teslacrypt | 7433a5e9c197d553dec3846ca48f83151ab4b17d2e4228d5433786622d575917

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be009cd5747143e0165519ec8337353d_JaffaCakes118.exe
Size

376KB
MD5

be009cd5747143e0165519ec8337353d
SHA1

95eeacd23cbc4ca9c2eb5c4481211c77ba5867d3
SHA256

7433a5e9c197d553dec3846ca48f83151ab4b17d2e4228d5433786622d575917
SHA512

c743f59887af3052546e9997104a72368db62ecc99940776fd50a9839e7f76307e17609cbe01271d64699623e18a9bb1b2058536d513674420fda0c3aaf5ce14
SSDEEP

6144:Se3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:SY5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+owphu.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/361D8F506D3C86 2. http://kkd47eh4hdjshb5t.angortra.at/361D8F506D3C86 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/361D8F506D3C86 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/361D8F506D3C86 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/361D8F506D3C86 http://kkd47eh4hdjshb5t.angortra.at/361D8F506D3C86 http://ytrest84y5i456hghadefdsd.pontogrot.com/361D8F506D3C86 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/361D8F506D3C86

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/361D8F506D3C86

http://kkd47eh4hdjshb5t.angortra.at/361D8F506D3C86

http://ytrest84y5i456hghadefdsd.pontogrot.com/361D8F506D3C86

http://xlowfznrg4wf7dli.ONION/361D8F506D3C86

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (869) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	gwmlnoimwybj.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+owphu.png	gwmlnoimwybj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+owphu.txt	gwmlnoimwybj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+owphu.png	gwmlnoimwybj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+owphu.txt	gwmlnoimwybj.exe

Executes dropped EXE 2 IoCs

pid	Process
5056	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ynivpajkullm = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\gwmlnoimwybj.exe\""	gwmlnoimwybj.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 1416	1544	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	99
PID 5056 set thread context of 2536	5056	gwmlnoimwybj.exe	105

