privateloader | b3df198d64ba6f401611f56743bd344c1b02915f9e5d571d271ef8557feaf56c

Analysis

max time kernel
121s
max time network
142s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rcsetup153.exe
Size

12.4MB
MD5

5ffb412044b8bfbcda9dab78cf4e8ac5
SHA1

d4e81d90ceaf8179a8b8f112cfa310ec89106dd0
SHA256

b3df198d64ba6f401611f56743bd344c1b02915f9e5d571d271ef8557feaf56c
SHA512

ed5d688e08482e4289c8b74d70398c529cef940379539c8830b44b75385bc1aa5ad5ffd1bcb4f84a193f27064b3fada6b6643ee164c1f4d91479f18c371ea28b
SSDEEP

196608:VzbT8y9mYpOxg521uaSrwizLnyrGB5kVmQ4Sk0OL9MH70Ep+4IhX4kYRd5ekUDGe:V3TXUxgTaSvLn5I2SriMY4+4I1uEkkTF

Score

10^/10

privateloader bootkit discovery loader persistence spyware stealer

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	recuva64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rcsetup153.exe
File opened for modification	\??\PhysicalDrive0	recuva64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 50 IoCs

description	ioc	Process
File created	C:\Program Files\Recuva\Lang\lang-1028.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1046.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1037.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\recuva.exe	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1043.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1057.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1036.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1052.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1079.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-9999.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1063.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1051.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1067.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1058.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1030.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1026.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1068.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1060.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\uninst.exe	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1032.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1041.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-2052.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1035.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1029.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1048.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\recuva64.exe	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1031.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-5146.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1061.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\SomeRandomTmpFile748329742893.tmp	recuva64.exe
File created	C:\Program Files\Recuva\RecuvaShell64.dll.new	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1025.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-3098.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1059.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1066.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1044.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1040.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-2074.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1049.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1034.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1045.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1054.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1027.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1071.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1038.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1055.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1050.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1062.dll	rcsetup153.exe
File opened for modification	C:\Program Files\Recuva\RecuvaShell64.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1053.dll	rcsetup153.exe

