teslacrypt | a65bb62fc532acc4f3d35da9f418f1612cb47b8dc57b1b3c560824a39421a415

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe
Size

424KB
MD5

b75fd64ddeb3ae78c3ae1ed748af1263
SHA1

6e34dabf5f487d323029893cdf4d85497de60c57
SHA256

a65bb62fc532acc4f3d35da9f418f1612cb47b8dc57b1b3c560824a39421a415
SHA512

de4083c271a09f7b5fad4bd57c140b3bc67ff3b30974ac970add78cbe12cf38a4076c894029036c0bd11ee21d1a773714f63631e3715e409a8b44b42e9b2c72f
SSDEEP

6144:GsPAYJDo2magV+8GUEmGM41DwAHQmjdN1AUL0yogLpWPoXbftChXW3AxfulDGgB:5p808fEmLqDwAJjpA+E+blCJxfS6

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+ycgof.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/478B1F7088A8813 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/478B1F7088A8813 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/478B1F7088A8813 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/478B1F7088A8813 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/478B1F7088A8813 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/478B1F7088A8813 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/478B1F7088A8813 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/478B1F7088A8813

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/478B1F7088A8813

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/478B1F7088A8813

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/478B1F7088A8813

http://xlowfznrg4wf7dli.ONION/478B1F7088A8813

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (875) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fskwpbdjedrj.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ycgof.png	fskwpbdjedrj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ycgof.html	fskwpbdjedrj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ycgof.png	fskwpbdjedrj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ycgof.html	fskwpbdjedrj.exe

