teslacrypt | 811740b4ecfe0bde80e90ec6f60fb17db109ccf7490345bb897276354ed31256

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de01a09f896441e9533913bb82278391_JaffaCakes118.exe
Size

376KB
MD5

de01a09f896441e9533913bb82278391
SHA1

d65824cc0c5b29864c7cac6b10f41fe516c0dd31
SHA256

811740b4ecfe0bde80e90ec6f60fb17db109ccf7490345bb897276354ed31256
SHA512

c8b0f54dc698a39e438ba7105d08632a05396ded5b2d2bb82e35d869e5595f9827d6246eb274657333411b80a9936cf291fd7e644f5b58a5450bdd228732b053
SSDEEP

6144:te3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:tY5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+bvpts.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6E3290FC3A7FF738 2. http://kkd47eh4hdjshb5t.angortra.at/6E3290FC3A7FF738 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/6E3290FC3A7FF738 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6E3290FC3A7FF738 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6E3290FC3A7FF738 http://kkd47eh4hdjshb5t.angortra.at/6E3290FC3A7FF738 http://ytrest84y5i456hghadefdsd.pontogrot.com/6E3290FC3A7FF738 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6E3290FC3A7FF738

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6E3290FC3A7FF738

http://kkd47eh4hdjshb5t.angortra.at/6E3290FC3A7FF738

http://ytrest84y5i456hghadefdsd.pontogrot.com/6E3290FC3A7FF738

http://xlowfznrg4wf7dli.ONION/6E3290FC3A7FF738

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	de01a09f896441e9533913bb82278391_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ifuxjrgkluhb.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bvpts.png	ifuxjrgkluhb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bvpts.png	ifuxjrgkluhb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bvpts.html	ifuxjrgkluhb.exe

