teslacrypt | c46d526ed752a808427220c412135972ed2fbfac2476b9fcd6b74b330e4dc9a3

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
Size

396KB
MD5

e3c7a712d0aa4db4b62ca2a2abc3af89
SHA1

80ebc294329a7d40e6ac13feedf0b5554fdf8a38
SHA256

c46d526ed752a808427220c412135972ed2fbfac2476b9fcd6b74b330e4dc9a3
SHA512

814df1437244043bfd5a7803b208695badc87b3a862f24f25b838b8eaee82c91314d5fdd2f52286494fd2499da48a1efb4738235eddc94bd04b7dc14d4cde8fb
SSDEEP

6144:Z0sTdSkul5CpfZsu43jx0HdEouuj5axxn7JCpIKxZU/bc92A6mJOl:qG7pfZsu43d0HdEFuj5EpNbWAcsoOl

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+qrhxi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/519F19C117E8F74A 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/519F19C117E8F74A 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/519F19C117E8F74A If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/519F19C117E8F74A 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/519F19C117E8F74A http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/519F19C117E8F74A http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/519F19C117E8F74A *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/519F19C117E8F74A

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/519F19C117E8F74A

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/519F19C117E8F74A

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/519F19C117E8F74A

http://xlowfznrg4wf7dli.ONION/519F19C117E8F74A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (873) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	kxbvfewsldpm.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qrhxi.html	kxbvfewsldpm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qrhxi.html	kxbvfewsldpm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	kxbvfewsldpm.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syvbbvnmxxrm = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\kxbvfewsldpm.exe\""	kxbvfewsldpm.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-36.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EMLAttachmentIcon.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-125_contrast-black.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-30_altform-unplated.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-256.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Java\_RECoVERY_+qrhxi.html	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-125.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-16_altform-unplated.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\_RECoVERY_+qrhxi.html	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-125.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\remixCTA_welcome.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-150.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-400.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubGameBar.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-64_altform-unplated.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-100.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\_RECoVERY_+qrhxi.html	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_RECoVERY_+qrhxi.html	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_contrast-black.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-60_altform-unplated_contrast-black.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-unplated.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-400.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\FormatOptimize.ppt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-20_altform-lightunplated.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-200.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-lightunplated.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_RECoVERY_+qrhxi.html	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircleHover.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileExcel32x32.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-100.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-400_contrast-white.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\_RECoVERY_+qrhxi.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-96_altform-unplated.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\pstn\PSTN_cluster.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png	kxbvfewsldpm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_RECoVERY_+qrhxi.txt	kxbvfewsldpm.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\kxbvfewsldpm.exe	e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