Executes dropped EXE 1 IoCs

pid	Process
2292	fskwpbdjedrj.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ydxywwcwdlvm = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\fskwpbdjedrj.exe\""	fskwpbdjedrj.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\_RECoVERY_+ycgof.html	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleSplashScreen.scale-100.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-32.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\_RECoVERY_+ycgof.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\_RECoVERY_+ycgof.html	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-125.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\_RECoVERY_+ycgof.html	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\BlankImage.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\_RECoVERY_+ycgof.html	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Logo.scale-125_contrast-black.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosWideTile.scale-100.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireMedTile.scale-200.jpg	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256_altform-unplated.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-black_scale-200.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\_RECoVERY_+ycgof.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-lightunplated.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\_RECoVERY_+ycgof.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_contrast-white.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-64_contrast-white.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_contrast-white.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\_RECoVERY_+ycgof.html	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+ycgof.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-200.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\_RECoVERY_+ycgof.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\_RECoVERY_+ycgof.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-125_contrast-white.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\_RECoVERY_+ycgof.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-250.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppUpdate.svg	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hr-HR\View3d\_RECoVERY_+ycgof.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-125.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-125.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\Shield.targetsize-44.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+ycgof.html	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-200_contrast-white.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-white_scale-200.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-125_contrast-black.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+ycgof.html	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-100.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\_RECoVERY_+ycgof.txt	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	fskwpbdjedrj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+ycgof.png	fskwpbdjedrj.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fskwpbdjedrj.exe	b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe
File created	C:\Windows\fskwpbdjedrj.exe	b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fskwpbdjedrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fskwpbdjedrj.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4628	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe
2292	fskwpbdjedrj.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe
Token: SeDebugPrivilege	2292	fskwpbdjedrj.exe
Token: SeIncreaseQuotaPrivilege	216	WMIC.exe
Token: SeSecurityPrivilege	216	WMIC.exe
Token: SeTakeOwnershipPrivilege	216	WMIC.exe
Token: SeLoadDriverPrivilege	216	WMIC.exe
Token: SeSystemProfilePrivilege	216	WMIC.exe
Token: SeSystemtimePrivilege	216	WMIC.exe
Token: SeProfSingleProcessPrivilege	216	WMIC.exe
Token: SeIncBasePriorityPrivilege	216	WMIC.exe
Token: SeCreatePagefilePrivilege	216	WMIC.exe
Token: SeBackupPrivilege	216	WMIC.exe
Token: SeRestorePrivilege	216	WMIC.exe
Token: SeShutdownPrivilege	216	WMIC.exe
Token: SeDebugPrivilege	216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	216	WMIC.exe
Token: SeRemoteShutdownPrivilege	216	WMIC.exe
Token: SeUndockPrivilege	216	WMIC.exe
Token: SeManageVolumePrivilege	216	WMIC.exe
Token: 33	216	WMIC.exe
Token: 34	216	WMIC.exe
Token: 35	216	WMIC.exe
Token: 36	216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	216	WMIC.exe
Token: SeSecurityPrivilege	216	WMIC.exe
Token: SeTakeOwnershipPrivilege	216	WMIC.exe
Token: SeLoadDriverPrivilege	216	WMIC.exe
Token: SeSystemProfilePrivilege	216	WMIC.exe
Token: SeSystemtimePrivilege	216	WMIC.exe
Token: SeProfSingleProcessPrivilege	216	WMIC.exe
Token: SeIncBasePriorityPrivilege	216	WMIC.exe
Token: SeCreatePagefilePrivilege	216	WMIC.exe
Token: SeBackupPrivilege	216	WMIC.exe
Token: SeRestorePrivilege	216	WMIC.exe
Token: SeShutdownPrivilege	216	WMIC.exe
Token: SeDebugPrivilege	216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	216	WMIC.exe
Token: SeRemoteShutdownPrivilege	216	WMIC.exe
Token: SeUndockPrivilege	216	WMIC.exe
Token: SeManageVolumePrivilege	216	WMIC.exe
Token: 33	216	WMIC.exe
Token: 34	216	WMIC.exe
Token: 35	216	WMIC.exe
Token: 36	216	WMIC.exe
Token: SeBackupPrivilege	2208	vssvc.exe
Token: SeRestorePrivilege	2208	vssvc.exe
Token: SeAuditPrivilege	2208	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4704	WMIC.exe
Token: SeSecurityPrivilege	4704	WMIC.exe
Token: SeTakeOwnershipPrivilege	4704	WMIC.exe
Token: SeLoadDriverPrivilege	4704	WMIC.exe
Token: SeSystemProfilePrivilege	4704	WMIC.exe
Token: SeSystemtimePrivilege	4704	WMIC.exe
Token: SeProfSingleProcessPrivilege	4704	WMIC.exe
Token: SeIncBasePriorityPrivilege	4704	WMIC.exe
Token: SeCreatePagefilePrivilege	4704	WMIC.exe
Token: SeBackupPrivilege	4704	WMIC.exe
Token: SeRestorePrivilege	4704	WMIC.exe
Token: SeShutdownPrivilege	4704	WMIC.exe
Token: SeDebugPrivilege	4704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4704	WMIC.exe
Token: SeRemoteShutdownPrivilege	4704	WMIC.exe
Token: SeUndockPrivilege	4704	WMIC.exe
Token: SeManageVolumePrivilege	4704	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2292	2904	b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe	84
PID 2904 wrote to memory of 2292	2904	b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe	84
PID 2904 wrote to memory of 2292	2904	b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe	84
PID 2904 wrote to memory of 4528	2904	b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe	85
PID 2904 wrote to memory of 4528	2904	b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe	85
PID 2904 wrote to memory of 4528	2904	b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe	85
PID 2292 wrote to memory of 216	2292	fskwpbdjedrj.exe	87
PID 2292 wrote to memory of 216	2292	fskwpbdjedrj.exe	87
PID 2292 wrote to memory of 4628	2292	fskwpbdjedrj.exe	101
PID 2292 wrote to memory of 4628	2292	fskwpbdjedrj.exe	101
PID 2292 wrote to memory of 4628	2292	fskwpbdjedrj.exe	101
PID 2292 wrote to memory of 3256	2292	fskwpbdjedrj.exe	102
PID 2292 wrote to memory of 3256	2292	fskwpbdjedrj.exe	102
PID 3256 wrote to memory of 4916	3256	msedge.exe	103
PID 3256 wrote to memory of 4916	3256	msedge.exe	103
PID 2292 wrote to memory of 4704	2292	fskwpbdjedrj.exe	104
PID 2292 wrote to memory of 4704	2292	fskwpbdjedrj.exe	104
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4380	3256	msedge.exe	106
PID 3256 wrote to memory of 4816	3256	msedge.exe	107
PID 3256 wrote to memory of 4816	3256	msedge.exe	107
PID 3256 wrote to memory of 4448	3256	msedge.exe	108
PID 3256 wrote to memory of 4448	3256	msedge.exe	108
PID 3256 wrote to memory of 4448	3256	msedge.exe	108
PID 3256 wrote to memory of 4448	3256	msedge.exe	108
PID 3256 wrote to memory of 4448	3256	msedge.exe	108

