teslacrypt | 1cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe
Size

356KB
MD5

a8e0b0186e5159aa8a772e8d4169d3f3
SHA1

7c1f0f6fc4fd2669717e632652ff8a99fb093e69
SHA256

1cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e
SHA512

01fa49ff7921b380f0390a1ba9c4beff61278685d9caabe188d84977b73fffe7ffe51360677fbaa0319c0e4d4387804c665a7671ad63e4f8a8bc6c8ae0fe55fa
SSDEEP

6144:rOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:rFeq0F+PzcOLyWRsHA93/oswe

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mtxcu.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F513B4A57C92572 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F513B4A57C92572 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/F513B4A57C92572 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/F513B4A57C92572 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F513B4A57C92572 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F513B4A57C92572 http://yyre45dbvn2nhbefbmh.begumvelic.at/F513B4A57C92572 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/F513B4A57C92572

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F513B4A57C92572

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F513B4A57C92572

http://yyre45dbvn2nhbefbmh.begumvelic.at/F513B4A57C92572

http://xlowfznrg4wf7dli.ONION/F513B4A57C92572

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (868) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	iityhyvearoo.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+mtxcu.png	iityhyvearoo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+mtxcu.txt	iityhyvearoo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+mtxcu.html	iityhyvearoo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+mtxcu.png	iityhyvearoo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+mtxcu.txt	iityhyvearoo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+mtxcu.html	iityhyvearoo.exe

Executes dropped EXE 2 IoCs

pid	Process
5080	iityhyvearoo.exe
4968	iityhyvearoo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vnwsspq = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\iityhyvearoo.exe"	iityhyvearoo.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3844 set thread context of 3428	3844	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	89
PID 5080 set thread context of 4968	5080	iityhyvearoo.exe	93