File opened for modification	C:\Windows\kxbvfewsldpm.exe	e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kxbvfewsldpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	kxbvfewsldpm.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3536	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe
2892	kxbvfewsldpm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
Token: SeDebugPrivilege	2892	kxbvfewsldpm.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe
Token: SeSystemProfilePrivilege	4156	WMIC.exe
Token: SeSystemtimePrivilege	4156	WMIC.exe
Token: SeProfSingleProcessPrivilege	4156	WMIC.exe
Token: SeIncBasePriorityPrivilege	4156	WMIC.exe
Token: SeCreatePagefilePrivilege	4156	WMIC.exe
Token: SeBackupPrivilege	4156	WMIC.exe
Token: SeRestorePrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4156	WMIC.exe
Token: SeRemoteShutdownPrivilege	4156	WMIC.exe
Token: SeUndockPrivilege	4156	WMIC.exe
Token: SeManageVolumePrivilege	4156	WMIC.exe
Token: 33	4156	WMIC.exe
Token: 34	4156	WMIC.exe
Token: 35	4156	WMIC.exe
Token: 36	4156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe
Token: SeSystemProfilePrivilege	4156	WMIC.exe
Token: SeSystemtimePrivilege	4156	WMIC.exe
Token: SeProfSingleProcessPrivilege	4156	WMIC.exe
Token: SeIncBasePriorityPrivilege	4156	WMIC.exe
Token: SeCreatePagefilePrivilege	4156	WMIC.exe
Token: SeBackupPrivilege	4156	WMIC.exe
Token: SeRestorePrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4156	WMIC.exe
Token: SeRemoteShutdownPrivilege	4156	WMIC.exe
Token: SeUndockPrivilege	4156	WMIC.exe
Token: SeManageVolumePrivilege	4156	WMIC.exe
Token: 33	4156	WMIC.exe
Token: 34	4156	WMIC.exe
Token: 35	4156	WMIC.exe
Token: 36	4156	WMIC.exe
Token: SeBackupPrivilege	648	vssvc.exe
Token: SeRestorePrivilege	648	vssvc.exe
Token: SeAuditPrivilege	648	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2276	WMIC.exe
Token: SeSecurityPrivilege	2276	WMIC.exe
Token: SeTakeOwnershipPrivilege	2276	WMIC.exe
Token: SeLoadDriverPrivilege	2276	WMIC.exe
Token: SeSystemProfilePrivilege	2276	WMIC.exe
Token: SeSystemtimePrivilege	2276	WMIC.exe
Token: SeProfSingleProcessPrivilege	2276	WMIC.exe
Token: SeIncBasePriorityPrivilege	2276	WMIC.exe
Token: SeCreatePagefilePrivilege	2276	WMIC.exe
Token: SeBackupPrivilege	2276	WMIC.exe
Token: SeRestorePrivilege	2276	WMIC.exe
Token: SeShutdownPrivilege	2276	WMIC.exe
Token: SeDebugPrivilege	2276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2276	WMIC.exe
Token: SeRemoteShutdownPrivilege	2276	WMIC.exe
Token: SeUndockPrivilege	2276	WMIC.exe
Token: SeManageVolumePrivilege	2276	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2892	5068	e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe	82
PID 5068 wrote to memory of 2892	5068	e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe	82
PID 5068 wrote to memory of 2892	5068	e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe	82
PID 5068 wrote to memory of 2024	5068	e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe	83
PID 5068 wrote to memory of 2024	5068	e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe	83
PID 5068 wrote to memory of 2024	5068	e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe	83
PID 2892 wrote to memory of 4156	2892	kxbvfewsldpm.exe	86
PID 2892 wrote to memory of 4156	2892	kxbvfewsldpm.exe	86
PID 2892 wrote to memory of 3536	2892	kxbvfewsldpm.exe	104
PID 2892 wrote to memory of 3536	2892	kxbvfewsldpm.exe	104
PID 2892 wrote to memory of 3536	2892	kxbvfewsldpm.exe	104
PID 2892 wrote to memory of 2584	2892	kxbvfewsldpm.exe	105
PID 2892 wrote to memory of 2584	2892	kxbvfewsldpm.exe	105
PID 2584 wrote to memory of 840	2584	msedge.exe	106
PID 2584 wrote to memory of 840	2584	msedge.exe	106
PID 2892 wrote to memory of 2276	2892	kxbvfewsldpm.exe	107
PID 2892 wrote to memory of 2276	2892	kxbvfewsldpm.exe	107
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 3668	2584	msedge.exe	109
PID 2584 wrote to memory of 2924	2584	msedge.exe	110
PID 2584 wrote to memory of 2924	2584	msedge.exe	110
PID 2584 wrote to memory of 4872	2584	msedge.exe	111
PID 2584 wrote to memory of 4872	2584	msedge.exe	111
PID 2584 wrote to memory of 4872	2584	msedge.exe	111
PID 2584 wrote to memory of 4872	2584	msedge.exe	111
PID 2584 wrote to memory of 4872	2584	msedge.exe	111