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fskwpbdjedrj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	fskwpbdjedrj.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b75fd64ddeb3ae78c3ae1ed748af1263_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\fskwpbdjedrj.exe
  C:\Windows\fskwpbdjedrj.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2292
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:4628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffe57ca46f8,0x7ffe57ca4708,0x7ffe57ca4718
      4⤵
      PID:4916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,17069873227608837982,15422814954223373719,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
      4⤵
      PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,17069873227608837982,15422814954223373719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
      4⤵
      PID:4816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,17069873227608837982,15422814954223373719,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
      4⤵
      PID:4448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17069873227608837982,15422814954223373719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
      4⤵
      PID:1552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17069873227608837982,15422814954223373719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
      4⤵
      PID:4536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,17069873227608837982,15422814954223373719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
      4⤵
      PID:4812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,17069873227608837982,15422814954223373719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
      4⤵
      PID:2008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17069873227608837982,15422814954223373719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
      4⤵
      PID:4064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17069873227608837982,15422814954223373719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
      4⤵
      PID:3880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17069873227608837982,15422814954223373719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
      4⤵
      PID:3512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17069873227608837982,15422814954223373719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
      4⤵
      PID:3468
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FSKWPB~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B75FD6~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+ycgof.html

Filesize
11KB

MD5
ad415ab1d2aa76452de7be176e9c7fb6

SHA1
99b75ad6835053072c53e2c600e5a78763c682ac

SHA256
64d38700ab4d9a17aa81f58abde7796d0038a865a64ea903ad33a32a16306d95

SHA512
6a5f5e54c5271cf4d25948a348555ec5fd93b7826519a3739604d85aed4035c6cae0fbf1e11010e037d0ac1fae8c86207cef6c1efbd572ce78862d184a2eb09a

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+ycgof.png

Filesize
64KB

MD5
2762992f34dffe6cd76b0727bec93191

SHA1
52d571d6bb436dfd68812aeec326b14b6f317d92

SHA256
535a7ae251c89a9c0727bd9e3d98e2313e0423179395ab5d02bffc32d2ac2dee

SHA512
d06b7e8d57ab7d9472b977fa14f94956ddc0fe983f4f672f3646e05c80af2a572186a730552d9346a23e5aa217e1736888eb6fe6f6dcaaa2484b16eddf9b0397

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+ycgof.txt

Filesize
1KB

MD5
bf7ce29b92fcccd1cd5a049e6d5c502d

SHA1
8b27ef6346a2d01797c418e4323424368291ea0c

SHA256
5c21d12638ca995de523ea9a08882a541c13d7a497b2e30fffeefb909388f02a

SHA512
839d0ceaaced29934b83037cd83cbc1b479904e6d138bdcaea9c25ee15e089427f8d364c7c97a723a41ee79615037f1ef1b6a18c38374b5e7791cbaf09a2f342

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
9ded2ed0dbf2ae5242d0c0d4691b3874

SHA1
c9f4b5cee60db38ccc034a385441a3182bff1c81

SHA256
971bda887fecdc7ea36ad65fe2338be4c5378b3c8bae94f90caa4e5303cf86d0

SHA512
500d0ae219ef7a7e858bb41132a8757fd44608af04a8505e2e8de7d88560096948a9e5b89eec22328864e499433dbed69c1219cb261987d7cb7ecde853532ca6

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
d568e4cd3934999e9c5d731138d6b2cb

SHA1
1780ccb6a931eb4dd371341c470c44f57fc12cdd

SHA256
cf4605450d6bf8212a80bc44b5dad72ea11b1611223dda9b6b336586f7cae6dd

SHA512
01750940ab30569801f0e2d4af0c37cc891893cca9954fcbb98260f2cf23027a5cd07cb1b391229ab544f92239ef228dcdac9429b0272c1a3a9d1f993995f1d4

