631aad9ed7eec51657bd2c94a621946e154386e533ca1f6

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00092_.GIF.happy

Filesize
528B

MD5
4603995f24ea38362b4a4d2da3a7baed

SHA1
618d1665403b72cb22e6d8c85b536e39ad5934b0

SHA256
c5fc926b89818a9b26933fb383222c3654bb2b6921dcc4402ddf517f4b3f77d3

SHA512
7dcf68cb62e653917e1a7c5453c703515bc184cabd419609b5adff032586232084fea99a2c7b71145427f747d70f36c8e9522542cdd5eab810a64549b8737cac

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01151_.WMF.happy

Filesize
2KB

MD5
43b0a1ad14310e9c7ade9ebc2eebc024

SHA1
5fdaa57a25c372da3e1d7021f889da25238a24f3

SHA256
2d1691113be20624549917c59b7771e77ebd45e7bfa65d49cd636d9b858abe72

SHA512
9393a118448d6b5efc8b73503bb91b029a2ba2fa6902411b1945eb35184085805c78bc9c71d4cf51f9ccbf2bc57a5dd3ce158d2bd8281c4c35293abf54ae84d6

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105280.WMF.happy

Filesize
11KB

MD5
49db1543cd8cbee58b9ee4aaf103ae5c

SHA1
55daf1ef8d2f39537cc26c3bb69d5ebb9459c6c1

SHA256
9bb654ca8c0e4235a326862eaee83dc6efa5871605602f36835cab0f61e6047a

SHA512
839cd41cbe9538068b2d4cbae945c21a5c7494bd46e9adf8d293ea6805a909320a0d8db5dcfba85e175a9c9b7168e72d42004ecb149252ef6cbe25005713d0f9

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02028_.WMF.happy

Filesize
9KB

MD5
66b756ad85f6afcfe3652caa1bf8ad19

SHA1
518e419b83fa43df8993daa4ce3f81d1290b7d9d

SHA256
d4c24e399f1c6a1fa11d7be1176dc1871a412b82fecdb7f5a5a2da10a59d0b2c

SHA512
7801a6fc31340f41eba886fb7ba38a9adfef0e660b40bf80407b5ae6863b18c8c41fbb49c7e203f9b3b0ee3fda6744110611a2bc0ff87a03b7ecc340a9211d62

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00560_.WMF.happy

Filesize
1KB

MD5
3af98ca5d166374866f34198dbdf3870

SHA1
ab8208bec8231be7fcefc73603103b7e399525f4

SHA256
6f05f3ec03577a5658d5c1cc712ab92f1d1250bbd4e46c60b77a84c66b14e0c3

SHA512
92b7a1d49a0255af74fdfb5a20770d80d86db6df4a01358fbbff22bbe3e04c63cbbb1415d772ceaf978c28a754679a8ffbe04ba985dd836787a9e7a5941a7e71

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0235241.WMF.happy

Filesize
6KB

MD5
e26bed72e69585b9cd41144399c06653

SHA1
a72f6deb1adf89ca9df15d9562d9a3f18b302f07

SHA256
5153b205c2d63c61b0e80cdca52c0785b4368d55c6cde11f97155ab9f738de1c

SHA512
39e0617535d20bcfed02b8178f6057d392258908cdd957672208554eb57abfaf06f81b7c7a25d63e3f3c9a2889a465e2bb4703ec14f95e05c88739f07c77d871

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10263_.GIF.happy

Filesize
688B

MD5
dccc465f0e825ce4539e55f852c4e374

SHA1
52446d42380c975236814a6944f8dcb1596c6eb3

SHA256
1300ddd5c8a4e5c7b566fc7bb4858759cf9269d597e4a6840a8b4a2a053cee24

SHA512
eebb20f5aa71ee5eef53f2f2fad0de7bd7c15635b040bbfeff6e3bd8780a70228a7b9ea66ff2b4d6095a465e26054f7950279802bfefb0557c716adb62307594

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21376_.GIF.happy

Filesize
208B

MD5
a33585cdc3284f2b90caed8e0e699dfa

SHA1
1c8d60e6b2efbad1a12e93b095f994c95f780ce2

SHA256
ff7fbbbc9b2cf8a2bfc58771be9ad9c0c5da0dd7e7d9d4c39cc8ebe9aaed20da

SHA512
9beb22f9c63c10ef5d0c38e7414f9385a8b0f374079b7d64952762bcf9823aea616db2feb29bd1ea9c7f6274a8c6d0a7eea68070b8217bd2a1018b3d8707648c

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21518_.GIF.happy

Filesize
272B

MD5
85bcd310d31a036e3ef90909d3d4f864

SHA1
162043719b631ee6c02ddbf428842735a58b3ad5

SHA256
ad952fdf162db50c3569866144ab7ec95b2cbcc890169ab390ef8bca76d46146

SHA512
b84f1f25d0ddc9d28a024b4b71a0331a98d8ff2202dd23202dc6569e1194a7601e7ddc0755609840d2c97f2891b1afdab8e25b932abc3d98b3ec922e38aa82eb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\EntityPickerIntl.dll.happy