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-400.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-100_contrast-black.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\Recovery+owphu.txt	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\Recovery+owphu.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-125_contrast-white.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+owphu.txt	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Recovery+owphu.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\Recovery+owphu.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\Recovery+owphu.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MixedRealityPortalSplashScreen.scale-125.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_altform-unplated_contrast-black.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-200.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+owphu.txt	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-100.HCWhite.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\RunningLate.scale-80.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Recovery+owphu.txt	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-150.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\LargeTile.scale-200.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\WideTile.scale-200.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+owphu.txt	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+owphu.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Mutable\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\fr\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\Recovery+owphu.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-high\Recovery+owphu.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-32_altform-unplated_contrast-white.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Recovery+owphu.txt	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\fb_blank_profile_portrait.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64_altform-unplated.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+owphu.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-150.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+owphu.txt	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\Recovery+owphu.txt	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer10Sec.targetsize-24.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+owphu.html	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-140.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MediumTile.scale-100.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.scale-200_contrast-black.png	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Recovery+owphu.txt	gwmlnoimwybj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-unplated_contrast-black.png	gwmlnoimwybj.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\gwmlnoimwybj.exe	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe
File opened for modification	C:\Windows\gwmlnoimwybj.exe	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gwmlnoimwybj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gwmlnoimwybj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	gwmlnoimwybj.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4948	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe
2536	gwmlnoimwybj.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe
Token: SeDebugPrivilege	2536	gwmlnoimwybj.exe
Token: SeIncreaseQuotaPrivilege	4220	WMIC.exe
Token: SeSecurityPrivilege	4220	WMIC.exe
Token: SeTakeOwnershipPrivilege	4220	WMIC.exe
Token: SeLoadDriverPrivilege	4220	WMIC.exe
Token: SeSystemProfilePrivilege	4220	WMIC.exe
Token: SeSystemtimePrivilege	4220	WMIC.exe
Token: SeProfSingleProcessPrivilege	4220	WMIC.exe
Token: SeIncBasePriorityPrivilege	4220	WMIC.exe
Token: SeCreatePagefilePrivilege	4220	WMIC.exe
Token: SeBackupPrivilege	4220	WMIC.exe
Token: SeRestorePrivilege	4220	WMIC.exe
Token: SeShutdownPrivilege	4220	WMIC.exe
Token: SeDebugPrivilege	4220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4220	WMIC.exe
Token: SeRemoteShutdownPrivilege	4220	WMIC.exe
Token: SeUndockPrivilege	4220	WMIC.exe
Token: SeManageVolumePrivilege	4220	WMIC.exe
Token: 33	4220	WMIC.exe
Token: 34	4220	WMIC.exe
Token: 35	4220	WMIC.exe
Token: 36	4220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3700	WMIC.exe
Token: SeSecurityPrivilege	3700	WMIC.exe
Token: SeTakeOwnershipPrivilege	3700	WMIC.exe
Token: SeLoadDriverPrivilege	3700	WMIC.exe
Token: SeSystemProfilePrivilege	3700	WMIC.exe
Token: SeSystemtimePrivilege	3700	WMIC.exe
Token: SeProfSingleProcessPrivilege	3700	WMIC.exe
Token: SeIncBasePriorityPrivilege	3700	WMIC.exe
Token: SeCreatePagefilePrivilege	3700	WMIC.exe
Token: SeBackupPrivilege	3700	WMIC.exe
Token: SeRestorePrivilege	3700	WMIC.exe
Token: SeShutdownPrivilege	3700	WMIC.exe
Token: SeDebugPrivilege	3700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3700	WMIC.exe
Token: SeRemoteShutdownPrivilege	3700	WMIC.exe
Token: SeUndockPrivilege	3700	WMIC.exe
Token: SeManageVolumePrivilege	3700	WMIC.exe
Token: 33	3700	WMIC.exe
Token: 34	3700	WMIC.exe
Token: 35	3700	WMIC.exe
Token: 36	3700	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1416	1544	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	99
PID 1544 wrote to memory of 1416	1544	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	99
PID 1544 wrote to memory of 1416	1544	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	99
PID 1544 wrote to memory of 1416	1544	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	99
PID 1544 wrote to memory of 1416	1544	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	99
PID 1544 wrote to memory of 1416	1544	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	99
PID 1544 wrote to memory of 1416	1544	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	99
PID 1544 wrote to memory of 1416	1544	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	99
PID 1544 wrote to memory of 1416	1544	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	99
PID 1544 wrote to memory of 1416	1544	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	99
PID 1416 wrote to memory of 5056	1416	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	100
PID 1416 wrote to memory of 5056	1416	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	100
PID 1416 wrote to memory of 5056	1416	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	100
PID 1416 wrote to memory of 2284	1416	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	101
PID 1416 wrote to memory of 2284	1416	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	101
PID 1416 wrote to memory of 2284	1416	be009cd5747143e0165519ec8337353d_JaffaCakes118.exe	101
PID 5056 wrote to memory of 2536	5056	gwmlnoimwybj.exe	105
PID 5056 wrote to memory of 2536	5056	gwmlnoimwybj.exe	105
PID 5056 wrote to memory of 2536	5056	gwmlnoimwybj.exe	105
PID 5056 wrote to memory of 2536	5056	gwmlnoimwybj.exe	105
PID 5056 wrote to memory of 2536	5056	gwmlnoimwybj.exe	105
PID 5056 wrote to memory of 2536	5056	gwmlnoimwybj.exe	105
PID 5056 wrote to memory of 2536	5056	gwmlnoimwybj.exe	105
PID 5056 wrote to memory of 2536	5056	gwmlnoimwybj.exe	105
PID 5056 wrote to memory of 2536	5056	gwmlnoimwybj.exe	105
PID 5056 wrote to memory of 2536	5056	gwmlnoimwybj.exe	105
PID 2536 wrote to memory of 4220	2536	gwmlnoimwybj.exe	106
PID 2536 wrote to memory of 4220	2536	gwmlnoimwybj.exe	106
PID 2536 wrote to memory of 4948	2536	gwmlnoimwybj.exe	110
PID 2536 wrote to memory of 4948	2536	gwmlnoimwybj.exe	110
PID 2536 wrote to memory of 4948	2536	gwmlnoimwybj.exe	110
PID 2536 wrote to memory of 840	2536	gwmlnoimwybj.exe	111
PID 2536 wrote to memory of 840	2536	gwmlnoimwybj.exe	111
PID 840 wrote to memory of 3948	840	msedge.exe	112
PID 840 wrote to memory of 3948	840	msedge.exe	112
PID 2536 wrote to memory of 3700	2536	gwmlnoimwybj.exe	113
PID 2536 wrote to memory of 3700	2536	gwmlnoimwybj.exe	113
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115
PID 840 wrote to memory of 2964	840	msedge.exe	115