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	kxbvfewsldpm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	kxbvfewsldpm.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\kxbvfewsldpm.exe
  C:\Windows\kxbvfewsldpm.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2892
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:3536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe65446f8,0x7fffe6544708,0x7fffe6544718
      4⤵
      PID:840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:3668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      PID:2924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
      4⤵
      PID:4872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      PID:4976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
      4⤵
      PID:280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
      4⤵
      PID:4472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
      4⤵
      PID:1684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      4⤵
      PID:2172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
      4⤵
      PID:2684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
      4⤵
      PID:2904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
      4⤵
      PID:4248
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KXBVFE~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3C7A7~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+qrhxi.html

Filesize
8KB

MD5
5526518097fb4c37172c8bfd60631d52

SHA1
c27020e1e2cf36f4c30aae1288895b8060bed0ca

SHA256
d2677bee62cda024ca1d9a87c51842143c8eb40739ac6fe2435de4b5d086f734

SHA512
3b93645f26cfbe9d282bd38abab75298ca63ba08edc9003cf09030114983c4a104d9a78490fb71ba41306b0930a9ac5773bb99015be28d000e460e6ac19f135a

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+qrhxi.png

Filesize
65KB

MD5
5c0d0b7131cd9dfbe2fdc31139c611a2

SHA1
a5941ed896792d1afa06e476e26ec325246cce35

SHA256
c869b6841fa46301f37200b229f71ec2200ab1a57d5811ddde626c80844418ec

SHA512
dc4aa2aab65ff67f3ce3d8b52a4a3bddef90a0665ec5c63ac18ac5f05e8502cce66de3ea338da8de8fc7881a00fa45379aea4219f58c0b4d6a18fa03b5d6502f

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+qrhxi.txt

Filesize
1KB

MD5
a3e1492405b0b13b2ee7d9e9647bd557

SHA1
34869b026d2205f255082783cccfea8a0bd7322c

SHA256
c2e10a3f56f92ef9ca45dcff70444c279a3df80ad8dc55b22aa4f5b8de0f180d

SHA512
2bae67cf3b5356b4eff0853885f02ba7b777ac2e8595b73cb9070514f49300ab6cde378411624901fb2199fc68b08beab99429be2a13827e685503527b9c2d9d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
a164c0b92db93aa19e218a4de9b3c966

SHA1
b913c168866c616a8d7a75b7ba7f84ca0b87a747

SHA256
24c883261cc699a855d9d0f9c42f26ba72650a9027366db5e09b5bb6dd9865b3

SHA512
0b58a2f90e54605db0d88cfe5e2fb01e8d87d58af00c7af3e62b24fc09f711cf7661df32bdaf3691fb78a4d9bf2e52bb069c51efc7d5819c1112bdf0210d375f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
4a4141afc1193c020da61782de9eead2

SHA1
cd1ed30da95a313aecd33430695890c40fc87a99

SHA256
e4a501dea357a6554bbc8225476bc02522444534aaa25a2ebfe5d10e3c00ca12

SHA512
48a4b97d153028bc5cf898cbc9de640c31b6c56317179645f34a098c253f61c270fd9265c7ccd7ccbee4612cda4924ccc67dcef0115b9cdc61b78e64e5f27b09

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
907616b1a33a1fb3f6030bcc5f0ec37d

SHA1
4612f912f5c762c232202d2d25cc62d11f0174e2

SHA256
789a9e35bf63c1aa7f6acec5bdccddba04b9f1785ecc685cf50584fb7512df76

SHA512
5189317b1c66a813dd1b45b5be3bba95a58e100efecc981302fe59138ec652540e7467f798c57d3b065937f4f424b1c71cb36324c86b80e79fc3f5f1e05e0974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\34898354-9cb3-479e-923e-7710636763fa.tmp

Filesize
6KB

MD5
d644e9836d37014940bd36ca3308ce1e

SHA1
94b904e6d823425a71bd585679191a93843139bf

SHA256
46c9a6f33495f51fabcea0b574db8c52b06b283d55172dcd272d80f1cd34a58e

SHA512
63316a410daed1448c3fe499803e4b5e4437dbe9a9f947f06fb0baa0e34c8fd81c3e0e9de7ef97cbf345675971d61ee48c5196c02f68e7d23ce4bb6f40fe98cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4d65491cb40e5be3a5cc9a79889b669