Executes dropped EXE 2 IoCs

pid	Process
692	recuva64.exe
2780	recuva64.exe

Loads dropped DLL 64 IoCs

pid	Process
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
840	regsvr32.exe
1004	regsvr32.exe
1740	rcsetup153.exe
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
692	recuva64.exe
1740	rcsetup153.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	recuva64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	recuva64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	recuva64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	recuva64.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva\Language = "1033"	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-18	recuva64.exe
Key created	\REGISTRY\USER\S-1-5-19	recuva64.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform	rcsetup153.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva\Language = "1033"	rcsetup153.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\Recuva	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-20	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-20	recuva64.exe
Key created	\REGISTRY\USER\.DEFAULT	rcsetup153.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-19	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	rcsetup153.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva	rcsetup153.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	rcsetup153.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\Recuva\Language = "1033"	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva	rcsetup153.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Software\Piriform	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Software\Piriform\Recuva	rcsetup153.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RecuvaShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR\ = "C:\\Program Files\\Recuva"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Software	rcsetup153.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Software\Piriform\Recuva\Language = "1033"	rcsetup153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL\AppID = "{80109467-DE5A-42A1-9445-7E3952C80B6E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\ = "RecuvaShellExt Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\ = "RecuvaShell 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Software\Piriform\Recuva	rcsetup153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E}\ = "RecuvaShell"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32	regsvr32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	recuva64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	rcsetup153.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	rcsetup153.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	recuva64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	recuva64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	recuva64.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1740	rcsetup153.exe
Token: SeManageVolumePrivilege	1740	rcsetup153.exe
Token: SeRestorePrivilege	1740	rcsetup153.exe
Token: SeRestorePrivilege	692	recuva64.exe
Token: SeBackupPrivilege	692	recuva64.exe
Token: SeRestorePrivilege	692	recuva64.exe
Token: SeBackupPrivilege	692	recuva64.exe
Token: SeRestorePrivilege	692	recuva64.exe
Token: SeBackupPrivilege	692	recuva64.exe
Token: SeRestorePrivilege	692	recuva64.exe
Token: SeBackupPrivilege	692	recuva64.exe
Token: SeRestorePrivilege	692	recuva64.exe
Token: SeBackupPrivilege	692	recuva64.exe
Token: SeRestorePrivilege	692	recuva64.exe
Token: SeBackupPrivilege	692	recuva64.exe
Token: SeRestorePrivilege	692	recuva64.exe
Token: SeBackupPrivilege	692	recuva64.exe
Token: SeRestorePrivilege	692	recuva64.exe
Token: SeBackupPrivilege	692	recuva64.exe
Token: SeRestorePrivilege	692	recuva64.exe
Token: SeBackupPrivilege	692	recuva64.exe
Token: SeRestorePrivilege	692	recuva64.exe
Token: SeBackupPrivilege	692	recuva64.exe
Token: SeBackupPrivilege	2328	vssvc.exe
Token: SeRestorePrivilege	2328	vssvc.exe
Token: SeAuditPrivilege	2328	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2780	recuva64.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
1740	rcsetup153.exe
2780	recuva64.exe
2780	recuva64.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 840	1740	rcsetup153.exe	29
PID 1740 wrote to memory of 840	1740	rcsetup153.exe	29
PID 1740 wrote to memory of 840	1740	rcsetup153.exe	29
PID 1740 wrote to memory of 840	1740	rcsetup153.exe	29
PID 1740 wrote to memory of 840	1740	rcsetup153.exe	29
PID 1740 wrote to memory of 840	1740	rcsetup153.exe	29
PID 1740 wrote to memory of 840	1740	rcsetup153.exe	29
PID 840 wrote to memory of 1004	840	regsvr32.exe	30
PID 840 wrote to memory of 1004	840	regsvr32.exe	30
PID 840 wrote to memory of 1004	840	regsvr32.exe	30
PID 840 wrote to memory of 1004	840	regsvr32.exe	30
PID 840 wrote to memory of 1004	840	regsvr32.exe	30
PID 840 wrote to memory of 1004	840	regsvr32.exe	30
PID 840 wrote to memory of 1004	840	regsvr32.exe	30
PID 1740 wrote to memory of 692	1740	rcsetup153.exe	31
PID 1740 wrote to memory of 692	1740	rcsetup153.exe	31
PID 1740 wrote to memory of 692	1740	rcsetup153.exe	31
PID 1740 wrote to memory of 692	1740	rcsetup153.exe	31
PID 1740 wrote to memory of 2780	1740	rcsetup153.exe	34
PID 1740 wrote to memory of 2780	1740	rcsetup153.exe	34
PID 1740 wrote to memory of 2780	1740	rcsetup153.exe	34
PID 1740 wrote to memory of 2780	1740	rcsetup153.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe
"C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\system32\regsvr32.exe
    /I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:1004
- C:\Program Files\Recuva\recuva64.exe
  "C:\Program Files\Recuva\recuva64.exe" /installationComplete "bin|folders|allusers"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Program Files\Recuva\recuva64.exe
  "C:\Program Files\Recuva\recuva64.exe"
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Recuva\RecuvaShell64.dll

Filesize
353KB

MD5
28f7b04a5a2b00f8cd7bb9ac8c926561

SHA1
66326430cd2bcaa39a30095ece30a4b4e673d9a7

SHA256
6974a6b2c5b4ff0ce7e4ea7385787d36d5793cc344f03710c24b994699a5c2ef

SHA512
49c7c5532ebaa70042fcd275452bcd8c2d795bae9adb37fb5c55e16519a99f25842a19f07b6f2dfebaf3fc8f9a5a85f5fd3a3f94f267d2611566c6931258fc45

Download Submit
C:\Program Files\Recuva\lang\lang-1025.dll

Filesize
44KB

MD5
9ddb914c12b8931300badf0af3007afc

SHA1
ca12b9a7928e73a94db8ea43aa3969508c219ef5

SHA256
3986bfe961bbd9cfa4f157755aef89ee064f6dcd33419d79d8edb09d72153df7

SHA512
f76cc7d441275be6bf5fbf7684aad98ce9b43bac4a9fc3579770ab2fb79282c25e478c4601682ae73175fb443205e7005907b1317ac7f07a9d74e4f159cb0830

Download Submit
C:\Program Files\Recuva\lang\lang-1027.dll

Filesize
51KB

MD5
2facb5e65c8480fc8a0c3ddca8469020

SHA1
0eff87f3c92a039fd1807fb06633be83c7e1f640

SHA256
8d989a3a83df8150bead76dd49cc8c32b4242d006347061cedd06759e9e20f79

SHA512
7739c700d7c9bf011b7ac2d59786e20a54644603b1d42ea9c28fe43c0aae86968d38ef131abbf7030b289e389bbc96bb664215f729b17020975412a237d49d16

