teslacrypt | 84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_55ef5620d1205df70163818bf84688cd.exe
Size

336KB
MD5

55ef5620d1205df70163818bf84688cd
SHA1

d883ae424be4f1968797f5d1ef3d7968932ab650
SHA256

84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec
SHA512

82f7284808f2e513dac7d3de3cbd13e56699dfa37aa45e936c7b36a7a76ff42ace05d0acb75e454c495a50f0c2d7862114bd9ed23417f1698fc1eb9afcb4b2cd
SSDEEP

6144:0xy9nRqDo0RAua922DNcbCfFpHVKY8E4IvFBJ1KTBNqG:0w9noocAxxDNcbCdfH8E7vtw9Nq

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+felnl.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/1556C2D0322E3565 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/1556C2D0322E3565 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/1556C2D0322E3565 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/1556C2D0322E3565 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/1556C2D0322E3565 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/1556C2D0322E3565 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/1556C2D0322E3565 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/1556C2D0322E3565

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/1556C2D0322E3565

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/1556C2D0322E3565

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/1556C2D0322E3565

http://xlowfznrg4wf7dli.ONION/1556C2D0322E3565

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_55ef5620d1205df70163818bf84688cd.exegailqpnnqmgt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	VirusShare_55ef5620d1205df70163818bf84688cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	gailqpnnqmgt.exe

Drops startup file 6 IoCs

Processes:

gailqpnnqmgt.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+felnl.html	gailqpnnqmgt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+felnl.txt	gailqpnnqmgt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+felnl.html	gailqpnnqmgt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+felnl.txt	gailqpnnqmgt.exe

Executes dropped EXE 1 IoCs

Processes:

gailqpnnqmgt.exe

pid process

4000 gailqpnnqmgt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gailqpnnqmgt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kxrnanexhhgx = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\gailqpnnqmgt.exe\""	gailqpnnqmgt.exe

Drops file in Program Files directory 64 IoCs

Processes:

gailqpnnqmgt.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\_RECoVERY_+felnl.txt	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_RECoVERY_+felnl.txt	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\googleProfileAvatars.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\avatar_round_mask.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\_RECoVERY_+felnl.html	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-64_altform-unplated_contrast-black.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-200.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-150.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-100_contrast-white.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24_altform-unplated.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache.scale-150.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\logo.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-64.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\Internet Explorer\images\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\Font\_RECoVERY_+felnl.txt	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\en-IN_female_TTS\_RECoVERY_+felnl.txt	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\_RECoVERY_+felnl.html	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_24x24x32.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\_RECoVERY_+felnl.html	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Dismiss.scale-80.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jsaddins\onenote_strings.js	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\FindShow.rar	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_RECoVERY_+felnl.html	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\SmallTile.scale-125.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\_RECoVERY_+felnl.html	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSmallTile.scale-100.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\_RECoVERY_+felnl.html	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\_RECoVERY_+felnl.html	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-400_contrast-white.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-200.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-150_contrast-black.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\_RECoVERY_+felnl.txt	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\155.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render_smallest.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\StoreLogo.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\SearchPlaceholder-dark.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\_RECoVERY_+felnl.html	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\30.jpg	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+felnl.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-150.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-white.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-125.png	gailqpnnqmgt.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png	gailqpnnqmgt.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_55ef5620d1205df70163818bf84688cd.exe

description	ioc	process
File created	C:\Windows\gailqpnnqmgt.exe	VirusShare_55ef5620d1205df70163818bf84688cd.exe
File opened for modification	C:\Windows\gailqpnnqmgt.exe	VirusShare_55ef5620d1205df70163818bf84688cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

gailqpnnqmgt.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings gailqpnnqmgt.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2904 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	gailqpnnqmgt.exe

pid	process
2904	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gailqpnnqmgt.exe