SHA1
ba9e3684534bfa784f1abeec4b946cf9bcfc12f1

SHA256
198259b796f741594faad22d312b903a329e02d4201818f155cbc9285b938419

SHA512
1cd15e4ae8991a0eb22cc7482b9efc698448b44cdb6c26e50b6ff2751c96f2b001a6092f708b00a4c47cdb7b2befec83fd7bb5bd02aa611d97e839710a3a475a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
28eb49bad3024d2a5a5ae4cf55bcd31f

SHA1
3b96a10162c2b7b9a9cad7643dc9d67bf20d6639

SHA256
01aeee9df3183c8d9d05f1db88dd7500fedff0f87815cda452738b1cb5513714

SHA512
27de0673e5757e9abe2e823d17f66631e13f83e60044665ef81305f234c5b2bb24e42df48534f43f6467a7afec337d4d4a47307b96f2196a5f436ac782ce8068

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656298443196.txt

Filesize
77KB

MD5
4c76e2b5c33ce72e57b00a33f4155b8d

SHA1
4cfae7c32cbbf22bec68adcd847ed20386b30038

SHA256
fb65e123a57bc95fc03727bbed4dd58c66079af027be288add9f0e63c7596924

SHA512
88f66ec095b2533efbc474aec0b6e00fd24af14bb8380c4dcc3e6813b6422487e919ca66e03baa8f4c8c3e9a1108e5965c0c52f2a279114e01b9f9a10d738fbe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657999741523.txt

Filesize
47KB

MD5
8d45b9f660869bd519893e3f87f55099

SHA1
9bb0025227722bfbdfee296faf02bfb97cdae143

SHA256
bd10e327fce62984d1bf79b2d3f6cbd80dca872e60ac237cfac0c4fc16f48cd5

SHA512
a54a04f07cd41fb567e26fc91c23cb1e0f783747f1101915c26571994148500a42d3a9dc494751928300ff98324448d567de4bee841e2e3b0370c3e7bf33de35

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666039184869.txt

Filesize
74KB

MD5
917dbf7bc198672e7a31ce3d05627288

SHA1
297a36af17dc41d6761c59b18693c0c098778e69

SHA256
05270637e06376724e788a7108690f2f984cf7bb61de6344b18de3bd1e3e4316

SHA512
defd733ae0e3932b2c80145563ea73f8ec8535106f18587cb36ab18ca526f3493f8abf1ec1c428f4437aff92a9c573480f19a0da8f6560effef95f17a63b941f

Download Submit
C:\Windows\kxbvfewsldpm.exe

Filesize
396KB

MD5
e3c7a712d0aa4db4b62ca2a2abc3af89

SHA1
80ebc294329a7d40e6ac13feedf0b5554fdf8a38

SHA256
c46d526ed752a808427220c412135972ed2fbfac2476b9fcd6b74b330e4dc9a3

SHA512
814df1437244043bfd5a7803b208695badc87b3a862f24f25b838b8eaee82c91314d5fdd2f52286494fd2499da48a1efb4738235eddc94bd04b7dc14d4cde8fb

Download Submit
memory/2892-5126-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2892-8349-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2892-10739-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2892-10741-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2892-11-0x00000000021C0000-0x0000000002244000-memory.dmp

Filesize
528KB

Download
memory/2892-2532-0x00000000021C0000-0x0000000002244000-memory.dmp

Filesize
528KB

Download
memory/2892-2519-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2892-10786-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/5068-0-0x0000000002240000-0x00000000022C4000-memory.dmp

Filesize
528KB

Download
memory/5068-1-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/5068-10-0x0000000002240000-0x00000000022C4000-memory.dmp

Filesize
528KB

Download
memory/5068-9-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download