Download Submit
C:\Program Files\Recuva\lang\lang-1028.dll

Filesize
27KB

MD5
de8dcf8665fbf2125e03e13fa0af7e5c

SHA1
df9f08b3f6145d30205d290e1e4c56b74bc04734

SHA256
636075af19d92afd327fe831b28836c1fd196d10279f0fa046b6e0de870c5a0f

SHA512
2b3283d413938db03f61cda75646f1b8aedb869240416b35501cf0079666841d1ec85e49e9c7e9c97b5415bc6de6960f6f07ed410afdade12ffd1e80ceb51a1a

Download Submit
C:\Program Files\Recuva\lang\lang-1030.dll

Filesize
46KB

MD5
44bbf13452ffb6fc77a1cab6b3eb70a3

SHA1
2e06230f1efa667ad271898caf82925162ee4984

SHA256
dd392a083f67df1d2ecacae0131800c232040b84b5b8fce4df477a70930b4eb7

SHA512
3ec1e86310e8ba96b992c961ffe49bcbc0ceea02ccf66ce183a429301dfd9021b953602e8880aa66c689966aaa2ca61131971612da422d4932fa2d29a30db509

Download Submit
C:\Program Files\Recuva\lang\lang-1032.dll

Filesize
52KB

MD5
2951aff067cebc29a13b20b921416b86

SHA1
49c528c482ac6c48b36f5f011ea9aece7413e3eb

SHA256
bbc893ff8dd4279e7f822bd6f14c454db229cd85c09e44f45503bbe938343013

SHA512
7a1b2c27eead257ec441be1e3028bb02c8d0248503467188b83eae9e80f12a7e888277d6f17372fc2a008fb92848ba035b3e10ed31189e914fd920f6446bc5f4

Download Submit
C:\Program Files\Recuva\lang\lang-1034.dll

Filesize
52KB

MD5
6efdee57ce0538d5dc2f32caf88a16a2

SHA1
76e181620caa2907b9d2b2427a46c9e6861c6db8

SHA256
6f744599b2622a60f0f7dbc7e6ccfe3973349c523781c61a8bdf66527bdb33ec

SHA512
e30539419e610ed81a337344ed73d35f3fc99702e3de931a5bebaef1178699813452be96280a6a2859bfd28980539b0b0c687df12ca48db894bd77586d3e9889

Download Submit
C:\Program Files\Recuva\lang\lang-1037.dll

Filesize
40KB

MD5
a4fcb6a262236d69465adbfec1c23268

SHA1
0d621ca4b34ce23784135d06a71e78b92dad6060

SHA256
c12a16c4cd4acccf23357864b5db0740cbcf1c1d424a07ed3230000cefe8fa60

SHA512
7076e7469917f392407e86dec32b6f44deeac689bdb08d8cbf67464844936947c9189b3e92f2c3ce8a43694f02b159e9504c2aabec7364b979874b784f1db5b4

Download Submit
C:\Program Files\Recuva\lang\lang-1041.dll

Filesize
32KB

MD5
10cec1e9de4c2e3b3e3c0caed9b69d0b

SHA1
33587bbc8387a368749c1d1e2dc151306f277475

SHA256
e33dde8ed6dbefc2945a6c0ff82eb148e432f9f8e771e7af0a040111d9d23e43

SHA512
257f1998aa57c1fe07f0a0220dda8dfe31a5b52c89d95e087f744ba2885e515d693c2a6b071d55eddf7914f70eb6d98cc745c5c1364465f45cfef22a5f4aacea

Download Submit
C:\Program Files\Recuva\lang\lang-1045.dll

Filesize
49KB

MD5
a067aa2bf30758d3d09b34e9b8183077

SHA1
18632f5ea547181dfb90a88c11f5e13985e697cb

SHA256
d38466c9213410b0696a48f8d2d157f42939c38a14640c5c8d8ed410855b13fd

SHA512
e2ed920dccf1d47b18612c49776f2d9052cf6558265c60d965f7740dbcdc1975ba88ecf652282b7189f5ecd7fb80b025dd4dddd41b248ac6114d86a353b46338