Executes dropped EXE 2 IoCs

pid	Process
4516	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gjmkrruyqkny = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ifuxjrgkluhb.exe\""	ifuxjrgkluhb.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4844 set thread context of 4008	4844	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	98
PID 4516 set thread context of 2020	4516	ifuxjrgkluhb.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\Recovery+bvpts.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-150_contrast-black.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\Recovery+bvpts.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-60.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-32_altform-unplated_contrast-black.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-36.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\Recovery+bvpts.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-125.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+bvpts.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-125.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_altform-unplated_contrast-black.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\fr\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\questfallback.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-125_contrast-black.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Glasses.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-100.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-80.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-20_altform-unplated.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-100.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\Recovery+bvpts.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\uk-UA\Recovery+bvpts.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\RunningLate.scale-80.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\VideoLAN\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\styles\WefGalleryOnenote.css	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\Recovery+bvpts.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36_altform-unplated.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\10px.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\SMSConnect2x.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\ModifiableWindowsApps\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-32_altform-unplated.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\Recovery+bvpts.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_LargeTile.scale-200.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40_altform-unplated.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Recovery+bvpts.txt	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\Recovery+bvpts.html	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-200_contrast-white.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-400.png	ifuxjrgkluhb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+bvpts.png	ifuxjrgkluhb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ifuxjrgkluhb.exe	de01a09f896441e9533913bb82278391_JaffaCakes118.exe
File created	C:\Windows\ifuxjrgkluhb.exe	de01a09f896441e9533913bb82278391_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de01a09f896441e9533913bb82278391_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de01a09f896441e9533913bb82278391_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifuxjrgkluhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifuxjrgkluhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	ifuxjrgkluhb.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4596	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe
2020	ifuxjrgkluhb.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	de01a09f896441e9533913bb82278391_JaffaCakes118.exe
Token: SeDebugPrivilege	2020	ifuxjrgkluhb.exe
Token: SeIncreaseQuotaPrivilege	4144	WMIC.exe
Token: SeSecurityPrivilege	4144	WMIC.exe
Token: SeTakeOwnershipPrivilege	4144	WMIC.exe
Token: SeLoadDriverPrivilege	4144	WMIC.exe
Token: SeSystemProfilePrivilege	4144	WMIC.exe
Token: SeSystemtimePrivilege	4144	WMIC.exe
Token: SeProfSingleProcessPrivilege	4144	WMIC.exe
Token: SeIncBasePriorityPrivilege	4144	WMIC.exe
Token: SeCreatePagefilePrivilege	4144	WMIC.exe
Token: SeBackupPrivilege	4144	WMIC.exe
Token: SeRestorePrivilege	4144	WMIC.exe
Token: SeShutdownPrivilege	4144	WMIC.exe
Token: SeDebugPrivilege	4144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4144	WMIC.exe
Token: SeRemoteShutdownPrivilege	4144	WMIC.exe
Token: SeUndockPrivilege	4144	WMIC.exe
Token: SeManageVolumePrivilege	4144	WMIC.exe
Token: 33	4144	WMIC.exe
Token: 34	4144	WMIC.exe
Token: 35	4144	WMIC.exe
Token: 36	4144	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1624	WMIC.exe
Token: SeSecurityPrivilege	1624	WMIC.exe
Token: SeTakeOwnershipPrivilege	1624	WMIC.exe
Token: SeLoadDriverPrivilege	1624	WMIC.exe
Token: SeSystemProfilePrivilege	1624	WMIC.exe
Token: SeSystemtimePrivilege	1624	WMIC.exe
Token: SeProfSingleProcessPrivilege	1624	WMIC.exe
Token: SeIncBasePriorityPrivilege	1624	WMIC.exe
Token: SeCreatePagefilePrivilege	1624	WMIC.exe
Token: SeBackupPrivilege	1624	WMIC.exe
Token: SeRestorePrivilege	1624	WMIC.exe
Token: SeShutdownPrivilege	1624	WMIC.exe
Token: SeDebugPrivilege	1624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1624	WMIC.exe
Token: SeRemoteShutdownPrivilege	1624	WMIC.exe
Token: SeUndockPrivilege	1624	WMIC.exe
Token: SeManageVolumePrivilege	1624	WMIC.exe
Token: 33	1624	WMIC.exe
Token: 34	1624	WMIC.exe
Token: 35	1624	WMIC.exe
Token: 36	1624	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4008	4844	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	98
PID 4844 wrote to memory of 4008	4844	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	98
PID 4844 wrote to memory of 4008	4844	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	98
PID 4844 wrote to memory of 4008	4844	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	98
PID 4844 wrote to memory of 4008	4844	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	98
PID 4844 wrote to memory of 4008	4844	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	98
PID 4844 wrote to memory of 4008	4844	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	98
PID 4844 wrote to memory of 4008	4844	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	98
PID 4844 wrote to memory of 4008	4844	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	98
PID 4844 wrote to memory of 4008	4844	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	98
PID 4008 wrote to memory of 4516	4008	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	99
PID 4008 wrote to memory of 4516	4008	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	99
PID 4008 wrote to memory of 4516	4008	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	99
PID 4008 wrote to memory of 448	4008	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	100
PID 4008 wrote to memory of 448	4008	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	100
PID 4008 wrote to memory of 448	4008	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	100
PID 4516 wrote to memory of 2020	4516	ifuxjrgkluhb.exe	103
PID 4516 wrote to memory of 2020	4516	ifuxjrgkluhb.exe	103
PID 4516 wrote to memory of 2020	4516	ifuxjrgkluhb.exe	103
PID 4516 wrote to memory of 2020	4516	ifuxjrgkluhb.exe	103
PID 4516 wrote to memory of 2020	4516	ifuxjrgkluhb.exe	103
PID 4516 wrote to memory of 2020	4516	ifuxjrgkluhb.exe	103
PID 4516 wrote to memory of 2020	4516	ifuxjrgkluhb.exe	103
PID 4516 wrote to memory of 2020	4516	ifuxjrgkluhb.exe	103
PID 4516 wrote to memory of 2020	4516	ifuxjrgkluhb.exe	103
PID 4516 wrote to memory of 2020	4516	ifuxjrgkluhb.exe	103
PID 2020 wrote to memory of 4144	2020	ifuxjrgkluhb.exe	104
PID 2020 wrote to memory of 4144	2020	ifuxjrgkluhb.exe	104
PID 2020 wrote to memory of 4596	2020	ifuxjrgkluhb.exe	108
PID 2020 wrote to memory of 4596	2020	ifuxjrgkluhb.exe	108
PID 2020 wrote to memory of 4596	2020	ifuxjrgkluhb.exe	108
PID 2020 wrote to memory of 5072	2020	ifuxjrgkluhb.exe	109
PID 2020 wrote to memory of 5072	2020	ifuxjrgkluhb.exe	109
PID 5072 wrote to memory of 2960	5072	msedge.exe	110
PID 5072 wrote to memory of 2960	5072	msedge.exe	110
PID 2020 wrote to memory of 1624	2020	ifuxjrgkluhb.exe	111
PID 2020 wrote to memory of 1624	2020	ifuxjrgkluhb.exe	111
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113
PID 5072 wrote to memory of 2324	5072	msedge.exe	113