pid	process
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe
4000	gailqpnnqmgt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4660 msedge.exe
4660 msedge.exe
4660 msedge.exe
4660 msedge.exe
4660 msedge.exe
4660 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_55ef5620d1205df70163818bf84688cd.exegailqpnnqmgt.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4960	VirusShare_55ef5620d1205df70163818bf84688cd.exe
Token: SeDebugPrivilege	4000	gailqpnnqmgt.exe
Token: SeIncreaseQuotaPrivilege	2400	WMIC.exe
Token: SeSecurityPrivilege	2400	WMIC.exe
Token: SeTakeOwnershipPrivilege	2400	WMIC.exe
Token: SeLoadDriverPrivilege	2400	WMIC.exe
Token: SeSystemProfilePrivilege	2400	WMIC.exe
Token: SeSystemtimePrivilege	2400	WMIC.exe
Token: SeProfSingleProcessPrivilege	2400	WMIC.exe
Token: SeIncBasePriorityPrivilege	2400	WMIC.exe
Token: SeCreatePagefilePrivilege	2400	WMIC.exe
Token: SeBackupPrivilege	2400	WMIC.exe
Token: SeRestorePrivilege	2400	WMIC.exe
Token: SeShutdownPrivilege	2400	WMIC.exe
Token: SeDebugPrivilege	2400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2400	WMIC.exe
Token: SeRemoteShutdownPrivilege	2400	WMIC.exe
Token: SeUndockPrivilege	2400	WMIC.exe
Token: SeManageVolumePrivilege	2400	WMIC.exe
Token: 33	2400	WMIC.exe
Token: 34	2400	WMIC.exe
Token: 35	2400	WMIC.exe
Token: 36	2400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2400	WMIC.exe
Token: SeSecurityPrivilege	2400	WMIC.exe
Token: SeTakeOwnershipPrivilege	2400	WMIC.exe
Token: SeLoadDriverPrivilege	2400	WMIC.exe
Token: SeSystemProfilePrivilege	2400	WMIC.exe
Token: SeSystemtimePrivilege	2400	WMIC.exe
Token: SeProfSingleProcessPrivilege	2400	WMIC.exe
Token: SeIncBasePriorityPrivilege	2400	WMIC.exe
Token: SeCreatePagefilePrivilege	2400	WMIC.exe
Token: SeBackupPrivilege	2400	WMIC.exe
Token: SeRestorePrivilege	2400	WMIC.exe
Token: SeShutdownPrivilege	2400	WMIC.exe
Token: SeDebugPrivilege	2400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2400	WMIC.exe
Token: SeRemoteShutdownPrivilege	2400	WMIC.exe
Token: SeUndockPrivilege	2400	WMIC.exe
Token: SeManageVolumePrivilege	2400	WMIC.exe
Token: 33	2400	WMIC.exe
Token: 34	2400	WMIC.exe
Token: 35	2400	WMIC.exe
Token: 36	2400	WMIC.exe
Token: SeBackupPrivilege	2524	vssvc.exe
Token: SeRestorePrivilege	2524	vssvc.exe
Token: SeAuditPrivilege	2524	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4988	WMIC.exe
Token: SeSecurityPrivilege	4988	WMIC.exe
Token: SeTakeOwnershipPrivilege	4988	WMIC.exe
Token: SeLoadDriverPrivilege	4988	WMIC.exe
Token: SeSystemProfilePrivilege	4988	WMIC.exe
Token: SeSystemtimePrivilege	4988	WMIC.exe
Token: SeProfSingleProcessPrivilege	4988	WMIC.exe
Token: SeIncBasePriorityPrivilege	4988	WMIC.exe
Token: SeCreatePagefilePrivilege	4988	WMIC.exe
Token: SeBackupPrivilege	4988	WMIC.exe
Token: SeRestorePrivilege	4988	WMIC.exe
Token: SeShutdownPrivilege	4988	WMIC.exe
Token: SeDebugPrivilege	4988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4988	WMIC.exe
Token: SeRemoteShutdownPrivilege	4988	WMIC.exe
Token: SeUndockPrivilege	4988	WMIC.exe
Token: SeManageVolumePrivilege	4988	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_55ef5620d1205df70163818bf84688cd.exegailqpnnqmgt.exemsedge.exe

description	pid	process	target process
PID 4960 wrote to memory of 4000	4960	VirusShare_55ef5620d1205df70163818bf84688cd.exe	gailqpnnqmgt.exe
PID 4960 wrote to memory of 4000	4960	VirusShare_55ef5620d1205df70163818bf84688cd.exe	gailqpnnqmgt.exe
PID 4960 wrote to memory of 4000	4960	VirusShare_55ef5620d1205df70163818bf84688cd.exe	gailqpnnqmgt.exe
PID 4960 wrote to memory of 2000	4960	VirusShare_55ef5620d1205df70163818bf84688cd.exe	cmd.exe
PID 4960 wrote to memory of 2000	4960	VirusShare_55ef5620d1205df70163818bf84688cd.exe	cmd.exe
PID 4960 wrote to memory of 2000	4960	VirusShare_55ef5620d1205df70163818bf84688cd.exe	cmd.exe
PID 4000 wrote to memory of 2400	4000	gailqpnnqmgt.exe	WMIC.exe
PID 4000 wrote to memory of 2400	4000	gailqpnnqmgt.exe	WMIC.exe
PID 4000 wrote to memory of 2904	4000	gailqpnnqmgt.exe	NOTEPAD.EXE
PID 4000 wrote to memory of 2904	4000	gailqpnnqmgt.exe	NOTEPAD.EXE
PID 4000 wrote to memory of 2904	4000	gailqpnnqmgt.exe	NOTEPAD.EXE
PID 4000 wrote to memory of 4660	4000	gailqpnnqmgt.exe	msedge.exe
PID 4000 wrote to memory of 4660	4000	gailqpnnqmgt.exe	msedge.exe
PID 4660 wrote to memory of 3132	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3132	4660	msedge.exe	msedge.exe
PID 4000 wrote to memory of 4988	4000	gailqpnnqmgt.exe	WMIC.exe
PID 4000 wrote to memory of 4988	4000	gailqpnnqmgt.exe	WMIC.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3260	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4524	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4524	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4700	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4700	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4700	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4700	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4700	4660	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gailqpnnqmgt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gailqpnnqmgt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gailqpnnqmgt.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_55ef5620d1205df70163818bf84688cd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_55ef5620d1205df70163818bf84688cd.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\gailqpnnqmgt.exe
  C:\Windows\gailqpnnqmgt.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4000
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe2d346f8,0x7fffe2d34708,0x7fffe2d34718
      4⤵
      PID:3132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15235923164188433586,2084501613977657912,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:3260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15235923164188433586,2084501613977657912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      PID:4524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15235923164188433586,2084501613977657912,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
      4⤵
      PID:4700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15235923164188433586,2084501613977657912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
      4⤵
      PID:2224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15235923164188433586,2084501613977657912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
      4⤵
      PID:3672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15235923164188433586,2084501613977657912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
      4⤵
      PID:4164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15235923164188433586,2084501613977657912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
      4⤵
      PID:1688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15235923164188433586,2084501613977657912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
      4⤵
      PID:1472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15235923164188433586,2084501613977657912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
      4⤵
      PID:768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15235923164188433586,2084501613977657912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
      4⤵
      PID:2440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15235923164188433586,2084501613977657912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
      4⤵
      PID:284
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GAILQP~1.EXE
    3⤵
    PID:688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:2000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+felnl.html

Filesize
11KB

MD5
0592637406dc9ea4d31b0933cb1417ef

SHA1
e4a8c41b0308bad03b58ce76775163e237290166

SHA256
1a735e002e2167d611321d80ce7b0df3ad575a8b14d1d60536ccd02f08e88274

SHA512
a37b05d9e13781bafef7ae611bffe310769598b2280cdac5e99571f30c55800283ad3bf0b096a900265621b05d896c37060e9d15c0793e80d6ae4333d5fdb35f

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+felnl.png

Filesize
63KB

MD5
e5fee59479e03b16f4821c77b0ea21d1

SHA1
ec427081593035cb164a4c3717c975288b1f1f19

SHA256
fc54064cac426a48bef62a40a97ac30d542d00ca245592b7fdabdac47db02687

SHA512
93a788bb40f50948ddbc7f99397d6ea3c35dc8dad7ac1d8a58f9bd4eefbdeaaa2ed22366263076cad61e3831d8c91aeb5d628a5327b0691cb51ab6193c2d6444

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+felnl.txt

Filesize
1KB

MD5
d924ee0b9c2637f9515027fcc58dc11e

SHA1
ca107fbde955d751549107f257d26e7a1ad3da0b

SHA256
6aa715a7b965e4c43971fb1e85e93d6503f79bf70ff3ac0d8387fdc2e2d9bb0f

SHA512
92038528f3b34247b4fbbcbc7a764eca91f228bd270df7a905c07c8feda6fff0be9c77c6e584a8ce930be9b3504298f4ebaba1a2b8814bce69b754f0a9d8642d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
a57af626bb458323c48552ee9a0732c2

SHA1
55efce967dbe402019e654ee7fffaf437237fb8e

SHA256
8730dd2713b01f33ed3fbe098c306eedc5e060ba496ac724f045704cd6946b1f

SHA512
e0a442b3b5e5873455b065e466ee5b6dc304984fa84e8b7cfbccc6342da513da5f86cb8ab1a3fcea69daa4e2b0cefffc43845dba701da162765ada09b8c02438

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
1f9a013e308fe27f7bef0bd2ea9b560b

SHA1
96a35c077af4bbe2b184073b887764e5374100da

SHA256
73a622968d7d5056d59a051a83e14a43903505c2c6595443437cd4226ee55dc2

SHA512
fa962db5b829063d9fc83b699ebaa84dc863343d6cfeba0a80876dbcb7473f0ebd61e39b35fc3bfa13b5bcebfed7bd4bbd6f57884925b0867b83b67e53bd1c0b

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
1646bd21ed8b1191c8e84f1209c0156d

SHA1
f6ae5a341bc3dd3480972daf5c4d4a1be7b9cafd

SHA256
2e7102aba1b2807ce39dcf844459df3584129b0b605f2cb573ddf7b064db02d4

SHA512
ea2e3ab98e87f6a5dce591be8ce90d8828b0e50190e88fd3fc99cb6953a3662f2eca16d63afd2fe80163655fef1cde24069ad1b6f2496bee4d94d959229bfe80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3fcd6dea2b74abce087defbb3cbf024a

SHA1
5072a4a3325dff6ef81bb162ec60e03aa21c407a

SHA256
74a4de4d079fffb5ee6c62704f1e588f0d9e15f090c2a43bc23eb09cebd395c4

SHA512
4943e4ab48ac135ccd2f050d51571dc2e99e79f332ad654ba1663e3c4ad3ebc99169be542e5176d3ecfb12d2415d2558d7f854533a034f376d05cb89f568f9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
610b5fa072590392b80fca2e4f49964f

SHA1
178248da9d5bfcd06b34fd0f83fc07bcb5b9b3f7

SHA256
80c4c21d3341c2eb09267740b0886275477c27aa40f54cdab556c712b7dfa993

SHA512
b3f8addc78755cf35a3f5dd2759b456045e07dc4a4cc60388a6fc33ad252eb16d71ad2b5780d88478d4dfd20cd02e5b18c7851dc7e2f7eae7088da31005554bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2ca0fd7304feb98d03b0b07768c0e464

SHA1
cc1ec88af2692129804c457bbe20e7c4b63532bd

SHA256
5661a2505f372d001eb99ee66bddbbf5530b7109b3e8f040f057115eb33e3eb0

SHA512
68abd017c91fbc8168bdb44cd1245e10066a7e402d793c3fc24adad7a9325f4bc83bff68f1a1fe0f0103a4a6e7aead9a651e756f42fef3fa6751631eb1b5cbe5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586097090598174.txt

Filesize
75KB

MD5
3e86b286953da291644991afc1ab0e79

SHA1
ac5b386115c3b9cdcf205b1d9e98b7a6484fcd7c

SHA256
c37bf433a465bcffecc8fa690dbc929e74d4be867e131a622698f221028ac264

SHA512
d4ecf3824210dd95f9dd9cf31887cccd5faa7505218d2be11ab3d314353e99d54989d7d56170975fd84c7ce9f8b2a8bc15c21b93aa66b2f225055d60b4e1c777

Download Submit
C:\Windows\gailqpnnqmgt.exe

Filesize
336KB

MD5
55ef5620d1205df70163818bf84688cd

SHA1
d883ae424be4f1968797f5d1ef3d7968932ab650

SHA256
84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec

SHA512
82f7284808f2e513dac7d3de3cbd13e56699dfa37aa45e936c7b36a7a76ff42ace05d0acb75e454c495a50f0c2d7862114bd9ed23417f1698fc1eb9afcb4b2cd

Download Submit
\??\pipe\LOCAL\crashpad_4660_IGTQEPHMXAATNBVR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4000-10387-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4000-10283-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4000-7417-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4000-4528-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4000-2132-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4000-13-0x0000000002120000-0x00000000021A6000-memory.dmp

Filesize
536KB

Download
memory/4000-10462-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4000-10477-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4960-0-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4960-9-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4960-3-0x0000000002170000-0x00000000021F6000-memory.dmp

Filesize
536KB

Download