Download Submit
C:\Program Files\Recuva\lang\lang-1046.dll

Filesize
48KB

MD5
fb8966bc3f0fa0c7ef6e3990473ac07c

SHA1
feb021157028ab5f0204ee8af3febb3f476b4751

SHA256
72d15f6d90c8ac7df717b67f7a1126b5e79ee6566a33ee4b6b0d3ba9088525d6

SHA512
f066f9cab13f460f05d4d058fd5b569ab9e7baec9914a657a8fa682b84fb2b6ff4a46867eab1c1dfe7bf2d5a9637653cfbb526dd3096512700b36f2d8108d60d

Download Submit
C:\Program Files\Recuva\lang\lang-1048.dll

Filesize
47KB

MD5
8d80b9957c8078007c3a877516a0d690

SHA1
63e46c2e641f33732537f5e1e7e8739895902cba

SHA256
0dfaf1ae45faa5517a400f939b3f1a7ce21e2fbf79bc06110bfbcb550cbbd61f

SHA512
7f9a49ac4d2108d41cf80122b91cc14d49c633092972de643366ca68051edeaf25e7b8a6591abe58819684bbc948cba329049c8676f667ab3ddd899660a148c0

Download Submit
C:\Program Files\Recuva\lang\lang-1050.dll

Filesize
51KB

MD5
779065193a184dc0319d68db5db8b9a8

SHA1
672193f1597d0a2eaa973f5202507db0f3ba39f4

SHA256
0d2d6f46941caf0f76a814d7c11bb5c3e023fb54a0cd7c20ef2207bd860696fe

SHA512
bb1e39efe6e1f90ff1aa0e1e8bb9e8da2e14f51b72c20430f0cdaff0e4ba99ebb22b964c30892e15450d28f77bdb86fa8e0c2ee8d801ce56963e6468ad02c5cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
504a574e43202f2039118dece4baba1e

SHA1
a3b86d9ea988c26327a08c46cd81abac18c52e70

SHA256
4842058cffe55777487f3006e43fd8e103c3575beb25f08faf9d2e341ffca788

SHA512
d144f590e4b245a86a0facc4c675addf931ced6d3443e12140be10c6259e59421a07e2d9d7d8a74f4de2479ff0d79856145558a122e06930d18394b5585aac85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
32.1MB

MD5
33e038c3042b5cf8d42e68bcc20bb8ec

SHA1
24710e7880541b8f6c9b0ac6200d08e13c7ad8d9

SHA256
224a25a1cff982540b49adb0cd79668a0dd3da0163cc2b80d05b496ee6f3ae44

SHA512
17ac545d625db8bf05102b6cb22551ea5ec76d59737237cc28f1212159b324606bff9f415d0946b776f1dcfabd369480f574fc222d951f8483949f7a19d323fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6114.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6174.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\p\InstallerHelper.dll

Filesize
3.0MB

MD5
75167037fb3c8aeee24125d6f299788b

SHA1
ffa0a17ae8c31b034c8b7493f0c0475707b22244

SHA256
b4d5b08719dde73fdc10d40021ab90c8bd1e83115156c35188bcecb48a1620b0

SHA512
da2ca9e243c1b369e067a0c242bcba41d34a883b8172c938808b5fe33d204e702e4b599408bb89d925ff750e893575e15bc3a461ab34f0384e83b33655ef3525

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\ui\res\Montserrat-Regular.otf

Filesize
44KB

MD5
27e50ffd6a14cbc8221c9dbd3b5208dc

SHA1
713c997ce002a4d8762c2dcc405213061233e4bc

SHA256
40fc1142200a5c1c18f80b6915257083c528c7f7fd2b00a552aeebc42898d428

SHA512
0a602f88cfba906b41719943465edb09917c447d746bfed5c9ce9c75d077f6aed2f8146697acd74557359f1ae267ca2a8e3a2ca40fb1633bde8e6114261abd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\ui\res\PF_logo.png

Filesize
3KB

MD5
079cca30760cca3c01863b6b96e87848

SHA1
98c2ca01f248bc61817db7e5faea4a3d8310db50

SHA256
8dd37d3721e25c32c5bf878b6dba9e61d04b7ce8aec45bdf703a41bc41802dfa

SHA512
3e25c10e3a5830584c608b9178ab062e93e0e9009a7d897bb5e3561180b0b0910bd4178063d982eb33806a005c93931ae2ec5be520ec0d0c9a7c452cb78fd6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\ui\res\RC_Computer.png