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gwmlnoimwybj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gwmlnoimwybj.exe

C:\Users\Admin\AppData\Local\Temp\be009cd5747143e0165519ec8337353d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be009cd5747143e0165519ec8337353d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\be009cd5747143e0165519ec8337353d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\be009cd5747143e0165519ec8337353d_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\gwmlnoimwybj.exe
    C:\Windows\gwmlnoimwybj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\gwmlnoimwybj.exe
      C:\Windows\gwmlnoimwybj.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2536
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:4948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff16a846f8,0x7fff16a84708,0x7fff16a84718
        6⤵
        
        PID:3948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13482884065919448253,13193047198069450026,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
        6⤵
        
        PID:2964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13482884065919448253,13193047198069450026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
        6⤵
        
        PID:3344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,13482884065919448253,13193047198069450026,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
        6⤵
        
        PID:4256
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13482884065919448253,13193047198069450026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        6⤵
        
        PID:316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13482884065919448253,13193047198069450026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        6⤵
        
        PID:2160
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13482884065919448253,13193047198069450026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
        6⤵
        
        PID:2984
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13482884065919448253,13193047198069450026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
        6⤵
        
        PID:4588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13482884065919448253,13193047198069450026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
        6⤵
        
        PID:4540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13482884065919448253,13193047198069450026,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
        6⤵
        
        PID:1996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13482884065919448253,13193047198069450026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
        6⤵
        
        PID:1240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13482884065919448253,13193047198069450026,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
        6⤵
        
        PID:2240
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GWMLNO~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\BE009C~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+owphu.html

Filesize
7KB

MD5
4ed2233cfdf756791652df3811fd6b92

SHA1
06b61bf56bcc47eace959dfe3bf20ddf43733b60

SHA256
8d670cc0c7e5574b32ad5816716fecd8d80625909d599fb5f9911a66ba695edd

SHA512
739e7dd15689f2924eda07725f1c2b65554d08fc0f093bc4269658c02b929836771558db4b45064b3a847045602483acb93360b63612174e55c53b37b366c66b

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+owphu.png

Filesize
62KB

MD5
d9842c9200ad83bd91ca7592fb51ed88

SHA1
5c856d40a2e3f1c79d4354310b1f5fdaaaaa8dca

SHA256
80f2737a95f0fd95e3166d8def71db53716eb37e4caa50ee72d2fd4ffb919b6c

SHA512
1b13e08b3e15e3d001734d03a18f4cc375abb337637b220d652565d340764bcc2dc5574bbbc938b002d1b59817d0b088e9a6720f99bb54f96068d79c74f67ecb

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+owphu.txt

Filesize
1KB

MD5
5c4b9cba433301b0b7fc38585b3d2750

SHA1
ddf7b30110ac4615af8abc1fd8079f16bc9b1953

SHA256
6be61d93ee3bfbc61e7f8cbf1573ef1ce6220f9493c6fce4cefd1b26715b138a

SHA512
784725b34ae6aaf628de26a885cf405abfac16ad4f57e31b4dfa674ffaa335e5b600d5519f2e03dadb33bc58e02fc545e6d95c7c25bafd30eece604b0917c6f9

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
6882bab13ac9beb470f1ce7f375f23cc

SHA1
38c68b5626963a5ff51601d835a0a86d055ca786

SHA256
d8bc73a8c659e57355216d281243376ee9e49f372b79efb3aa65b476d8a60116

SHA512
e87e8e1dc08cc0aabbcc11f65ff0f837fec35650842b75d648dba0dc7c09e821f1646c0269447f31d510dc844da5b0586f9b7fd24cb2a90c9966866eb57a2a71

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
7ea694529275087e9b390eddcf08cbff

SHA1
d16dfecec69b594847b4690943ca01545f566f51

SHA256
8e831c3d28c56ed7a5947517da1aa8d64faf34a1f0bd0b63aed17476f1c2c4b4

SHA512
db9347b33e3f8192852172a6a1182875095afcceb81fa3d7927c69162e3c362adeec7113f1c1b9e265acfddc8fb205abca0a76d563f58479464cfb0623eb6325

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
3312373928873241e69b9f4fd597713d