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ifuxjrgkluhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ifuxjrgkluhb.exe

C:\Users\Admin\AppData\Local\Temp\de01a09f896441e9533913bb82278391_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de01a09f896441e9533913bb82278391_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\de01a09f896441e9533913bb82278391_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\de01a09f896441e9533913bb82278391_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\ifuxjrgkluhb.exe
    C:\Windows\ifuxjrgkluhb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\ifuxjrgkluhb.exe
      C:\Windows\ifuxjrgkluhb.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2020
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:4596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc45d46f8,0x7ffdc45d4708,0x7ffdc45d4718
        6⤵
        
        PID:2960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8715282076231014160,16578030508416206160,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        6⤵
        
        PID:2324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,8715282076231014160,16578030508416206160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        6⤵
        
        PID:2216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,8715282076231014160,16578030508416206160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
        6⤵
        
        PID:4796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8715282076231014160,16578030508416206160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        6⤵
        
        PID:4896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8715282076231014160,16578030508416206160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        6⤵
        
        PID:4228
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8715282076231014160,16578030508416206160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
        6⤵
        
        PID:4620
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8715282076231014160,16578030508416206160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
        6⤵
        
        PID:2496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8715282076231014160,16578030508416206160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
        6⤵
        
        PID:1704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8715282076231014160,16578030508416206160,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
        6⤵
        
        PID:1924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8715282076231014160,16578030508416206160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
        6⤵
        
        PID:1448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8715282076231014160,16578030508416206160,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
        6⤵
        
        PID:3080
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\IFUXJR~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\DE01A0~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+bvpts.html

Filesize
7KB

MD5
f6674bf9e45a19dfdeaa787b67b125f7

SHA1
fbd78f7f6187177c478db8e4dcf5fff7a215cf9f

SHA256
b9490b3c583e5320e4b308b42596814cce27c955cfc773702428097f48e9354e

SHA512
44fddb336d2edce023010954813f6b58c44809dce86600c033c9679191c30dfd92c64972718e5069412acd665d500d4981c73286907e74547eb0a54ab7b33742

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+bvpts.png

Filesize
63KB

MD5
1375a4aa5f0de698b87258fe7f132ffa

SHA1
877bf2e47164fff2614ab12275813af76f02bed5

SHA256
bc834c3a434ed9a07ce217dca89df5a4341fb4fb7cc09acce8705788f57242b5

SHA512
409b50f100e3c4d110169d005f1eb523072c24f6fb873068e079f2cf81f250a467f9b2ba007d067a9f6a51e65b82cf2f4736982ceed043396a20420cf980237e

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+bvpts.txt

Filesize
1KB

MD5
5f3ac67a20a4c3640edede9561f0b75a

SHA1
90d1a3ad29572003c4fa695d320ab2b4c472c877

SHA256
18054c9f6ea8effbf866e03b97968a7062f9ff991c8209e7ee8f086192f9c4a7

SHA512
426f388ba67bb318cb6fd31286a200e8c8ff43295dcece71d8fdcc03d9812e09df055f58a0274feb0a69f0d0a983817610456d6601d88fe708f1f2a23f5118c2

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
931fc2284230fb91a7cf9330625661a0

SHA1
c1617448a93c679b36cd2efc9fe1d240af87e851

SHA256
5f2eb449626f1d71904a609f96edadfdd07c4039b61d8e36432dea2e329c72b8

SHA512
4c82ba0a9f94f08c4c34f1fc6475c44deda3dd840cf5bdf2de27db6c33209d75a36419e091e42a3db94ffc91a28562a8f508b761141bcbfe8850f3c7e660f60a

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
270881974d7cf4fa0cc9ccf1dcff307f

SHA1
1bec02bc5d404047048bf462c08b638bda14fe6c

SHA256
e972036d0bf473b15e36c5790b80cd7e62cd44693d1251e7c3b4ea93d48a108c

SHA512
92423a09dc21ea08908cadd4053d15f2b4eb96e6c0bb96615fd54382703273e57ab227422710210191d29d8e77214956b79fc6b184437ca48bb1d2b0dec6296c

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
0a6ba378fc8dc26fe4fcc46f5578d20e

