Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10/06/2024, 11:48
General
-
Target
VirusShare_99e83f42796e5390063243810c0629de.exe
-
Size
184KB
-
MD5
99e83f42796e5390063243810c0629de
-
SHA1
a97c9cdff2002fc328a933df1ae3bc67508814ee
-
SHA256
722d3afa33d79b277e4198517084248b25db8dc90207b5ee4fff76dfa2b19fb5
-
SHA512
ecc5e1e8fe8b36dbf2326e182772ca852e155f8deb5562e3ff707538c5b24961c16a44b26737efbd09cc6d38683cf51c1a363e2668c27f7453ffea21eb0a7a2c
-
SSDEEP
3072:jFIkQ7yjaILMvzovwBB82T/NyG86ry6BSTqQ+hvVdhCL9juDEDsj/RR:pjLMswHHQG86ry6BSGLVAjuv
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\7-Zip\Lang\+REcovER+uhmfj+.txt
Ransom Note
(&29-% ?33=#60!2=;/#*."'<-!?%+
(&29-% ?33=#60!2=;/#*."'<-!?%+
(&29-% ?33=#60!2=;/#*."'<-!?%+
(&29-% ?33=#60!2=;/#*."'<-!?%+
NOT YOUR LANGUAGE? USE https://translate.google.com
What's the matter with your files?
Your data was secured using a strong encryption with RSA4096.
Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem)
What exactly that means?
It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore .
In other words they are useless , however , there is a possibility to restore them with our help .
What exactly happened to your files ???
*** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private.
*** All your data and files were encrypted by the means of the public key , which you received over the web .
*** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers.
What should you do next ?
There are several options for you to consider :
*** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or
*** You can start getting BitCoins right now and get access to your data quite fast .
In case you have valuable files , we advise you to act fast as there is no other option rather
than paying in order to get back your data.
In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below :
http://i5ndw.titlecorta.at/B5EC285F737BD644
http://d34fa.lasmeio.com/B5EC285F737BD644
http://2gdb4.leoraorage.at/B5EC285F737BD644
(&29-% ?33=#60!2=;/#*."'<-!?%+
(&29-% ?33=#60!2=;/#*."'<-!?%+
(&29-% ?33=#60!2=;/#*."'<-!?%+ r
If you can't access your personal homepage or the addresses are not working, complete the following steps:
*** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en
*** Install TOR Browser and open TOR Browser
*** Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/B5EC285F737BD644
*** *** *** *** *** *** *** IMPORTANT INFORMATION *** *** *** *** *** ***
Your personal homepages
http://i5ndw.titlecorta.at/B5EC285F737BD644
http://d34fa.lasmeio.com/B5EC285F737BD644
http://2gdb4.leoraorage.at/B5EC285F737BD644
Your personal homepage Tor-Browser k7tlx3ghr3m4n2tu.onion/B5EC285F737BD644
Your personal ID B5EC285F737BD644
(&29-% ?33=#60!2=;/#*."'<-!?%+
(&29-% ?33=#60!2=;/#*."'<-!?%+
(&29-% ?33=#60!2=;/#*."'<-!?%+
URLs
http://i5ndw.titlecorta.at/B5EC285F737BD644
http://d34fa.lasmeio.com/B5EC285F737BD644
http://2gdb4.leoraorage.at/B5EC285F737BD644
http://k7tlx3ghr3m4n2tu.onion/B5EC285F737BD644
Extracted
Path
C:\Program Files\7-Zip\Lang\+REcovER+uhmfj+.html
Ransom Note
<html><style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style='background:#33CCFF;'> <center><div style='text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;'> <b><font class='ttl'><center><b>NOT YOUR LANGUAGE? USE <a href=https://translate.google.com target='_blank'>Google Translate</a></b></center> What happened to your files?</b></font><br> <font style='font-size:13px;'>All of your files were pr<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->o<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->t<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->e<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ct<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->e<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->d <!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->by a s<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->t<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->vr<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ong encr<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->yption with R<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->S<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->A<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->-4<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->0<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->9<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->6 <br> More information about the encryption RSA-4<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->0<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->9<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->6 c<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->a<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->n b<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->e <!