teslacrypt | 7647f59703849df9663b9756a6f323ee3e59852463f21a7fc139828a3aa5802f

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe
Size

396KB
MD5

ea7642ffb5c98e7f798f29129a64992e
SHA1

3349fbba067b988f38fe202702dedbfab0a41183
SHA256

7647f59703849df9663b9756a6f323ee3e59852463f21a7fc139828a3aa5802f
SHA512

2f7c79b373fa7fca06eb93adbedbc6885de80a674ad111c59706492b594fa5d0963e580568924d660188554b31de057c7b700423edb81dfd1895aa054ffd59ca
SSDEEP

12288:eVaauWatLv/kjWaesK3YSYJmlzFZ3IHmMr:e03DkjtLS5hVq

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+rggva.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4FF8DFCAAE6CC29 2. http://kkd47eh4hdjshb5t.angortra.at/E4FF8DFCAAE6CC29 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/E4FF8DFCAAE6CC29 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/E4FF8DFCAAE6CC29 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4FF8DFCAAE6CC29 http://kkd47eh4hdjshb5t.angortra.at/E4FF8DFCAAE6CC29 http://ytrest84y5i456hghadefdsd.pontogrot.com/E4FF8DFCAAE6CC29 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E4FF8DFCAAE6CC29

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4FF8DFCAAE6CC29

http://kkd47eh4hdjshb5t.angortra.at/E4FF8DFCAAE6CC29

http://ytrest84y5i456hghadefdsd.pontogrot.com/E4FF8DFCAAE6CC29

http://xlowfznrg4wf7dli.ONION/E4FF8DFCAAE6CC29

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (864) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	elbkcqxlvbap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+rggva.png	elbkcqxlvbap.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+rggva.png	elbkcqxlvbap.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+rggva.txt	elbkcqxlvbap.exe

Executes dropped EXE 2 IoCs

pid	Process
1016	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsrkbdmavwev = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\elbkcqxlvbap.exe\""	elbkcqxlvbap.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5004 set thread context of 1668	5004	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	99
PID 1016 set thread context of 4676	1016	elbkcqxlvbap.exe	104

