teslacrypt | 33ebc8e7d926b1c4d0a9a67fe1b10af1846276ce55d6efe1bd77ba7bab301d6f

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe
Size

392KB
MD5

e5ac3be9b138a4e8636c1a85056c3e8e
SHA1

6a945974c9b765dab00051478ffd18e4115636b8
SHA256

33ebc8e7d926b1c4d0a9a67fe1b10af1846276ce55d6efe1bd77ba7bab301d6f
SHA512

f318b64e4821b9b2d467a15aa8c856ab9853e14c1808e62de10cdc06d5d9c943154aa6aa8323abf1b005f27a14950613bcfede7e85bc28b51201a832ab1751bb
SSDEEP

6144:t1sKGiE/bfhcLAiHw4X2QohXd4IcyS3/zTQgdbv9sW9KHkmVfN8HyLW12ZlZL/du:vI/bJjiQ45CcvPzsiKH18Hy73ZhcP1s

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+ajfng.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/FDAAA664E7F89CC9 2. http://kkd47eh4hdjshb5t.angortra.at/FDAAA664E7F89CC9 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/FDAAA664E7F89CC9 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/FDAAA664E7F89CC9 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/FDAAA664E7F89CC9 http://kkd47eh4hdjshb5t.angortra.at/FDAAA664E7F89CC9 http://ytrest84y5i456hghadefdsd.pontogrot.com/FDAAA664E7F89CC9 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/FDAAA664E7F89CC9

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/FDAAA664E7F89CC9

http://kkd47eh4hdjshb5t.angortra.at/FDAAA664E7F89CC9

http://ytrest84y5i456hghadefdsd.pontogrot.com/FDAAA664E7F89CC9

http://xlowfznrg4wf7dli.ONION/FDAAA664E7F89CC9

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (875) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	tloqyktpinje.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ajfng.html	tloqyktpinje.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ajfng.txt	tloqyktpinje.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ajfng.html	tloqyktpinje.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ajfng.txt	tloqyktpinje.exe

Executes dropped EXE 2 IoCs

pid	Process
2040	tloqyktpinje.exe
1588	tloqyktpinje.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfbijfirkjvt = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\tloqyktpinje.exe\""	tloqyktpinje.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3808 set thread context of 3500	3808	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	99
PID 2040 set thread context of 1588	2040	tloqyktpinje.exe	105

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_ForwardDirection_RoomScale.jpg	tloqyktpinje.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\7.jpg	tloqyktpinje.exe
File opened for modification	C:\Program Files\Recovery+ajfng.txt	tloqyktpinje.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\WinMetadata\Recovery+ajfng.html	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-white_scale-125.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-200.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Recovery+ajfng.txt	tloqyktpinje.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\Recovery+ajfng.txt	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\8px.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-400.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-400.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pl-PL\View3d\Recovery+ajfng.html	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-125_contrast-black.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\Recovery+ajfng.html	tloqyktpinje.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Recovery+ajfng.html	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-36_altform-colorize.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-white_scale-100.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1851_24x24x32.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+ajfng.txt	tloqyktpinje.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\Recovery+ajfng.txt	tloqyktpinje.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-200.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Recovery+ajfng.txt	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-400.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\Recovery+ajfng.txt	tloqyktpinje.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-125.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-200.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Recovery+ajfng.html	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1851_20x20x32.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-96.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-40_altform-unplated.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg6.jpg	tloqyktpinje.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-64_altform-unplated.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\WideTile.scale-100.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-200_contrast-black.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\Recovery+ajfng.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-white.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-200.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Recovery+ajfng.html	tloqyktpinje.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\Recovery+ajfng.html	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png	tloqyktpinje.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-32_contrast-white.png	tloqyktpinje.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tloqyktpinje.exe	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe
File opened for modification	C:\Windows\tloqyktpinje.exe	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tloqyktpinje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tloqyktpinje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	tloqyktpinje.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2668	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe
1588	tloqyktpinje.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe
Token: SeDebugPrivilege	1588	tloqyktpinje.exe
Token: SeIncreaseQuotaPrivilege	4948	WMIC.exe
Token: SeSecurityPrivilege	4948	WMIC.exe
Token: SeTakeOwnershipPrivilege	4948	WMIC.exe
Token: SeLoadDriverPrivilege	4948	WMIC.exe
Token: SeSystemProfilePrivilege	4948	WMIC.exe
Token: SeSystemtimePrivilege	4948	WMIC.exe
Token: SeProfSingleProcessPrivilege	4948	WMIC.exe
Token: SeIncBasePriorityPrivilege	4948	WMIC.exe
Token: SeCreatePagefilePrivilege	4948	WMIC.exe
Token: SeBackupPrivilege	4948	WMIC.exe
Token: SeRestorePrivilege	4948	WMIC.exe
Token: SeShutdownPrivilege	4948	WMIC.exe
Token: SeDebugPrivilege	4948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4948	WMIC.exe
Token: SeRemoteShutdownPrivilege	4948	WMIC.exe
Token: SeUndockPrivilege	4948	WMIC.exe
Token: SeManageVolumePrivilege	4948	WMIC.exe
Token: 33	4948	WMIC.exe
Token: 34	4948	WMIC.exe
Token: 35	4948	WMIC.exe
Token: 36	4948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	116	WMIC.exe
Token: SeSecurityPrivilege	116	WMIC.exe
Token: SeTakeOwnershipPrivilege	116	WMIC.exe
Token: SeLoadDriverPrivilege	116	WMIC.exe
Token: SeSystemProfilePrivilege	116	WMIC.exe
Token: SeSystemtimePrivilege	116	WMIC.exe
Token: SeProfSingleProcessPrivilege	116	WMIC.exe
Token: SeIncBasePriorityPrivilege	116	WMIC.exe
Token: SeCreatePagefilePrivilege	116	WMIC.exe
Token: SeBackupPrivilege	116	WMIC.exe
Token: SeRestorePrivilege	116	WMIC.exe
Token: SeShutdownPrivilege	116	WMIC.exe
Token: SeDebugPrivilege	116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	116	WMIC.exe
Token: SeRemoteShutdownPrivilege	116	WMIC.exe
Token: SeUndockPrivilege	116	WMIC.exe
Token: SeManageVolumePrivilege	116	WMIC.exe
Token: 33	116	WMIC.exe
Token: 34	116	WMIC.exe
Token: 35	116	WMIC.exe
Token: 36	116	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 3500	3808	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	99
PID 3808 wrote to memory of 3500	3808	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	99
PID 3808 wrote to memory of 3500	3808	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	99
PID 3808 wrote to memory of 3500	3808	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	99
PID 3808 wrote to memory of 3500	3808	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	99
PID 3808 wrote to memory of 3500	3808	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	99
PID 3808 wrote to memory of 3500	3808	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	99
PID 3808 wrote to memory of 3500	3808	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	99
PID 3808 wrote to memory of 3500	3808	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	99
PID 3808 wrote to memory of 3500	3808	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	99
PID 3500 wrote to memory of 2040	3500	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	100
PID 3500 wrote to memory of 2040	3500	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	100
PID 3500 wrote to memory of 2040	3500	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	100
PID 3500 wrote to memory of 396	3500	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	102
PID 3500 wrote to memory of 396	3500	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	102
PID 3500 wrote to memory of 396	3500	e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe	102
PID 2040 wrote to memory of 1588	2040	tloqyktpinje.exe	105
PID 2040 wrote to memory of 1588	2040	tloqyktpinje.exe	105
PID 2040 wrote to memory of 1588	2040	tloqyktpinje.exe	105
PID 2040 wrote to memory of 1588	2040	tloqyktpinje.exe	105
PID 2040 wrote to memory of 1588	2040	tloqyktpinje.exe	105
PID 2040 wrote to memory of 1588	2040	tloqyktpinje.exe	105
PID 2040 wrote to memory of 1588	2040	tloqyktpinje.exe	105
PID 2040 wrote to memory of 1588	2040	tloqyktpinje.exe	105
PID 2040 wrote to memory of 1588	2040	tloqyktpinje.exe	105
PID 2040 wrote to memory of 1588	2040	tloqyktpinje.exe	105
PID 1588 wrote to memory of 4948	1588	tloqyktpinje.exe	106
PID 1588 wrote to memory of 4948	1588	tloqyktpinje.exe	106
PID 1588 wrote to memory of 2668	1588	tloqyktpinje.exe	110
PID 1588 wrote to memory of 2668	1588	tloqyktpinje.exe	110
PID 1588 wrote to memory of 2668	1588	tloqyktpinje.exe	110
PID 1588 wrote to memory of 4340	1588	tloqyktpinje.exe	111
PID 1588 wrote to memory of 4340	1588	tloqyktpinje.exe	111
PID 4340 wrote to memory of 2392	4340	msedge.exe	112
PID 4340 wrote to memory of 2392	4340	msedge.exe	112
PID 1588 wrote to memory of 116	1588	tloqyktpinje.exe	113
PID 1588 wrote to memory of 116	1588	tloqyktpinje.exe	113
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115
PID 4340 wrote to memory of 1264	4340	msedge.exe	115

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tloqyktpinje.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tloqyktpinje.exe

C:\Users\Admin\AppData\Local\Temp\e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Users\Admin\AppData\Local\Temp\e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e5ac3be9b138a4e8636c1a85056c3e8e_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\tloqyktpinje.exe
    C:\Windows\tloqyktpinje.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\tloqyktpinje.exe
      C:\Windows\tloqyktpinje.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1588
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a23446f8,0x7ff9a2344708,0x7ff9a2344718
        6⤵
        
        PID:2392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9354206332525528607,11655244434931638055,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        6⤵
        
        PID:1264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9354206332525528607,11655244434931638055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        6⤵
        
        PID:1512
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9354206332525528607,11655244434931638055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
        6⤵
        
        PID:2436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9354206332525528607,11655244434931638055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
        6⤵
        
        PID:1648
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9354206332525528607,11655244434931638055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
        6⤵
        
        PID:4404
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9354206332525528607,11655244434931638055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
        6⤵
        
        PID:2308
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9354206332525528607,11655244434931638055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
        6⤵
        
        PID:1220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9354206332525528607,11655244434931638055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
        6⤵
        
        PID:1292
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9354206332525528607,11655244434931638055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
        6⤵
        
        PID:3192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9354206332525528607,11655244434931638055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
        6⤵
        
        PID:5048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9354206332525528607,11655244434931638055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
        6⤵
        
        PID:316
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TLOQYK~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E5AC3B~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+ajfng.html

Filesize
9KB

MD5
0b763d53b3a6256324815b2bcaa77056

SHA1
43479afb6813adc0af87e3bbcaf09d262443f258

SHA256
f02912da3f3524338512d7545ddad3ceebb21a3426ae2b1da1985344cda57bc3

SHA512
f51ca8bd5b98e4bd01abf6b45526848b0f83a0f39a57bacae92a007618aa52eb3fbf52d84f898ec78e67e8a551ce5da2469eb9fd5f1434e6b6bdd1ef5faff6e3

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+ajfng.png

Filesize
63KB

MD5
26b70470026ab9feefdd4011b6507d5a

SHA1
cdc0614659ef5652b86f4c5ef2e078728f730e60

SHA256
69cd94721c5fb346dd6a55b2fcb3628b7934f7b09ca0ae95543c2129c9ed575d

SHA512
5aedd56e67a82679e1f9b356c0416ed54ac6bc6d998a8d34d049411286046f9ed442c9610ec057c858f37935fde422a2581f49cfa9e2d2a89322127d015c4a0a

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+ajfng.txt

Filesize
1KB

MD5
17871d7b03bf0eed2a65283a6d1756d8

SHA1
315a832b4b6e30c7e208a5a7f3411ff3e9bf578a

SHA256
47c6d340b9e8d76c457793f909e57a670b0c860782e975b5f9730c9dc4adbd75

SHA512
91edd02648c4a13f595582428b6cee5ba9bf5219fff1725f84153729cea1349f2502cbe4108201dfb6948d1a315aa2085bb1263a259756808f2b736d49f5d592

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
980fbe2aca3aadcc6b978fd7f4b65569

SHA1
e917a634213738e2e60db6159365a3140fb16ca2

SHA256
5afce7b41d6aaf08d914eb430228b9d733af7060ec9f082a0b5ffa6aea13c53c

SHA512
74d9593de7f279bc812f4c92fc4ddb6bc21d5a958ccf4f0b515783fe030e1642b9a4adde89f16fdc29fa25322c558c4f83cdf54164359ea32c7dee985935101d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
c5b754e6f9baf05c1ae3688e69a31f24

SHA1
ae4139384adacddfa14b324b6482ea25df7f7f1c

SHA256
a0428d9b1e9884f53c822fc8bee7800c298c13c1c1bb03f268b8a97a71dd201c

SHA512
855ba802c81a079484bf9d26e604edb26848c55c15000cb9a6091927c662dfbe5909f638d74ae6463cebe7291a464a1de09370531adc3dd3ee9f623189ce5248

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
d9a62bada577dadc6c82d20bb692dd46