Filesize
23KB

MD5
a48a197aad358029e54404d0d56d6267

SHA1
60348d2b3f7870f124940eb56a8764b44fbbcc0c

SHA256
0b2bf579d959946bda95da5a1f1f1020f033bf59659e2b71e305812b07c4b09d

SHA512
bea35548a83dc6e016d43a49d18043f0a39de837c6e3cf8c4b618381e91279c344fec4abc5764d4ade291ad6b835d3d960f5fb99328cfab17308c0aa5a296d0f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_F_COL.HXK.happy

Filesize
128B

MD5
126de03195c64373d09b26b196960c8c

SHA1
20d5809e84612236b14deb4c60181e3eadd4f8e8

SHA256
5986b177f272c328edd7912833a291300e5660f6eb27993192722e993052b8c6

SHA512
5393c0b0af9d07effb0dc7733dcbd42aeaf25355dcd87cf3714b902949ffbca861ca36c9f24067f2d71092b8a9d1189451ae08ded6f64dedb373fd62c8fe9cd2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31B.GIF.happy

Filesize
2KB

MD5
65fe4827d0a74aafdaa53e3a0e2df924

SHA1
6d9c209a1ebba1e8199b3e47767bb375e8e04d8e

SHA256
cc02705da62ce246b5731c4db4c07f2c20cb6b9c40646f848966805cb9cd2524

SHA512
a8ff4d5df304f98cdc9ceb3ef861fdb36e36fd52f8b4826983195bf69ffaeaa45839d07f7c1e82d3eac1928e8974eeb54ab56681147456004f66adb6017097b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML

Filesize
208B

MD5
18ccf0d4c6c55d531de8a7debdb5535f

SHA1
e51748a021c00784dffdb3031edef1a29201c740

SHA256
2ed7f6d601fb86de8ac2e14f93dc9bf5c476f25f7939d9f77a85475bbbc9eceb

SHA512
20c11f2c6adc5d8c75386b4ce3f201e9631b447b139707f92e2fbbc636ebfc5461ae81eefb3ab80f9c01c7cb02cb4ec3f1f2c252ff2f2c883f4503b97f2a75c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg.happy

Filesize
800B

MD5
3b3040bc922540dd844ac61e33fbc3e9

SHA1
f8fe35c63ebb8517a44f53d317f436132bdf347a

SHA256
b86b6827888f98e179104a559470c6b7a2115c2a5de8289a9773114f56ac4c6f

SHA512
7996ef1aa3a1fa2b7613b1f0021e30e73c5b84b4d3ccbec5d30f47d1f30cc66438ec459e9da2e20194da34af13ca5c2f0790eafb0d7a78b43f2dc73d1943951c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif.happy

Filesize
368B

MD5
e6cd8e4ba5dc64519d27e7bb350b717a

SHA1
1ec062e9310b10b98dead78bd21a1a0701603cd5

SHA256
c2bc9e14314558539aebbf7bb9b129b80bc93f0d96fcb3b045aefe4c333aab6d

SHA512
2728634f69c55da4abe1b9690993bf2d27a86bf0fa84bb4f2aa21a4ced673e2908dd386237a6b015422484a07655f31d501cb17265fc55e587a2ad92ec48419c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif.happy

Filesize
21KB

MD5
770c0dd6c443cf8f21326d74acbb5444

SHA1
af6e5e52cddf0983ff722a72045325d403c38926

SHA256
350c0eee530c4e11a625b2cbb057e6c0ab11f2f6b3e4f48e362da82922d168fc

SHA512
77a91844efa9b87219586752734d868766cafdbe1eed090e8b82894af96e5830cf7d6965c519c4b2b58448bc415625594832fc8362ab6f9ef56cf6491dad8c71

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF.happy

Filesize
384B

MD5
b30dd83b7ee92ddcf7bf51c4c674899d

SHA1
94b20cbeeb49bce97aee0594a7135b9cbb0029c8

SHA256
5d5baf9efb4808b9dbace7498305cfee5d68cb8cb9b1c2cc2adf34836920d0fc

SHA512
4cb52e68a87ea4b683136691ac6be9a699537d8ecd41ef898570a0ce3b9fb552f59e22c897d1d3f5e4b87616ca9e58af9b2572bc6afcfe29280f6542afcafb81

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBRPH1.POC.happy

Filesize
944B

MD5
68944cddb9b17731cc983006dbe86242

SHA1
dbbafd6cdd1dd9b72983dc3ab35cf2370f6750a1

SHA256
de73caff92f04df02317677db57832760c9e8c34fae5dd2353ccd4aa1b192f5c

SHA512
d0632543cafdae1bdc4d591d34f092e5e3ae0429dc3b67c94adeb150cd80815eb52773028e8a9230d1322cd4f15448593a869ce601e1b924d69779c0edb73629

Download Submit
memory/2020-0-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2020-1-0x0000000000880000-0x000000000088E000-memory.dmp

Filesize
56KB

Download
memory/2020-2-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-14-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2020-80-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download