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
7c481a1ce2d85c5c529ead038c9925a4

SHA1
4b8f957a17360f98f711665d9c15861a32fd9d74

SHA256
5899b9adc8f62d83b3ebeabf8116abd55a1d84f28be643312729d3484f241bdb

SHA512
282bdee1bcb8b829577cf116610d9a6c8b227e160c74fc95086c4261d2556d11a39494f06a90cebf807e2219697b2ca0ab934128644776ff1e4d98717d9ee4cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0aa1b0463e0761f95eff608c1b66b8c8

SHA1
c3792a908c8e63d7c6ad3fca28ed3df5b17092b6

SHA256
8c3f4f4052b1a8867e2885f1b79b1b93054be7cf6a4063056b567ef86d02ab1b

SHA512
fb5d53beb55fe9c717180d1c674a0ae0a016a093633bb0c6fdf14c85a19e36b6369c954b1017f52c30383a1b3178ff68ad62f3352e74389edabb1a701598caa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f65e6a5bdfabfeabb20ec2963e583e97

SHA1
7ce496670b5d6e9c34706c96e58712cfd889c093

SHA256
7241a90f256c2f1c16f2c1d539ebd38b401e4521dcfef131989a365ec4604bfd

SHA512
8d828356ccfdbdecd31ba087f5ea35c6adda1e7adc5950d800803ba1ff8a22636bdb3b33d4272c73142d13785b8cea6090864a67b793479ef1e3234c51775461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0cab908290e45ce250e4990e28adc76e

SHA1
15593c3b3a0c634152b30f73940df052891cf038

SHA256
2e25a48834bc5d158bb4f27c9c3f71a5cb891ac5eced75c0d2ab29a37c5164f7

SHA512
c8741e1373916a27128dde088ffaddf78d1e3419024281848d82ec9511a9bcd3f5d0e044614fcdcf99a2dc2109027fa4fab52c396ce902cc37e1ffdf23a57129

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662824772148.txt

Filesize
77KB

MD5
fd86ce623dd0e969dbd311375ae2640e

SHA1
edf5d2a15d32c9a22fb507d720cdff9478e2a794

SHA256
8b8c1d8fd7a51dfeea5aff66ed81f71adcc5c7769ae56e65fd324025c640f919

SHA512
b1cd6367e510f06ddac545fc69e6a5ade49da2b053132427ce80770b7b8862dc3de37f32e9aac03f4ca65092e65e315ea0b1df53372a87fc22f1ba27665719ca

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671764608349.txt

Filesize
74KB

MD5
5e198a8e41d359f6614ff22803edaff0

SHA1
1a1555df024aa79aded98b478b0382ddd209be7b

SHA256
0ab5480ed8e8c56cbfaefa6d6a63acded669788f37f1e325fdd622bde8fbe4d1

SHA512
12c8eec9c776f66d73dcd1367ce15378ba45b293bc4099fc6a58ab7dabc83036c7b100878bf5d464577abd2964c20abb8818299880cb3d878df1f9ebabf84864

Download Submit
C:\Windows\fskwpbdjedrj.exe

Filesize
424KB

MD5
b75fd64ddeb3ae78c3ae1ed748af1263

SHA1
6e34dabf5f487d323029893cdf4d85497de60c57

SHA256
a65bb62fc532acc4f3d35da9f418f1612cb47b8dc57b1b3c560824a39421a415

SHA512
de4083c271a09f7b5fad4bd57c140b3bc67ff3b30974ac970add78cbe12cf38a4076c894029036c0bd11ee21d1a773714f63631e3715e409a8b44b42e9b2c72f

Download Submit
memory/2292-5331-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2292-8765-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2292-10749-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2292-10757-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2292-2712-0x0000000002190000-0x0000000002215000-memory.dmp

Filesize
532KB

Download
memory/2292-2711-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2292-11-0x0000000002190000-0x0000000002215000-memory.dmp

Filesize
532KB

Download
memory/2292-10796-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2904-0-0x00000000022F0000-0x0000000002375000-memory.dmp

Filesize
532KB

Download
memory/2904-9-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2904-10-0x00000000022F0000-0x0000000002375000-memory.dmp

Filesize
532KB

Download
memory/2904-2-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download