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->f<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->o<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->u<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->n<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->d <a href= http://en.wikipedia.org/wiki/RSA_(cryptosystem) target='_blank'> https://en.wikipedia.org/wiki/RSA_(cryptosystem) </a><br></font> <br><b><font class='ttl'>What does this mean?</b></font><br><font style='font-size:13px;'>This means that the structure and data within yourfiles have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them <br><br><b><font class='ttl'> How did this happen? </b></font> <br> <font style='font-size:13px;'> Espe<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->cially for you, on our SE<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->RVE<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->R was gener<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ated the se<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->cret key<br>All your files were encrypted with the public key,which has been transferred to your com<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->puter via the Int<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ernet. <br>Decrypting of YO<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->UR FI<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->LES isonly poss<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ible with the help of the pr<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ivate key and decrypt pro<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->gram which is on our Secret Server!!!</font><br><br><b><font class='ttl'>What do I do?</b></font> <br><font style='font-size:13px;'>Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed <br> If you really need your data, then we suggest you do not wastevaluable time searching for other solutions becausen they do not exist.</font><br><br> <div class='tb' style='color:#880000; font-size:13px; border-width:3px;'>For more specific instructions, please visit your pers<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->onal home page, there are a few different addresses point<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ing to your page be<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->low<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->:<b><hr> 1 - <a href=http://i5ndw.titlecorta.at/B5EC285F737BD644 target="_blank">http://i5ndw.titlecorta.at/B5EC285F737BD644</a> <br> 2 - <a href=http://d34fa.lasmeio.com/B5EC285F737BD644 target="_blank">http://d34fa.lasmeio.com/B5EC285F737BD644</a> <br> 3 - <a href=http://2gdb4.leoraorage.at/B5EC285F737BD644 target="_blank">http://2gdb4.leoraorage.at/B5EC285F737BD644</a> <br> </div><br><div class='tb' style='font-size:13px; border-color:#880000;'><b>If for some reasons the addresses are not available, follow these steps:</b> <hr> 1 - Download and install tor-browser: <a href=http://www.torproject.org/projects/torbrowser.html.en target='_blank'>http://www.torproject.org/projects/torbrowser.html.en</a><br> 2 - After a successful installation, run the browser and wait for initialization.<br> 3 - Typ<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->e in the tor-<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->browser address b<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ar<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->: <font style='font-weight:bold; color:#009977;'>k7tlx3ghr3m4n2tu.onion/B5EC285F737BD644 </font> <br> 4 - F<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ollow the in<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->structions on the site.</div><br><br><b>!!! IMPOR<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->TANT INFOR<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->MATION:</b><br> <div class='tb' style='width:790px;'> Yo<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ur Per<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->sonal PAG<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ES<b><!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->: <br> <a href=http://i5ndw.titlecorta.at/B5EC285F737BD644 target='_blank'> http://i5ndw.titlecorta.at/B5EC285F737BD644</a> <br><a href=http://d34fa.lasmeio.com/B5EC285F737BD644 target='_blank> http://d34fa.lasmeio.com/B5EC285F737BD644</a></a> <br> <a href=http://2gdb4.leoraorage.at/B5EC285F737BD644 target='_blank'> http://2gdb4.leoraorage.at/B5EC285F737BD644</a> <br>Yo<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ur P<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ers<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->onal TO<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->R-Br<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ow<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ser page :<font style='font-weight:bold; color:#009977;'> k7tlx3ghr3m4n2tu.onion/B5EC285F737BD644 </font><br> Yo<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->ur pers<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->onal <!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->I<!---(&29-% ?33=#60!2=;/#*."'<-!?%+ -->D (if you open the site directly) :<font style='font-weight:bold; color:#770000;'>B5EC285F737BD644</font><br> </div></div></center></body></html>