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxMetadata\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\Recovery+rggva.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\Recovery+rggva.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-180.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\MicrosoftLogo.scale-200.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\Recovery+rggva.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\0.jpg	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-400.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\WideTile.scale-100.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\3px.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-100.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-125_contrast-black.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\Recovery+rggva.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+rggva.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-colorize.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-125.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-72.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-unplated.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\UserControls\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-100.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\ExploreButtonGradientTenfoot.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-125.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-32_altform-unplated.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.scale-200.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\Recovery+rggva.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-black_scale-125.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-150.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-high.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-64.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-125.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-unplated.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\Recovery+rggva.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sv-SE\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-150.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\Recovery+rggva.html	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\Recovery+rggva.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-64_altform-unplated_contrast-black.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_7.m4a	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	elbkcqxlvbap.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+rggva.html	elbkcqxlvbap.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\elbkcqxlvbap.exe	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe
File opened for modification	C:\Windows\elbkcqxlvbap.exe	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elbkcqxlvbap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elbkcqxlvbap.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	elbkcqxlvbap.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2152	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe
4676	elbkcqxlvbap.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe
Token: SeDebugPrivilege	4676	elbkcqxlvbap.exe
Token: SeIncreaseQuotaPrivilege	3664	WMIC.exe
Token: SeSecurityPrivilege	3664	WMIC.exe
Token: SeTakeOwnershipPrivilege	3664	WMIC.exe
Token: SeLoadDriverPrivilege	3664	WMIC.exe
Token: SeSystemProfilePrivilege	3664	WMIC.exe
Token: SeSystemtimePrivilege	3664	WMIC.exe
Token: SeProfSingleProcessPrivilege	3664	WMIC.exe
Token: SeIncBasePriorityPrivilege	3664	WMIC.exe
Token: SeCreatePagefilePrivilege	3664	WMIC.exe
Token: SeBackupPrivilege	3664	WMIC.exe
Token: SeRestorePrivilege	3664	WMIC.exe
Token: SeShutdownPrivilege	3664	WMIC.exe
Token: SeDebugPrivilege	3664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3664	WMIC.exe
Token: SeRemoteShutdownPrivilege	3664	WMIC.exe
Token: SeUndockPrivilege	3664	WMIC.exe
Token: SeManageVolumePrivilege	3664	WMIC.exe
Token: 33	3664	WMIC.exe
Token: 34	3664	WMIC.exe
Token: 35	3664	WMIC.exe
Token: 36	3664	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2928	WMIC.exe
Token: SeSecurityPrivilege	2928	WMIC.exe
Token: SeTakeOwnershipPrivilege	2928	WMIC.exe
Token: SeLoadDriverPrivilege	2928	WMIC.exe
Token: SeSystemProfilePrivilege	2928	WMIC.exe
Token: SeSystemtimePrivilege	2928	WMIC.exe
Token: SeProfSingleProcessPrivilege	2928	WMIC.exe
Token: SeIncBasePriorityPrivilege	2928	WMIC.exe
Token: SeCreatePagefilePrivilege	2928	WMIC.exe
Token: SeBackupPrivilege	2928	WMIC.exe
Token: SeRestorePrivilege	2928	WMIC.exe
Token: SeShutdownPrivilege	2928	WMIC.exe
Token: SeDebugPrivilege	2928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2928	WMIC.exe
Token: SeRemoteShutdownPrivilege	2928	WMIC.exe
Token: SeUndockPrivilege	2928	WMIC.exe
Token: SeManageVolumePrivilege	2928	WMIC.exe
Token: 33	2928	WMIC.exe
Token: 34	2928	WMIC.exe
Token: 35	2928	WMIC.exe
Token: 36	2928	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1668	5004	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	99
PID 5004 wrote to memory of 1668	5004	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	99
PID 5004 wrote to memory of 1668	5004	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	99
PID 5004 wrote to memory of 1668	5004	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	99
PID 5004 wrote to memory of 1668	5004	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	99
PID 5004 wrote to memory of 1668	5004	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	99
PID 5004 wrote to memory of 1668	5004	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	99
PID 5004 wrote to memory of 1668	5004	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	99
PID 5004 wrote to memory of 1668	5004	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	99
PID 5004 wrote to memory of 1668	5004	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	99
PID 1668 wrote to memory of 1016	1668	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	100
PID 1668 wrote to memory of 1016	1668	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	100
PID 1668 wrote to memory of 1016	1668	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	100
PID 1668 wrote to memory of 3180	1668	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	101
PID 1668 wrote to memory of 3180	1668	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	101
PID 1668 wrote to memory of 3180	1668	ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe	101
PID 1016 wrote to memory of 4676	1016	elbkcqxlvbap.exe	104
PID 1016 wrote to memory of 4676	1016	elbkcqxlvbap.exe	104
PID 1016 wrote to memory of 4676	1016	elbkcqxlvbap.exe	104
PID 1016 wrote to memory of 4676	1016	elbkcqxlvbap.exe	104
PID 1016 wrote to memory of 4676	1016	elbkcqxlvbap.exe	104
PID 1016 wrote to memory of 4676	1016	elbkcqxlvbap.exe	104
PID 1016 wrote to memory of 4676	1016	elbkcqxlvbap.exe	104
PID 1016 wrote to memory of 4676	1016	elbkcqxlvbap.exe	104
PID 1016 wrote to memory of 4676	1016	elbkcqxlvbap.exe	104
PID 1016 wrote to memory of 4676	1016	elbkcqxlvbap.exe	104
PID 4676 wrote to memory of 3664	4676	elbkcqxlvbap.exe	105
PID 4676 wrote to memory of 3664	4676	elbkcqxlvbap.exe	105
PID 4676 wrote to memory of 2152	4676	elbkcqxlvbap.exe	109
PID 4676 wrote to memory of 2152	4676	elbkcqxlvbap.exe	109
PID 4676 wrote to memory of 2152	4676	elbkcqxlvbap.exe	109
PID 4676 wrote to memory of 2492	4676	elbkcqxlvbap.exe	110
PID 4676 wrote to memory of 2492	4676	elbkcqxlvbap.exe	110
PID 2492 wrote to memory of 208	2492	msedge.exe	111
PID 2492 wrote to memory of 208	2492	msedge.exe	111
PID 4676 wrote to memory of 2928	4676	elbkcqxlvbap.exe	112
PID 4676 wrote to memory of 2928	4676	elbkcqxlvbap.exe	112
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114
PID 2492 wrote to memory of 680	2492	msedge.exe	114