SHA1
535f327f5ad0d7b9cf55d08e420b5b7c3d59a4fc

SHA256
bb30ff8ef2fd0db4ffe381944c11eda0fa9f307d5d9a9ac07c42a2e9df69084a

SHA512
8e58bdc1f858f8c7fb7131d5c4d0686d81ffa8bbcca370ab97018004017297b2ac105c8b57ac2594480e7fa254d9ceab2877bfb5faaff426d83d10997f56adc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
463f2fcda059254fb164ebf5a4f2fe6a

SHA1
ad9f6cb3376b146bb51327135b2558ff030d3395

SHA256
32b6892ea7a64381b5f0edc621cb9a25e912c820b89204b06709ab4c4aa02f5b

SHA512
f0d63c01bb6e9abc5f79f7a55839d38d6d6ef36d11a44929206192c7b0a94d7e312f875f60195393a4444a546f4597a359f9cc52d927e1ffa33cbe8992e1e949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94a09efd2eb60cdb7d7ab20f8d939ab6

SHA1
5b67c9acd413af644d6b73e8796f7c3370a150a4

SHA256
683bcc2bc407eb0238801f6cc62704d5093fc8b25a940c2691074107fb20a3a5

SHA512
6e2aff152db53151ec1c8a6abf7e8baae988261f40f023ab4560192331ab27ad0ceb02767d90f3788a9c897382ea1a9279d783b49ab59d8e8a8978265f8422f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7ffa6be6b86a22b9b946d10a59f7e707

SHA1
d99954ab2c0fa5f48e438763e1d6b77f9bdfb77b

SHA256
880f9541f3bbdab71d12f16bce4fe47737f33568ec4ea8293b5d000a7bbd0410

SHA512
dfb69294d27f80303048d1e6a22984683ded7c856fe5db55a3a24ae5b360df0fdba1762e28478a751e4a20c1f1257aa2ceb4495237db34c42775ed3eec7f9e8b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662360645001.txt

Filesize
77KB

MD5
e86638463a016541c728eb2a6473909a

SHA1
4d797639a044479d4e7e78a099d9288ae421c448

SHA256
0f477d37bac3c923e28a2868f264525097f059593990e18546e5b039c3e4ff1c

SHA512
c13f2b331be08d4fa9a50c906e759704df8f15367ae7b84723692d2eec8533b6bafb279f55edbdf3b31ede168be72e4078acdce2f5b59a0ca39a35b271854a4c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663623337830.txt

Filesize
47KB

MD5
57432aebc6c8055314440888f8cbde86

SHA1
40a9f0b36db5f0d957dba8fa4636f04dc4d082e8

SHA256
956856b3b255455a6729e63b4955bb2f2d72a73406791eae949e6e0e52b23739

SHA512
9f32545bb28036cec0b830949d5dda80aa172e404fb577a6caf543a8b11273878a0ac8070332a2301553a780a0d7cbc8ec8f2d09e3e9594a6e4ad0dfb4f0e458

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671211214398.txt

Filesize
74KB

MD5
6364554a46fe47a89be251560c711b17

SHA1
f541b9f430b13cd56efb42fadbe61c607ea28c25

SHA256
f7f44e392f3c64426c5f0bfe76d89394de82e6ee39aad8d4700e2c5ca41380c9

SHA512
7b0a2bf3150d836ef989e07b89454c06fc9e46605fac629737c3ba2914b4a07c04fe8a87269c4edd60dcd55e9400e2b856cda7468751b779e30bc1209ce0b4d2

Download Submit
C:\Windows\gwmlnoimwybj.exe

Filesize
376KB

MD5
be009cd5747143e0165519ec8337353d

SHA1
95eeacd23cbc4ca9c2eb5c4481211c77ba5867d3

SHA256
7433a5e9c197d553dec3846ca48f83151ab4b17d2e4228d5433786622d575917

SHA512
c743f59887af3052546e9997104a72368db62ecc99940776fd50a9839e7f76307e17609cbe01271d64699623e18a9bb1b2058536d513674420fda0c3aaf5ce14

Download Submit
memory/1416-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1416-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1416-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1416-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1416-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1544-4-0x00000000023E0000-0x00000000023E3000-memory.dmp

Filesize
12KB

Download
memory/1544-1-0x00000000023E0000-0x00000000023E3000-memory.dmp

Filesize
12KB

Download
memory/1544-0-0x00000000023E0000-0x00000000023E3000-memory.dmp

Filesize
12KB

Download
memory/2536-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-4946-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-2460-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-2447-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-8250-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-10721-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-10723-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-10731-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-10732-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-488-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-10773-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2536-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5056-12-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download