URLs
http://i5ndw.titlecorta.at/B5EC285F737BD644</a>
http://d34fa.lasmeio.com/B5EC285F737BD644</a></a>
http://2gdb4.leoraorage.at/B5EC285F737BD644</a>
http://k7tlx3ghr3m4n2tu.onion/B5EC285F737BD644
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_99e83f42796e5390063243810c0629de.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_99e83f42796e5390063243810c0629de.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\qpekua.exeC:\Users\Admin\Documents\qpekua.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+REcovER+uhmfj+.txt3⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\+REcovER+uhmfj+.html3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea69046f8,0x7ffea6904708,0x7ffea69047184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,14422472583282283148,9916680941742449184,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,14422472583282283148,9916680941742449184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,14422472583282283148,9916680941742449184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14422472583282283148,9916680941742449184,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14422472583282283148,9916680941742449184,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,14422472583282283148,9916680941742449184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,14422472583282283148,9916680941742449184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14422472583282283148,9916680941742449184,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14422472583282283148,9916680941742449184,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14422472583282283148,9916680941742449184,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14422472583282283148,9916680941742449184,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:14⤵
-
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\DOCUME~1\qpekua.exe >> NUL3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5c31dc805496fe47a137137ba0d8fab72
SHA1e34c5d6b8be360d90648eaf2d8bee8a58091f998
SHA256c28aaa75e32c408777f7fa846af2b01ff6c329ff95e3155e8621ca6a7d561122
SHA5124deaa42a71aafa78854c9f5bb1452185db388815b1870526c362a8681ea044f8b5bc543a4b81cea8ae87f1658ff25a01f5112435f9ecd1ca6f1b7496bae898b6
-
Filesize
82KB
MD594dae22c6c680d54650313423d2fc950
SHA1c349d411d5baa8492a397cd62d688bc8a60de970
SHA2568ef4681157ade40ccda2ef7f40695dece2bbd7920420a30d37f8c991f29af0d4
SHA5123595fc50a66028be5a9d86cfef69a70569a1ff74818f51bc05a653982fbf0e7bb89120d2b915d074cc2042ee258e314676318da0af4bdcbf2d668d9fdb8e5917
-
Filesize
2KB
MD54b366c5be58d2348488c1ef4e5bd9e3b
SHA1216cd1ad25cf2a5e8f19a4bcc87dc063f636d137
SHA256c2aac3ac8348d8a5d6c358b632c72ee4e0f69c2d7e3e7cf20e7af50120fb0905
SHA51217fc311745463cb9d69efeecfaf3c7ff4d1cf33d538168e311a7702b6aa9cc234b6eb67fd0cc1efb96c3ab451bc927b58395ad7e6bbac50c7fc88f07e60804ef
-
Filesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
Filesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
Filesize
5KB
MD56ae296606ea7df8ccc4862c0df39f557
SHA1c525d4af3956ddc28779c1b7c14bbb972d1bd64f
SHA2565180b59b93a76809fbc5393daf7562c04255578d17e650a1e5e067fa80f9a192
SHA5121eb6adb785f9fd3bf34e456e67563b676bf0cfb887cebdb6ff2b0e71103bbe4c4aa7e895df852eb938ae8cd37116b97dd3cc141df21bb4feb88efd82cb0c245a
-
Filesize
6KB
MD55472c09fff523669e5b4d8ecd8fde080
SHA1c7a0d62737adc71635a89fb9a919073101bf4460
SHA256c823bc367411b1db8fa41fa17b3501f3cedefe5dcfc7b5eda9b2135a1c38bb1e
SHA5123ab40f5c07c03af6bb3686257aed34ed43dc4b06c4c154f4d85de66bb06b50bb7af7a50839f71dd7dfd6be8187477aac49a7d7026aa86dc412f77abd57e59496
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5156105a13121efa61a5cf18fcd1a05e0
SHA12ad7a91bf477fa4df6614868be14369a7c602c63
SHA256647eaafbbb1a835887e2ae35fb324cbe89d45dd816419796038f3bd156e89d7e
SHA512240edc8eb7f0b4a034e97c32ab0b79ef0cfb3e28758d2bca22ac54fe11742f809052fc1c99c2744ac4d3b9b7d392599d13f5793e24bb2b15ca725fce0be682ba
-
Filesize
75KB
MD58d80ee7e05b7cb03e11f1eb910db8a16
SHA16c736bd1fabb8c2ce57f0ead9128433c26ae55fd
SHA2565034435edfc958c08fe45ea8e8d2621ce12b3269157124420ad6cdda8e1db967
SHA512b4a8adf357e70e105024665dbad0a9d1ada4b76ed985ba836522f1f48532eb2985b795c1e9d2c8873e1532a975f3cddd1c650b39661bf521ad064a506ec4c00b
-
Filesize
184KB
MD599e83f42796e5390063243810c0629de
SHA1a97c9cdff2002fc328a933df1ae3bc67508814ee
SHA256722d3afa33d79b277e4198517084248b25db8dc90207b5ee4fff76dfa2b19fb5
SHA512ecc5e1e8fe8b36dbf2326e182772ca852e155f8deb5562e3ff707538c5b24961c16a44b26737efbd09cc6d38683cf51c1a363e2668c27f7453ffea21eb0a7a2c
-
Filesize
560KB
-
Filesize
228KB
-
Filesize
560KB
-
Filesize
228KB
-
Filesize
4KB
-
Filesize
228KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
228KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