SHA1
75a8f3ecf4db765c9aba051f4beeaba25270bd61

SHA256
a25e2a9d96a5337b884229b099c9a46fa9c7744cde266af0de9f1b3f409d863c

SHA512
60242d23996c81c81c6fc68d0bc09bef66b91ac4c97ea82b560212d8cc68ca18e3f5a3c0cb88d05a99c3e8996e9a37139c2883a2560e7a954c53f64c0cfddd49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
475ee13b8b8d5a276b8d2d4dbd9c9c2a

SHA1
a3ba09170fdfce449c58f99616283cf797a39348

SHA256
ef40b42ffe6a1f286751f2faecd30503f6ffdb70ca89b380953fb2fe3f89ce10

SHA512
82f2eaea7bf76d2a63dd03e56082edf16b0d8bf37cb24dee09c2d3baf06ee79cec75ad42241c98503e3a98d1930bb4a4f2d9ddf5b85b1cdf26fccd1a663b0ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d42496532d513f955a801c54c4f796a0

SHA1
f7dc4a58b2a8de8d4f4762d95fda561ea245cd7a

SHA256
0f0b355ac9d761535fbb654b1cf8f2df884eead7d03c5f0236a583451843b196

SHA512
3c95d775c54aabe202e4bba377f747b6f3a75a1511416c8b5bc31d6a3c91124c6036ec3265e4ac41b52b4e828dab4e6661e69f01e918378717d95ffb830fe866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
38a7b41ff132c77dc883cfd3c2af626a

SHA1
7423ab76f56b6ac76566ae3eefce53d41dde7e3a

SHA256
a8197eab93d02dde4b1d92d14c60e09b18be4128c6952ea9758c9acaf725ac61

SHA512
9436bd9427ece05e9a7083d85aad2c89cddd2eb98d806e28c7a1bddd4baa898f89f3a4988a77c5025310998a9af65c2cac91a7d007cc318213bbabd99a732e78

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt

Filesize
77KB

MD5
64a9f26f738b9455d856d752c09035ef

SHA1
d0e2c669e90f9f59f734f5f76c4aa54c82594ba9

SHA256
a98a0501e081fdfca404bc448fae25172ace71b4408434c9089eb3c075d43088

SHA512
0e0ada2e01cae7adad4d5630f09ec93ecff98b11ae4aa041ead4d0ea264e422059b94cc44dc5a1eeb774bf74c5cafd6fc7ffe302339df5971b106453cfc7dde1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt

Filesize
47KB

MD5
fe94e5e11e0a3905d322909e5bd7ed44

SHA1
69822fc775e40014d6a1a2a975cd857b71bf6888

SHA256
2600902841868123c3e7e01b8e8569af4b5af5e04b483c24d446939e5f4272ca

SHA512
04b5a7ae9dc534e5ac20b7e9c6d09c694f070d6cc5bcea13ec9eb260a515503125726d693c3f98787d2444261a668ed9f6f0bfd4e60cc23f8a12a101482ca76e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt

Filesize
74KB

MD5
97e57ec2acd06bddfc446eed912254b5

SHA1
7c433e89b1c6d9507987b95321b803ab38e5d267

SHA256
3aee525795f64d4cc6d4f00184331cf30eff3e89dcdcab8972c03ff6e8b6ed6b

SHA512
2d0802c68cd3c5e97a7b0d938b3bd8ff67604a21f4b419b2902230daab3a3f7e723aace8348cb0b2aae04c9d22fb633392e2e37b8ef47d4927322959b06dba6b

Download Submit
C:\Windows\ifuxjrgkluhb.exe

Filesize
376KB

MD5
de01a09f896441e9533913bb82278391

SHA1
d65824cc0c5b29864c7cac6b10f41fe516c0dd31

SHA256
811740b4ecfe0bde80e90ec6f60fb17db109ccf7490345bb897276354ed31256

SHA512
c8b0f54dc698a39e438ba7105d08632a05396ded5b2d2bb82e35d869e5595f9827d6246eb274657333411b80a9936cf291fd7e644f5b58a5450bdd228732b053

Download Submit
memory/2020-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-8261-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-2493-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-2494-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-4932-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-10573-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-10532-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-561-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-10521-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-10522-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-10531-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4008-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4008-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4008-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4008-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4008-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4516-12-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4844-4-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download
memory/4844-0-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download
memory/4844-1-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download