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\_ReCoVeRy_+mtxcu.txt	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-200.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteWideTile.scale-100.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\WinMetadata\_ReCoVeRy_+mtxcu.html	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+mtxcu.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-100.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-100.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+mtxcu.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-36.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\_ReCoVeRy_+mtxcu.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_ReCoVeRy_+mtxcu.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\holiday_weather.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_EyeLashEye.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+mtxcu.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-unplated.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-125.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\id-ID\_ReCoVeRy_+mtxcu.html	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\GlowInTheDark.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\_ReCoVeRy_+mtxcu.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\_ReCoVeRy_+mtxcu.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\_ReCoVeRy_+mtxcu.txt	iityhyvearoo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\_ReCoVeRy_+mtxcu.txt	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-200_contrast-black.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+mtxcu.html	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-60_altform-unplated.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\_ReCoVeRy_+mtxcu.html	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-200.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-200.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_ReCoVeRy_+mtxcu.txt	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+mtxcu.txt	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-20.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\_ReCoVeRy_+mtxcu.html	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-125.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Gravel.jpg	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\_ReCoVeRy_+mtxcu.txt	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-125_contrast-white.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-64_contrast-black.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-400.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+mtxcu.html	iityhyvearoo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\_ReCoVeRy_+mtxcu.html	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ShareProvider_CopyFile24x24.scale-125.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-300.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-100.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-30_altform-lightunplated.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-200.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+mtxcu.html	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+mtxcu.txt	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-64.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_ReCoVeRy_+mtxcu.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-125.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-125.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteMedTile.scale-400.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\_ReCoVeRy_+mtxcu.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_ReCoVeRy_+mtxcu.txt	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-64_contrast-white.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-24_altform-unplated.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\BlogThumbnail.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\Data\BrushProfile\_ReCoVeRy_+mtxcu.txt	iityhyvearoo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	iityhyvearoo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png	iityhyvearoo.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\iityhyvearoo.exe	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe
File opened for modification	C:\Windows\iityhyvearoo.exe	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	iityhyvearoo.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2108	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe
4968	iityhyvearoo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe
Token: SeDebugPrivilege	4968	iityhyvearoo.exe
Token: SeIncreaseQuotaPrivilege	400	WMIC.exe
Token: SeSecurityPrivilege	400	WMIC.exe
Token: SeTakeOwnershipPrivilege	400	WMIC.exe
Token: SeLoadDriverPrivilege	400	WMIC.exe
Token: SeSystemProfilePrivilege	400	WMIC.exe
Token: SeSystemtimePrivilege	400	WMIC.exe
Token: SeProfSingleProcessPrivilege	400	WMIC.exe
Token: SeIncBasePriorityPrivilege	400	WMIC.exe
Token: SeCreatePagefilePrivilege	400	WMIC.exe
Token: SeBackupPrivilege	400	WMIC.exe
Token: SeRestorePrivilege	400	WMIC.exe
Token: SeShutdownPrivilege	400	WMIC.exe
Token: SeDebugPrivilege	400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	400	WMIC.exe
Token: SeRemoteShutdownPrivilege	400	WMIC.exe
Token: SeUndockPrivilege	400	WMIC.exe
Token: SeManageVolumePrivilege	400	WMIC.exe
Token: 33	400	WMIC.exe
Token: 34	400	WMIC.exe
Token: 35	400	WMIC.exe
Token: 36	400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	400	WMIC.exe
Token: SeSecurityPrivilege	400	WMIC.exe
Token: SeTakeOwnershipPrivilege	400	WMIC.exe
Token: SeLoadDriverPrivilege	400	WMIC.exe
Token: SeSystemProfilePrivilege	400	WMIC.exe
Token: SeSystemtimePrivilege	400	WMIC.exe
Token: SeProfSingleProcessPrivilege	400	WMIC.exe
Token: SeIncBasePriorityPrivilege	400	WMIC.exe
Token: SeCreatePagefilePrivilege	400	WMIC.exe
Token: SeBackupPrivilege	400	WMIC.exe
Token: SeRestorePrivilege	400	WMIC.exe
Token: SeShutdownPrivilege	400	WMIC.exe
Token: SeDebugPrivilege	400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	400	WMIC.exe
Token: SeRemoteShutdownPrivilege	400	WMIC.exe
Token: SeUndockPrivilege	400	WMIC.exe
Token: SeManageVolumePrivilege	400	WMIC.exe
Token: 33	400	WMIC.exe
Token: 34	400	WMIC.exe
Token: 35	400	WMIC.exe
Token: 36	400	WMIC.exe
Token: SeBackupPrivilege	3636	vssvc.exe
Token: SeRestorePrivilege	3636	vssvc.exe
Token: SeAuditPrivilege	3636	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3388	WMIC.exe
Token: SeSecurityPrivilege	3388	WMIC.exe
Token: SeTakeOwnershipPrivilege	3388	WMIC.exe
Token: SeLoadDriverPrivilege	3388	WMIC.exe
Token: SeSystemProfilePrivilege	3388	WMIC.exe
Token: SeSystemtimePrivilege	3388	WMIC.exe
Token: SeProfSingleProcessPrivilege	3388	WMIC.exe
Token: SeIncBasePriorityPrivilege	3388	WMIC.exe
Token: SeCreatePagefilePrivilege	3388	WMIC.exe
Token: SeBackupPrivilege	3388	WMIC.exe
Token: SeRestorePrivilege	3388	WMIC.exe
Token: SeShutdownPrivilege	3388	WMIC.exe
Token: SeDebugPrivilege	3388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3388	WMIC.exe
Token: SeRemoteShutdownPrivilege	3388	WMIC.exe
Token: SeUndockPrivilege	3388	WMIC.exe
Token: SeManageVolumePrivilege	3388	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 3428	3844	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	89
PID 3844 wrote to memory of 3428	3844	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	89
PID 3844 wrote to memory of 3428	3844	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	89
PID 3844 wrote to memory of 3428	3844	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	89
PID 3844 wrote to memory of 3428	3844	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	89
PID 3844 wrote to memory of 3428	3844	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	89
PID 3844 wrote to memory of 3428	3844	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	89
PID 3844 wrote to memory of 3428	3844	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	89
PID 3844 wrote to memory of 3428	3844	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	89
PID 3844 wrote to memory of 3428	3844	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	89
PID 3428 wrote to memory of 5080	3428	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	90
PID 3428 wrote to memory of 5080	3428	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	90
PID 3428 wrote to memory of 5080	3428	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	90
PID 3428 wrote to memory of 2688	3428	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	91
PID 3428 wrote to memory of 2688	3428	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	91
PID 3428 wrote to memory of 2688	3428	VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe	91
PID 5080 wrote to memory of 4968	5080	iityhyvearoo.exe	93
PID 5080 wrote to memory of 4968	5080	iityhyvearoo.exe	93
PID 5080 wrote to memory of 4968	5080	iityhyvearoo.exe	93
PID 5080 wrote to memory of 4968	5080	iityhyvearoo.exe	93
PID 5080 wrote to memory of 4968	5080	iityhyvearoo.exe	93
PID 5080 wrote to memory of 4968	5080	iityhyvearoo.exe	93
PID 5080 wrote to memory of 4968	5080	iityhyvearoo.exe	93
PID 5080 wrote to memory of 4968	5080	iityhyvearoo.exe	93
PID 5080 wrote to memory of 4968	5080	iityhyvearoo.exe	93
PID 5080 wrote to memory of 4968	5080	iityhyvearoo.exe	93
PID 4968 wrote to memory of 400	4968	iityhyvearoo.exe	94
PID 4968 wrote to memory of 400	4968	iityhyvearoo.exe	94
PID 4968 wrote to memory of 2108	4968	iityhyvearoo.exe	99
PID 4968 wrote to memory of 2108	4968	iityhyvearoo.exe	99
PID 4968 wrote to memory of 2108	4968	iityhyvearoo.exe	99
PID 4968 wrote to memory of 3004	4968	iityhyvearoo.exe	100
PID 4968 wrote to memory of 3004	4968	iityhyvearoo.exe	100
PID 3004 wrote to memory of 2296	3004	msedge.exe	101
PID 3004 wrote to memory of 2296	3004	msedge.exe	101
PID 4968 wrote to memory of 3388	4968	iityhyvearoo.exe	102
PID 4968 wrote to memory of 3388	4968	iityhyvearoo.exe	102
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104
PID 3004 wrote to memory of 2552	3004	msedge.exe	104