Filesize
82KB

MD5
67f13e50fa75087ef8c2074a52cc8bb1

SHA1
8f31cf48fab91b9e263105289d17c146d088274b

SHA256
044ec2d36e9f573d762fc8a43eb09f7b24eb30094a4e61b5d606fd96f72d391f

SHA512
44ee943ae440d93d7ec78393749667680abbe379f9e21fb10244362c2c3f9df790170c541aa30a8487ef25952068c78e44dacd48def29aa84cee78d1c1ce63ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\ui\res\Recuva_Logo_72px.png

Filesize
9KB

MD5
6a2e01749e591a1ce8216daed41b8721

SHA1
a4aa31d936a33eb7d58e809b738184f6b2c7e1c2

SHA256
f72782600989eff0aa13ff7c63875538c9042c32b77862475c899514f61c9290

SHA512
262e6b6ed89fa30f954dc73c1bb329d9ea256fefa172e12b23610e7c1ab6dad3b698cbcdc010f8c16e90b0bdd6e96d60e8aba50b876d69f9fb1f2889ac14f0fe

Download Submit
\Program Files\Recuva\Lang\lang-1026.dll

Filesize
46KB

MD5
e481a7929bb5259c2c3109f715898446

SHA1
2fd5ab1da7f07d73a60866d83dea01315f8b98d0

SHA256
a3ffcfe0a2f99be55ca688e069a401a1c662d81e103760e87bce33fe6bde6395

SHA512
4e6e1354323235176d556dc2b3ebb037120deb509009f66272bc17d381e9c7a802340939560c6d4c8aac27585300d8484f43eb8fbdb8c840fde3f20817362fab

Download Submit
\Program Files\Recuva\Lang\lang-1029.dll

Filesize
46KB

MD5
b795c500b754cb89fa59a75e93ec2995

SHA1
9f6b82938fdcc3d40912f8dd6b7b9c793e62a282

SHA256
c20b2fbdf7abfe43715fbd9a885e77e19048be0f6e43a68068bb72abec0d886b

SHA512
c4505108c5ad0d996d78d49b8f0909d76bee5de591c857c53700fdd022a5fffd311626d7f3624e73b982b570922d64daa72b59363a4f41e9ff97624ed442a03f

Download Submit
\Program Files\Recuva\Lang\lang-1031.dll

Filesize
49KB

MD5
265be91935b61c63cba03f4b7f05cf7f

SHA1
569a8cf145dd27a087cbf8cdedf1330b4c52659c

SHA256
7c357f11264c03e881cd604b3e8d1d36eff1cc0bf0f9728e478b178c25a962de

SHA512
e7f204fc7806280e36bc15c7c92ad46919288848e50688d2b95ca0c8d1e65856508409ca0c28fce177ce4cb8ffa7c21c0690ba701399504d9cca6d37242d7f7b

Download Submit
\Program Files\Recuva\Lang\lang-1035.dll

Filesize
48KB

MD5
36ce745af843c782552193365133e304

SHA1
b98974efe324e006d5ce8a37287ffa1506a5187b

SHA256
ec57eab3e52753d0321efe8f5cdd277a5cd1f6057a9ef61576703aff21664fe1

SHA512
58616abfc5caad0ab7875ee695ad3f2abd06ad1955f3d0bdf7859f148e84332921b5d4461227e118a745d3102a16b198a613d77427abb43215e9e750bb676aa6

Download Submit
\Program Files\Recuva\Lang\lang-1036.dll

Filesize
52KB

MD5
adbca31238c5bdb2b100fd0677d81090

SHA1
d402da5441ec418f20789dc2db50c34bf6b3de17

SHA256
ac082917e481081c653d2e897dd6a0b58e4ac7cbf42b17ad45d7b281ca9a423a

SHA512
fdfa289aacb78069e898a8727013b14185da5536ebcddb0de4881a77d8ce65868d694a6b2cef0a3d540276808004811d22020bc5595b5edd9e5bdb4f96034995

Download Submit
\Program Files\Recuva\Lang\lang-1038.dll

Filesize
50KB

MD5
2a1fc614dfd7fefa59ce5663454f0121

SHA1
305dccbd90a884242f3e7944ea513af806da9c9d

SHA256
c5e9f5112e9d3b2edec3e74f08426128bba6de68bbe9637308dee033693ba0f8

SHA512
0ec44ae4ee4ea3394d03b1e7601043dc5e2fdcb9c180270fcb94809287e7eb88d99e38302a0add80ac78e81dc6d6dfdb88faff9f97d773c98414e51bc8a02e2f