SHA1
4a2a5c984419cd64d84e3bb79a082c8484590777

SHA256
f9f27b30afa7b69f911b78232d9b952580852e3952e260cd2def62a57a301b67

SHA512
7ea4df50ce13405f91e3593e6ec3d320d9f9ffde11e86ecd51693833a07a3a689a83133ca3818e59ce5b5dc9e52fec5e0b1b8ebf3b08867161df108de9f6b692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1fa6be7ebd9b3a8bad6d2afa4c9407aa

SHA1
f817dad13b6c388f55470b2457456be7d049c96a

SHA256
0c3654d2a5544bd816605643939384c4dcf60131f8329c1e5f91a6f808e71056

SHA512
9e59a5c5be368e3f4b2e0ee6f15a1d39dea6e7bd331b589074ee1940753d520095e93ba3649ae32cc13eec19e4f58ef097c86d3840831d935c3c47700439afb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2261200d6ffe63cf8b74946a5fa892b

SHA1
5446c0825af31b204d310a457663814b8ce89b17

SHA256
52a0d306f5a81972977561ceb1edb2a65471fde9ca4b3a03ebf1f58105ab1770

SHA512
3dc3d0eef97cb8bd892cdbe2973acc84e94cba41703f603b66c78a9fe79e4d140a96e2a64ba6ac479f3822b9f5976ad273af413c4fa2d3e6126c0afcb45f76a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
67c4fe9719b0bbf49ec410b476527ac2

SHA1
c8cec847d331c2035a8e9abc1c83173666d7511a

SHA256
c97de1653a6eeccd87ea6a95f06cc2241e04602da92520d8ec2e41c3d95e4a1c

SHA512
2025f97dd472a2ef0f1a4db6d0bb2c2ba22a22e85e8c746a688625bab3c137686b41366b627527e9d0ad7571e108b0b52a56f6b812e1066dc7881ea5c1ad0af9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662820354407.txt

Filesize
77KB

MD5
c74618803205e03756be2145dccdbf2f

SHA1
de77d047b1ce600a1e4feaa28e5cef3f9e66c187

SHA256
13c22840c702daed86ae12a5ccf2f564312a003ecc4f8cf3e39881d0d91e7b0f

SHA512
1232c9af11ee142c637e8d0ea3ec09dab9905654ef1477ebe905b7a1d814c7fa7317e35f4d2d4f5224c9ea571e5b0de34bf5267eabcb99ebc4e393751a9ce5d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664176773847.txt

Filesize
48KB

MD5
5a4130f5d732cdde47ec1f4390bea26e

SHA1
e3116f2c1004ff565841601e97aed013e2f24826

SHA256
6af0b7a10de026c9b87ce81e2c2d65af68f7fe630b5f96132dc5d0cc073c14cd

SHA512
dceaf17696f69f0d9840c8effff681d3f4af75f1e2cd419581dd2576dfa174ae4daf916fa4d571cfe206327d3a3795dde65d49e2c1cd03c175a1aedf1400a4ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727672589120253.txt

Filesize
75KB

MD5
cb97ed9df923b67aa2695e7995c3df72

SHA1
dd2ed280245f262e9bd5152c6a881cb8ea1ba415

SHA256
6931a9ead99a20cbb54e51693724db837838f8b9fa082de67e677ac6bdfd5c73

SHA512
9280b6cf360a001064a8cd6c4ced528fd2d749aa3586344c43a5e486a2c6415ad4ac71310248e1094ea7880cf5ed755d73c1d3544f841bde1f73ad14aa2d626f

Download Submit
C:\Windows\tloqyktpinje.exe

Filesize
392KB

MD5
e5ac3be9b138a4e8636c1a85056c3e8e

SHA1
6a945974c9b765dab00051478ffd18e4115636b8

SHA256
33ebc8e7d926b1c4d0a9a67fe1b10af1846276ce55d6efe1bd77ba7bab301d6f

SHA512
f318b64e4821b9b2d467a15aa8c856ab9853e14c1808e62de10cdc06d5d9c943154aa6aa8323abf1b005f27a14950613bcfede7e85bc28b51201a832ab1751bb

Download Submit
memory/1588-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-10797-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-3066-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-3067-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-5870-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-10845-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-9405-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-10796-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-399-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-10805-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-10807-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2040-12-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/3500-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3500-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3500-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3500-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3500-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-0-0x0000000002400000-0x0000000002403000-memory.dmp

Filesize
12KB

Download
memory/3808-4-0x0000000002400000-0x0000000002403000-memory.dmp

Filesize
12KB

Download
memory/3808-1-0x0000000002400000-0x0000000002403000-memory.dmp

Filesize
12KB

Download