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	iityhyvearoo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	iityhyvearoo.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\iityhyvearoo.exe
    C:\Windows\iityhyvearoo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\iityhyvearoo.exe
      C:\Windows\iityhyvearoo.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4968
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b4f46f8,0x7ffa8b4f4708,0x7ffa8b4f4718
        6⤵
        
        PID:2296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1829492529552936951,7528010041498858595,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        6⤵
        
        PID:2552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1829492529552936951,7528010041498858595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
        6⤵
        
        PID:4584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1829492529552936951,7528010041498858595,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
        6⤵
        
        PID:2664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1829492529552936951,7528010041498858595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        6⤵
        
        PID:2440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1829492529552936951,7528010041498858595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
        6⤵
        
        PID:4784
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1829492529552936951,7528010041498858595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
        6⤵
        
        PID:888
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1829492529552936951,7528010041498858595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
        6⤵
        
        PID:2956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1829492529552936951,7528010041498858595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
        6⤵
        
        PID:4208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1829492529552936951,7528010041498858595,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
        6⤵
        
        PID:4220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1829492529552936951,7528010041498858595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
        6⤵
        
        PID:3552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1829492529552936951,7528010041498858595,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
        6⤵
        
        PID:276
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\IITYHY~1.EXE
        5⤵
        
        PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:2688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mtxcu.html

Filesize
12KB

MD5
5ba990e013fdf1cfd611e0751a341b8e

SHA1
b853ff3f5e8d73a16ded773311232c5f577ceb14

SHA256
8595db557aecebcc2da0a04081a166874018c37ad2e485326d89010aff6a9726

SHA512
13ca59245762bd56b2fcc63b2c7c2bebf0410c899fffd5c2d2446bbfec727d4684d1c97c52ddca87a4f2f5d5385efbea11a8b387a68fff3d8a22bf1f633b93a6

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mtxcu.png

Filesize
64KB

MD5
9198fca7e78418095f940bd6295f7618

SHA1
90fcafba2750ae25937e48a7cf96f258b0dcd8fa

SHA256
2a8f0382a538744fba423dfd2fd68852e9b47c4b9d2df51c6af6e3271920aecc

SHA512
bf07e49c803f55b41f91dcfe406fa87691ac70d9e06298d14dfa138e56867d5571bd1ce8091955f234823f5ef7754e9aded1a6421284a847557c4c45814f236b

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mtxcu.txt

Filesize
1KB

MD5
526bdecef93aba230c67bea3d22b832c

SHA1
aa28be52f50d120f3e69ac3af6c6c0f018e50da6

SHA256
b2f262c274c3d35a95207467fb44b917032c7cc61966a0f4ebc7f5b0981be319

SHA512
f6742e9a0a941213cb320b036e2a6264f3c15b46bf5aa31a1d744c982b9e42bd496e2ce90db60bb940b52c81984c3d850c55abea54f4f900b05509813275d853

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
0b35f9c8b03cf112c02b0b8c2df9abb3