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	elbkcqxlvbap.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	elbkcqxlvbap.exe

C:\Users\Admin\AppData\Local\Temp\ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea7642ffb5c98e7f798f29129a64992e_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\elbkcqxlvbap.exe
    C:\Windows\elbkcqxlvbap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\elbkcqxlvbap.exe
      C:\Windows\elbkcqxlvbap.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4676
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbd4f46f8,0x7ffcbd4f4708,0x7ffcbd4f4718
        6⤵
        
        PID:208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7045941101400560012,16855624992123148579,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        6⤵
        
        PID:680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,7045941101400560012,16855624992123148579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        6⤵
        
        PID:1676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,7045941101400560012,16855624992123148579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
        6⤵
        
        PID:2456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7045941101400560012,16855624992123148579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        6⤵
        
        PID:1864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7045941101400560012,16855624992123148579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        
        PID:996
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7045941101400560012,16855624992123148579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
        6⤵
        
        PID:1984
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7045941101400560012,16855624992123148579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
        6⤵
        
        PID:2128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7045941101400560012,16855624992123148579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
        6⤵
        
        PID:4788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7045941101400560012,16855624992123148579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
        6⤵
        
        PID:3948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7045941101400560012,16855624992123148579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
        6⤵
        
        PID:5080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7045941101400560012,16855624992123148579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
        6⤵
        
        PID:4468
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ELBKCQ~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\EA7642~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+rggva.html

Filesize
9KB

MD5
f7f2656527e17d20a3e19d96279c326f

SHA1
b3682ce43a8c8683a36f6c7d33293fe83519f941

SHA256
272bbd4b6f665ad87c474909cbe67c2b2c4799c66bcf324554d0624280ce2d07

SHA512
0e37ba58fb1e42e5da4ad1aab89b1736292bc5edaa68274bd2b89831789fe595fc5c17b148e383f3e5671c04e72102f7265305151ce1b00733b331578ed32ab7

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+rggva.png

Filesize
63KB

MD5
87c77bcd686bd28932a66c792b02abbf

SHA1
134009b9a44aa739150c8985bf6a3790245cb890

SHA256
5ecaf9670e99878880201971b9c815740ae73e14f15112ea1c2fc63325080049

SHA512
79ae4642d1354dce267268628c163a5ccec618d4694f99f074ba71fea3d2558f3d9b91f4d3504fc6fcc567904a4f8a27da3b42713a78673dbaceccc9391ba081

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+rggva.txt

Filesize
1KB

MD5
0eadb27ecabcd072945f241202a71a4b

SHA1
778579d25f51b0ed279a9fcaca2e8e97da40a0dc

SHA256
1b77a519364c72a00a5c644c34d557116715fefbf3ee68d1d1e097219d9bd823

SHA512
f356dfe3a93ecc033293ea59c28583ec9ef96da856a926f3af431486b3fa26a1782dcbaca3e1e41bf9828aea684a6848d088924caa261d47d249c67be396bdda

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
76bb6c44ae51787c8387078d9737964a

SHA1
19932b29d6ce545ff39221ffa6350f9ce93b943b

SHA256
b81a7d93c84770a16d7daab7c8f8fe2fc4b63bf081e0a8520369d73a1c9a4d0c

SHA512
f842a6e64395565c6fa946ccad1ff838e365d3e1c16348cd4546204b0d29a273351e1b3a4504f430b4440794bfd5a1535e0109b14c5d98f18b037d52d2d8134d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
580f9c7f76e72dd0e85847d31f1a63aa