Download Submit
\Program Files\Recuva\Lang\lang-1040.dll

Filesize
50KB

MD5
1b76d1e1721505bb78e244ca9f4b4592

SHA1
0d6cc6fca0efe58137efc4a55896f8f07177f611

SHA256
7000a53f92557e349fd06a7d8c243d15eb934f07e85fb384b331eebb429296c2

SHA512
57618c4d7f43b5a30b4dbce162b600579c72b539814e9d46940d2e54b6f73f9daf1de242b597f18334168ce59fbb868bec5e1b9364e56963f218e748e24f1be1

Download Submit
\Program Files\Recuva\Lang\lang-1043.dll

Filesize
52KB

MD5
aa9aad1c5c880ea0f48095d50d302fd6

SHA1
0015ff4fc557f87fe06d9e5dc6018536398c34c4

SHA256
08b61f09ba0997a01a82ee650e1d7efb14380f98d76ae905fdc80659aa5db70a

SHA512
d5a8704ae380ecd2c953ae0cde8da14a7f4b23073c054ecc2c981bfed3632fd43830bf99d5b9a79a37663b189feb302a0a6d71665929eba86c55fa1308ed311a

Download Submit
\Program Files\Recuva\Lang\lang-1044.dll

Filesize
46KB

MD5
ed87eb680f9d852195da551b84afb425

SHA1
bf8cfc4fde0fbd84240cf5851c3065f70c63a854

SHA256
9ecbf11a016f8151c671f79ccfc61b28484de18d1dd3e85abb46b703eddb8446

SHA512
7c2676606be168793b3524cce32482eb3edc744f27cfcb929716021c7875700b11d3b52a148fee0442d3e114805b168c1c6740bbdd0acd180f3d4273c0354829

Download Submit
\Program Files\Recuva\Lang\lang-1049.dll

Filesize
45KB

MD5
5966407028d5712ae7ee5d874908c97a

SHA1
6fde76062502185daabcb74613e3b08f7ead763e

SHA256
a5b7dd96329547ea34358d4f64e57908cfb6bd06cf78e2cb6db33f9c1870a2e9

SHA512
213d229fa00c1f9f97fd1e337ebef1efe5c2ba9460c9d7cefc6995444c5126c0cf38e99f7c0b046adcb8d1a1b469a4392e0dac23fc670f40ad2e5aab34023d93

Download Submit
\Program Files\Recuva\recuva64.exe

Filesize
7.8MB

MD5
a6e75ac54ca80764ed631be8a0259ef5

SHA1
5e362445783d2800ec7f2c377ed005a58ecb3ba7

SHA256
b640f712a5dc9ab2bb5dd7c7957cf13da520aae74851770437165ede54f3dff4

SHA512
8d8a082a5269706bcfaf6696cff5488b3a3f93d10aa056055726a1c7c6fa2cb77af5bf66d1507c7e1b1e9a844ea37349307511566ba50397e31ac6b4aa405aa9

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\INetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF7D.tmp\ui\pfUI.dll

Filesize
17.3MB

MD5
f7222368c66e02ee333e6fca4fdccb66

SHA1
b2c6c1d24f78cb4a6de87eba5480f3a6f6b278b5

SHA256
b09f1359c68947c7d13123dda3ab56360b982befb43c134be815934ed4879215

SHA512
ab6158735234cbbc7ccfdee3c8e247d196070aa234e6bcb6b4cc6c13b4d0f1c85d84afe5c7d3f98349b32a4d4bc84750335fc9f1d8032e759ea03cea1e11a839

Download Submit
memory/1740-137-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/1740-142-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/1740-135-0x00000000075A0000-0x00000000075A8000-memory.dmp

Filesize
32KB

Download
memory/1740-132-0x0000000007420000-0x0000000007428000-memory.dmp

Filesize
32KB

Download
memory/1740-109-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1740-103-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/1740-85-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1740-187-0x0000000007430000-0x0000000007438000-memory.dmp

Filesize
32KB

Download
memory/1740-190-0x00000000075A0000-0x00000000075A8000-memory.dmp

Filesize
32KB

Download
memory/1740-192-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/1740-197-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads