teslacrypt | 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_591c7f90216f596b849ef9562b8f155b.exe
Size

424KB
MD5

591c7f90216f596b849ef9562b8f155b
SHA1

f3c185a27c38214418daa50407c9964fd5281d95
SHA256

3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4
SHA512

31cfa0fb8cc85398223b2377a170fbbdf01ad82764611c3c7775c80119bf0b5bd24d1943135ab18a3e1cff123813b0f786d522ea7d5c5387a1f84f8de6fa178f
SSDEEP

12288:Jj6qMoki2//HuarKqen05/QexvmBG3zbblCJxfS6:JjPQ/HdQoq2fOR1

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+cyhyi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/CB73405DCCCFDFB9 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/CB73405DCCCFDFB9 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/CB73405DCCCFDFB9 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/CB73405DCCCFDFB9 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/CB73405DCCCFDFB9 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/CB73405DCCCFDFB9 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/CB73405DCCCFDFB9 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/CB73405DCCCFDFB9

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/CB73405DCCCFDFB9

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/CB73405DCCCFDFB9

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/CB73405DCCCFDFB9

http://xlowfznrg4wf7dli.ONION/CB73405DCCCFDFB9

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (874) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_591c7f90216f596b849ef9562b8f155b.exerrfwirscsxty.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	VirusShare_591c7f90216f596b849ef9562b8f155b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	rrfwirscsxty.exe

Drops startup file 6 IoCs

Processes:

rrfwirscsxty.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+cyhyi.txt	rrfwirscsxty.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+cyhyi.txt	rrfwirscsxty.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe

Executes dropped EXE 1 IoCs

Processes:

rrfwirscsxty.exe

pid process

3804 rrfwirscsxty.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rrfwirscsxty.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drsixgemuypd = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\rrfwirscsxty.exe\""	rrfwirscsxty.exe

Drops file in Program Files directory 64 IoCs

Processes:

rrfwirscsxty.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-400.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-400.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\DarkGray.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\LargeTile.scale-100.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated_contrast-white.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\_RECoVERY_+cyhyi.txt	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\WideTile.scale-200.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\dropdownarrow_16x16x32.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\_RECoVERY_+cyhyi.txt	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-40.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\th-TH\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_RECoVERY_+cyhyi.txt	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-white_scale-200.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-black.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-400.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalStoreLogo.scale-200.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-high.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileWide.scale-200.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-60_contrast-black.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-400.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_RECoVERY_+cyhyi.txt	rrfwirscsxty.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-200.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-150.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_contrast-black.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-64_contrast-white.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\_RECoVERY_+cyhyi.txt	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_AppList.scale-100.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-150.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_RECoVERY_+cyhyi.txt	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\vfs\Windows\assembly\GAC_MSIL\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-black_scale-125.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-200.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\_RECoVERY_+cyhyi.txt	rrfwirscsxty.exe
File opened for modification	C:\Program Files\dotnet\swidtag\_RECoVERY_+cyhyi.html	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\193.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Ear.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_RECoVERY_+cyhyi.txt	rrfwirscsxty.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_RECoVERY_+cyhyi.png	rrfwirscsxty.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\LargeTile.scale-125.png	rrfwirscsxty.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_591c7f90216f596b849ef9562b8f155b.exe

description	ioc	process
File created	C:\Windows\rrfwirscsxty.exe	VirusShare_591c7f90216f596b849ef9562b8f155b.exe
File opened for modification	C:\Windows\rrfwirscsxty.exe	VirusShare_591c7f90216f596b849ef9562b8f155b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

rrfwirscsxty.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings rrfwirscsxty.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4704 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	rrfwirscsxty.exe

pid	process
4704	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rrfwirscsxty.exe

pid	process
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe
3804	rrfwirscsxty.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2836 msedge.exe
2836 msedge.exe
2836 msedge.exe
2836 msedge.exe
2836 msedge.exe
2836 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_591c7f90216f596b849ef9562b8f155b.exerrfwirscsxty.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1572	VirusShare_591c7f90216f596b849ef9562b8f155b.exe
Token: SeDebugPrivilege	3804	rrfwirscsxty.exe
Token: SeIncreaseQuotaPrivilege	3328	WMIC.exe
Token: SeSecurityPrivilege	3328	WMIC.exe
Token: SeTakeOwnershipPrivilege	3328	WMIC.exe
Token: SeLoadDriverPrivilege	3328	WMIC.exe
Token: SeSystemProfilePrivilege	3328	WMIC.exe
Token: SeSystemtimePrivilege	3328	WMIC.exe
Token: SeProfSingleProcessPrivilege	3328	WMIC.exe
Token: SeIncBasePriorityPrivilege	3328	WMIC.exe
Token: SeCreatePagefilePrivilege	3328	WMIC.exe
Token: SeBackupPrivilege	3328	WMIC.exe
Token: SeRestorePrivilege	3328	WMIC.exe
Token: SeShutdownPrivilege	3328	WMIC.exe
Token: SeDebugPrivilege	3328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3328	WMIC.exe
Token: SeRemoteShutdownPrivilege	3328	WMIC.exe
Token: SeUndockPrivilege	3328	WMIC.exe
Token: SeManageVolumePrivilege	3328	WMIC.exe
Token: 33	3328	WMIC.exe
Token: 34	3328	WMIC.exe
Token: 35	3328	WMIC.exe
Token: 36	3328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3328	WMIC.exe
Token: SeSecurityPrivilege	3328	WMIC.exe
Token: SeTakeOwnershipPrivilege	3328	WMIC.exe
Token: SeLoadDriverPrivilege	3328	WMIC.exe
Token: SeSystemProfilePrivilege	3328	WMIC.exe
Token: SeSystemtimePrivilege	3328	WMIC.exe
Token: SeProfSingleProcessPrivilege	3328	WMIC.exe
Token: SeIncBasePriorityPrivilege	3328	WMIC.exe
Token: SeCreatePagefilePrivilege	3328	WMIC.exe
Token: SeBackupPrivilege	3328	WMIC.exe
Token: SeRestorePrivilege	3328	WMIC.exe
Token: SeShutdownPrivilege	3328	WMIC.exe
Token: SeDebugPrivilege	3328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3328	WMIC.exe
Token: SeRemoteShutdownPrivilege	3328	WMIC.exe
Token: SeUndockPrivilege	3328	WMIC.exe
Token: SeManageVolumePrivilege	3328	WMIC.exe
Token: 33	3328	WMIC.exe
Token: 34	3328	WMIC.exe
Token: 35	3328	WMIC.exe
Token: 36	3328	WMIC.exe
Token: SeBackupPrivilege	1924	vssvc.exe
Token: SeRestorePrivilege	1924	vssvc.exe
Token: SeAuditPrivilege	1924	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3276	WMIC.exe
Token: SeSecurityPrivilege	3276	WMIC.exe
Token: SeTakeOwnershipPrivilege	3276	WMIC.exe
Token: SeLoadDriverPrivilege	3276	WMIC.exe
Token: SeSystemProfilePrivilege	3276	WMIC.exe
Token: SeSystemtimePrivilege	3276	WMIC.exe
Token: SeProfSingleProcessPrivilege	3276	WMIC.exe
Token: SeIncBasePriorityPrivilege	3276	WMIC.exe
Token: SeCreatePagefilePrivilege	3276	WMIC.exe
Token: SeBackupPrivilege	3276	WMIC.exe
Token: SeRestorePrivilege	3276	WMIC.exe
Token: SeShutdownPrivilege	3276	WMIC.exe
Token: SeDebugPrivilege	3276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3276	WMIC.exe
Token: SeRemoteShutdownPrivilege	3276	WMIC.exe
Token: SeUndockPrivilege	3276	WMIC.exe
Token: SeManageVolumePrivilege	3276	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_591c7f90216f596b849ef9562b8f155b.exerrfwirscsxty.exemsedge.exe

description	pid	process	target process
PID 1572 wrote to memory of 3804	1572	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	rrfwirscsxty.exe
PID 1572 wrote to memory of 3804	1572	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	rrfwirscsxty.exe
PID 1572 wrote to memory of 3804	1572	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	rrfwirscsxty.exe
PID 1572 wrote to memory of 2996	1572	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	cmd.exe
PID 1572 wrote to memory of 2996	1572	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	cmd.exe
PID 1572 wrote to memory of 2996	1572	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	cmd.exe
PID 3804 wrote to memory of 3328	3804	rrfwirscsxty.exe	WMIC.exe
PID 3804 wrote to memory of 3328	3804	rrfwirscsxty.exe	WMIC.exe
PID 3804 wrote to memory of 4704	3804	rrfwirscsxty.exe	NOTEPAD.EXE
PID 3804 wrote to memory of 4704	3804	rrfwirscsxty.exe	NOTEPAD.EXE
PID 3804 wrote to memory of 4704	3804	rrfwirscsxty.exe	NOTEPAD.EXE
PID 3804 wrote to memory of 2836	3804	rrfwirscsxty.exe	msedge.exe
PID 3804 wrote to memory of 2836	3804	rrfwirscsxty.exe	msedge.exe
PID 2836 wrote to memory of 284	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 284	2836	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3276	3804	rrfwirscsxty.exe	WMIC.exe
PID 3804 wrote to memory of 3276	3804	rrfwirscsxty.exe	WMIC.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1384	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4048	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4048	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4612	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4612	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4612	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4612	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4612	2836	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

rrfwirscsxty.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	rrfwirscsxty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	rrfwirscsxty.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_591c7f90216f596b849ef9562b8f155b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_591c7f90216f596b849ef9562b8f155b.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\rrfwirscsxty.exe
  C:\Windows\rrfwirscsxty.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3804
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3328
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff801b646f8,0x7ff801b64708,0x7ff801b64718
      4⤵
      PID:284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4486832462650801750,9788881310688382407,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
      4⤵
      PID:1384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4486832462650801750,9788881310688382407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
      4⤵
      PID:4048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4486832462650801750,9788881310688382407,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
      4⤵
      PID:4612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4486832462650801750,9788881310688382407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:3380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4486832462650801750,9788881310688382407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:3832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4486832462650801750,9788881310688382407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
      4⤵
      PID:2160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4486832462650801750,9788881310688382407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
      4⤵
      PID:3620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4486832462650801750,9788881310688382407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
      4⤵
      PID:4032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4486832462650801750,9788881310688382407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
      4⤵
      PID:3836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4486832462650801750,9788881310688382407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
      4⤵
      PID:1448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4486832462650801750,9788881310688382407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
      4⤵
      PID:2292
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\RRFWIR~1.EXE
    3⤵
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:2996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+cyhyi.html

Filesize
8KB

MD5
93d5d433b8a541d3f1f63156a4d9c074

SHA1
50cce25850743d5950a24c76aa320f35913a6fb4

SHA256
d55a82aca5fbf2f2dc3ae7fdaf8640aa47b120212d2fa8411e906eab7a076e90

SHA512
f4e31c25932a160277640fb2301818968af0c6e08d8a7d96cc77a7aba13d263ca35e21e50436268b740847da541eeecc1f3095fcf42241ceedb1ba62684f1cc3

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+cyhyi.png

Filesize
65KB

MD5
ffd0c90eea4be175db438883aed2ad8e

SHA1
49783eb4cd8720d191e1519c540ba89203a2e450

SHA256
859b0f5f1f38dd9869524c340db368cb7eba2fd52ad24a67794c0540c5e315ee

SHA512
2b747b6ec3c71a1f5cd83cf410931c2005a25abd8028371098ce00b4a1a4060906fd7259475d3ee1a80574277ed92c68b41961d99dbfa23a9fe048b11ee9e541

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+cyhyi.txt

Filesize
1KB

MD5
75bb5be2baf0061c21f2c13d45425130

SHA1
37ab7e68acea71fff1687d82087203afcb168f84

SHA256
3aad94cf36625d49d2b2805e780fcd13b1be432d30fc4f9a4b399f02d87dcd3f

SHA512
12e39282f81ef0fc66d59719ccb9a8e106db5d02f2a918b166b17c5cd481d0cc987eb9daf7f099509f8fd7a6d26d00849ca9b0315ab05a4af19bba6cc1d306f0

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
b26235bec887c8b7cd10fb3743b33114

SHA1
2f8bb818377c0a92e0fbabf360adf80b205432cf

SHA256
e527c4e8bcc77a21112a12dcea6497bbce063511fe115e9c7d30de3ab6c1f84a

SHA512
a94c5bb51b8425a130ea38a879f4d53c0b3cccae85a297d48a5ac96b7329fba91c29cb9a6a9530eed871a479fcf952cddf98aafc29b1e47c6b85c30fd78eee67

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
c361fc58da14934b2639a6bf99e2dd91

SHA1
dd9d673101d9d03bd1c66e4e5cbf5d82cff503b2

SHA256
c5fd5c21a0f3269b043ab58602a062581b03ef601f4e422c52e07688231cd6c1

SHA512
f82bf7f4ce0cd5b92c5b41b6e232002fd9fc5c8ffcd2bc9d61dcf6c32f87128ba4e195a800f4b15f34c03bfa63af10e16c375ee6749bf8b9163b6bca8211f579

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
aeb383e7ee3cd79b1a719ef34e2a5023

SHA1
1d815e7ba3e46eb1c7d56cce2e94fe5c88cffe74

SHA256
2cdb67406f9b1871f8b80b0259570fe2ea2742af30a11ac7ec89254004b5bd30

SHA512
3a1007e092937552532a8c298f89e2679f66f22358ee9d7e2ea891bef3a962f735faa28307aca3b5bda15dae0deacb86e23a6578d19e8b5329eb6e4e0c96d1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8799e33e4ef3a313a2b9e6d8b6753b8

SHA1
65e6987823be325f092bb8671b3b6fde73151da8

SHA256
0545e2a18203741114c1e992eeab9bad7c44148c9b3e44332bb3ea98a3938131

SHA512
b3ce28f29ace09c8711a75b992e39944bc6d8f0c4be71fc1f856a2645393cf9f6bc811800b009c81a43c984d28a2021520c6722a6e03b3ef37720492b56f6fc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
519dece05c8d5fbf25934e04e6458c18

SHA1
4043fea84478d0b6a731643a9aff100c0cf668b4

SHA256
037124ccee5a018495a2686b311984f54c11c1601798c9b916a806e6571294e5

SHA512
5fc4b50cfe99c763c8d6a8d00769b5d8c190f06441477107f3beae977b772a8e2b29cc45d4d1f1f0545cef9a73c583e13344ed5d2c79fb1b6606edb3dec37275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70388d0052a29ded730dad783f45fc7b

SHA1
129889b294b05df721295729aa2ae04ae30a6c1d

SHA256
998897a6efea48b76a802b42d8774015509990453884d72c39c8f60aadea6164

SHA512
55b92c57a5f3d054d393e5764ea1f0841563a38dd51baa801f55246535c68824a61495c14723fd2d24d3958ead8db4837bd3e98c164da0fb71febbe228eabb82

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449526171674.txt

Filesize
75KB

MD5
e3940d26d15187dfdf368d191c68914f

SHA1
69ab41b3f025d57c2a87637ed2999143cb51d969

SHA256
fdcd7df5b1a4685095ed234d3f8963652e41b6fb6f7758c3f37dd4427229e693

SHA512
b949bc491218811149aa1405e4002d2d9f3d5b767d7c34896d2813c09618d5b11755a0b0292ae7e8942a2b09137d606e084cecbb48cb1f85e81b61f0f6196e7c

Download Submit
C:\Windows\rrfwirscsxty.exe

Filesize
424KB

MD5
591c7f90216f596b849ef9562b8f155b

SHA1
f3c185a27c38214418daa50407c9964fd5281d95

SHA256
3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4

SHA512
31cfa0fb8cc85398223b2377a170fbbdf01ad82764611c3c7775c80119bf0b5bd24d1943135ab18a3e1cff123813b0f786d522ea7d5c5387a1f84f8de6fa178f

Download Submit
\??\pipe\LOCAL\crashpad_2836_HZBPBXDXFUIBVTGK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1572-3-0x00000000022B0000-0x0000000002334000-memory.dmp

Filesize
528KB

Download
memory/1572-0-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1572-9-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1572-10-0x00000000022B0000-0x0000000002334000-memory.dmp

Filesize
528KB

Download
memory/3804-10354-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3804-8766-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3804-5968-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3804-3803-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3804-10401-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3804-14-0x0000000002240000-0x00000000022C4000-memory.dmp

Filesize
528KB

Download
memory/3804-868-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download