SHA1
ebf39252de892b8eda69a326ad89c6fbc1674f7d

SHA256
19ee3d51b0e502e2fe58ff58ca1c494bd13218f0c496d741a18413a0c9339b7c

SHA512
ce89ed823f99760f0458f62029815a5a52d8a8ed70585ebcd34cf7355cf242adb4b811635e2c7b32574f65ce48fa79b11dd4671d1807b8381944aba4f7aa014b

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
7bf9929d5a456dbecd617184515450a7

SHA1
d7c2ad4d81f1ce02112b9fbb73c3e33a2f8f34f5

SHA256
ceea2326a0488ea9d2e2e8419311f2e1a21bc261996d35db426f16847927ce52

SHA512
761949b4123e3459355acf7a6096bcc13eae453f663534908452e4795de6dd6321dc52227991d4012592be5c13d6047c8e395ac09bd7a085611393f6310d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae74746ef79933479e1dee85c8c4c813

SHA1
7496a0848e372012b84b398e70425c40a192bf95

SHA256
6324e1cae80cc67a9861e919dac035f08dcdf50a1bb9a84bf8dc70a4f29ddb0a

SHA512
1ce85cc9ee34e7977f08284da6b78be9f518816b3ea4d7145f565d3e3c5a922b6bfe4b84eac69ddd1c42308a1ea2bdd69eff7294edb2699bc508f03de079f091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e5c459bd20895ebaa3c360e0cef591e

SHA1
81b9fcd341784563f1c8f6eb2de46c3ef51b4de0

SHA256
a3d9452a9e39a07d0e2cd591064490d3a6bafd40d696401281c8f3e918e41bac

SHA512
c9af51628cf3c2e515e524c6b1281b17f8a59aca172f17d862e10fa7059a5d5485a121a970ae4275aabd5eab7b7d60f198e93b14f0ff3a3affa7cd78b53688a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3dfe0fafbebc7a5242311451aee31830

SHA1
4b3a3d659457c2e6e88bd052f072951c6b7a876b

SHA256
e09315b2deabe06dc6302af128a95ffb030fc0119d194d2029eebb64fb1190ae

SHA512
7aa97d3d6c5a58ab2b31c526ec78674f33382de30c42492f4a099286f9129a1341dff4584890d807329ab1a41c104a6411ddd9884a8755f7481ed714674d2028

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665885684530.txt

Filesize
74KB

MD5
7a8e59df277c83db0a5fd5b702a5dc50

SHA1
d094a79ff18b4b62feb57cda0592b872df7bb25d

SHA256
0d6db9ca40dce9ebc8be166ae20ef562f935e05170b3abc77c6a9d3b0acd3d4a

SHA512
15505e8ffd33b891fe49fc0d1daae136a6748b98327ca235e953f18a9bce94f7084db3a76d71c38a5114bf973c81d4f14c3383e405b0335f811075b1fc50bc40

Download Submit
C:\Windows\elbkcqxlvbap.exe

Filesize
396KB

MD5
ea7642ffb5c98e7f798f29129a64992e

SHA1
3349fbba067b988f38fe202702dedbfab0a41183

SHA256
7647f59703849df9663b9756a6f323ee3e59852463f21a7fc139828a3aa5802f

SHA512
2f7c79b373fa7fca06eb93adbedbc6885de80a674ad111c59706492b594fa5d0963e580568924d660188554b31de057c7b700423edb81dfd1895aa054ffd59ca

Download Submit
memory/1016-12-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1668-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1668-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1668-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1668-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1668-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-338-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-2639-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-2649-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-4976-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-8023-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-10558-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-10560-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-10568-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-10570-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4676-10609-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5004-0-0x00000000009E0000-0x00000000009E3000-memory.dmp

Filesize
12KB

Download
memory/5004-4-0x00000000009E0000-0x00000000009E3000-memory.dmp

Filesize
12KB

Download
memory/5004-1-0x00000000009E0000-0x00000000009E3000-memory.dmp

Filesize
12KB

Download