SHA1
69c726812ea7ee99d4692ecb807eee47974a42c2

SHA256
e485a4ce0e1529ceca844cf7a25b4cbffefbb993ae423c36545e96961a6d4326

SHA512
deb5431aa766a9276de57d76d86119408cb7040c663981be92b846e3a5e85c66fcd9315b2f740cf4580d69f9dbe97a7c0c18df9195ec3e968b43f846432ed789

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
75e507aa24c9faed7744dd2cbdd666b7

SHA1
1b9632398d56d6e29fb04342bd61aaa002175fda

SHA256
9b8287d3423b1be7168acc229f1dcb709323e1cc000913b5d15cdd1f73701e7c

SHA512
5038ed5e601ea9785783c9bc5a43f3061def962256b47a7dac66260809d193dcb6e9c3577ff8e761bb39775e9bdca7b57114f07d2a28d6d11bb962ecba9d87a0

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
32ed017b83958090bca9b1615aaa2274

SHA1
4d8a049c167a43959bd4d640f9e0aede5fa47d90

SHA256
102edd9cd584dd7336fa1ce5cf3be59f05c908583a93a98e0a76355b3026134c

SHA512
b073f6bb47f8c04bec9eb8264258b6e3e9b532c68b3472ca913583918b7d464e7a00909966eaea6336b931f70af1c7d12e75eae8cb78c43b1ab696a4d59cf414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d39ea857eca16c2eedaa59377a91ab76

SHA1
ee570721401a392c47e90aed00c2c08fe1c7c383

SHA256
11594b95db0e036abf7827facde59b7472df04df582ee5cdd5b98ea8f3974a42

SHA512
752c722476302573618855f13c019f367bd96f7e7cb001f2b9c09fd59f1f5101b11c0e909586b3aaada82f86e5dd5cc272b43168c93ff4de724f4880bdefeb1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6144f71da598c9fab0d77ee729faab93

SHA1
67742b1530f7550265c7d060b5fa3a79bec71cfd

SHA256
3180cbebfbc7156f0034c4c99e0de4ecae39c090ca8924b2b9b7bfd3fc2fa678

SHA512
fe7ef93ef9de4fb1e70ad851ed573f3e1c7abf8aa02d287532e36ae75c4c3c4799c310f1d321765fe6bb49ee093ac3a13bedca0fee7f915743bf5a40b8c2d9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3cac1477c15638b69745d13576ab8d3a

SHA1
ce7df336e7f0741d54f7847e35319cea72c4e47d

SHA256
4bf2bd89f5919573a4731e90ef6e6dae471179720ce89bc0ede27cf0eab53b53

SHA512
aac7a3549ba7084620f377d92ea51da3602c4a8834e6b11a105ec8919cf36af856fdb116aae307b96d3770a077315642badb47edd366edb3cab51131799673ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586097090598174.txt

Filesize
75KB

MD5
67ae61fefd8d854c84e5e939c524f4ee

SHA1
9ab30e6c31a6997b7448b6b92f69ce3f997d34a5

SHA256
4635b6d11564280a0effde870293bdf3b89cd49c5163c61d4b76a8618fa01abf

SHA512
f4a57dab3a19a7377a8052abe3e366748b6be855d7f9cfecc8c402c3f077abbe338d3dd1a1f16566776314cb0c075f7ce64b473ae1af0dcbc88cf0dced9f1e31

Download Submit
C:\Windows\iityhyvearoo.exe

Filesize
356KB

MD5
a8e0b0186e5159aa8a772e8d4169d3f3

SHA1
7c1f0f6fc4fd2669717e632652ff8a99fb093e69

SHA256
1cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e

SHA512
01fa49ff7921b380f0390a1ba9c4beff61278685d9caabe188d84977b73fffe7ffe51360677fbaa0319c0e4d4387804c665a7671ad63e4f8a8bc6c8ae0fe55fa

Download Submit
memory/3428-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3428-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3428-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3428-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3428-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3844-0-0x0000000000630000-0x0000000000634000-memory.dmp

Filesize
16KB

Download
memory/3844-3-0x0000000000630000-0x0000000000634000-memory.dmp

Filesize
16KB

Download
memory/3844-1-0x0000000000630000-0x0000000000634000-memory.dmp

Filesize
16KB

Download
memory/4968-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-7042-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-4195-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-9718-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-10371-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-10372-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-10380-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-10381-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-2052-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-614-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-10451-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4968-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5080-12-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download