teslacrypt | 9c5feadf74c3a5ce0b40d5402f0f1ded6aea80b517c016a179b02f38a22aa489

Analysis

max time kernel
144s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_97020660b63757de9c0e8ad51eed9acf.exe
Size

376KB
MD5

97020660b63757de9c0e8ad51eed9acf
SHA1

bc75b2b04ec8591829a69a7634698c2d7ff406b5
SHA256

9c5feadf74c3a5ce0b40d5402f0f1ded6aea80b517c016a179b02f38a22aa489
SHA512

a6cc6b7c7c8d16419b826affc813ea5cff9501133c5bc386217fa686c35906404a937630bdbcdee193273e5c22872f891e1a40d332393480c8d684ea8bec0f67
SSDEEP

6144:ie3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:iY5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+wydiw.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C8B1DC585A2BBB21 2. http://kkd47eh4hdjshb5t.angortra.at/C8B1DC585A2BBB21 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/C8B1DC585A2BBB21 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/C8B1DC585A2BBB21 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C8B1DC585A2BBB21 http://kkd47eh4hdjshb5t.angortra.at/C8B1DC585A2BBB21 http://ytrest84y5i456hghadefdsd.pontogrot.com/C8B1DC585A2BBB21 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/C8B1DC585A2BBB21

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C8B1DC585A2BBB21

http://kkd47eh4hdjshb5t.angortra.at/C8B1DC585A2BBB21

http://ytrest84y5i456hghadefdsd.pontogrot.com/C8B1DC585A2BBB21

http://xlowfznrg4wf7dli.ONION/C8B1DC585A2BBB21

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (864) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_97020660b63757de9c0e8ad51eed9acf.exeiuvcxmsonvsp.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	iuvcxmsonvsp.exe

Drops startup file 6 IoCs

Processes:

iuvcxmsonvsp.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wydiw.txt	iuvcxmsonvsp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wydiw.html	iuvcxmsonvsp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wydiw.txt	iuvcxmsonvsp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wydiw.html	iuvcxmsonvsp.exe

Executes dropped EXE 2 IoCs

Processes:

iuvcxmsonvsp.exeiuvcxmsonvsp.exe

pid	Process
5044	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

iuvcxmsonvsp.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jtnsbaokmuvp = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\iuvcxmsonvsp.exe\""	iuvcxmsonvsp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_97020660b63757de9c0e8ad51eed9acf.exeiuvcxmsonvsp.exe

description	pid	Process	procid_target
PID 2560 set thread context of 2472	2560	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	88
PID 5044 set thread context of 3184	5044	iuvcxmsonvsp.exe	92

Drops file in Program Files directory 64 IoCs

Processes:

iuvcxmsonvsp.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_24x24x32.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-400.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\Recovery+wydiw.html	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\electron-upgrade-screen-illustration.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-256.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\Recovery+wydiw.txt	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+wydiw.txt	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256_altform-unplated.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\StartScreen\Recovery+wydiw.txt	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\Recovery+wydiw.txt	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-100_contrast-black.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\Recovery+wydiw.html	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_BadgeLogo.scale-200.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_contrast-white.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-150_contrast-white.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Recovery+wydiw.html	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\Recovery+wydiw.html	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-40_altform-lightunplated.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-48_altform-unplated_contrast-black.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_1.m4a	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\Recovery+wydiw.txt	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\Recovery+wydiw.txt	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\Recovery+wydiw.html	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fil-PH\View3d\Recovery+wydiw.txt	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-100.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\subs-illustration.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-unplated_contrast-white.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\Recovery+wydiw.html	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-white.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSplash.scale-100.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\StoreLogo.scale-200.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+wydiw.html	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-24_altform-unplated_contrast-white.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\Recovery+wydiw.html	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-200.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-100.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-100.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\Recovery+wydiw.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\LargeTile.scale-100.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Fonts\Recovery+wydiw.txt	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-80.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_altform-unplated.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\Recovery+wydiw.html	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\Recovery+wydiw.txt	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\SmallTile.scale-200.png	iuvcxmsonvsp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+wydiw.txt	iuvcxmsonvsp.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_97020660b63757de9c0e8ad51eed9acf.exe

description	ioc	Process
File created	C:\Windows\iuvcxmsonvsp.exe	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe
File opened for modification	C:\Windows\iuvcxmsonvsp.exe	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

iuvcxmsonvsp.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	iuvcxmsonvsp.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1712	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

iuvcxmsonvsp.exe

pid	Process
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe
3184	iuvcxmsonvsp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

VirusShare_97020660b63757de9c0e8ad51eed9acf.exeiuvcxmsonvsp.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2472	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe
Token: SeDebugPrivilege	3184	iuvcxmsonvsp.exe
Token: SeIncreaseQuotaPrivilege	1732	WMIC.exe
Token: SeSecurityPrivilege	1732	WMIC.exe
Token: SeTakeOwnershipPrivilege	1732	WMIC.exe
Token: SeLoadDriverPrivilege	1732	WMIC.exe
Token: SeSystemProfilePrivilege	1732	WMIC.exe
Token: SeSystemtimePrivilege	1732	WMIC.exe
Token: SeProfSingleProcessPrivilege	1732	WMIC.exe
Token: SeIncBasePriorityPrivilege	1732	WMIC.exe
Token: SeCreatePagefilePrivilege	1732	WMIC.exe
Token: SeBackupPrivilege	1732	WMIC.exe
Token: SeRestorePrivilege	1732	WMIC.exe
Token: SeShutdownPrivilege	1732	WMIC.exe
Token: SeDebugPrivilege	1732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1732	WMIC.exe
Token: SeRemoteShutdownPrivilege	1732	WMIC.exe
Token: SeUndockPrivilege	1732	WMIC.exe
Token: SeManageVolumePrivilege	1732	WMIC.exe
Token: 33	1732	WMIC.exe
Token: 34	1732	WMIC.exe
Token: 35	1732	WMIC.exe
Token: 36	1732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5028	WMIC.exe
Token: SeSecurityPrivilege	5028	WMIC.exe
Token: SeTakeOwnershipPrivilege	5028	WMIC.exe
Token: SeLoadDriverPrivilege	5028	WMIC.exe
Token: SeSystemProfilePrivilege	5028	WMIC.exe
Token: SeSystemtimePrivilege	5028	WMIC.exe
Token: SeProfSingleProcessPrivilege	5028	WMIC.exe
Token: SeIncBasePriorityPrivilege	5028	WMIC.exe
Token: SeCreatePagefilePrivilege	5028	WMIC.exe
Token: SeBackupPrivilege	5028	WMIC.exe
Token: SeRestorePrivilege	5028	WMIC.exe
Token: SeShutdownPrivilege	5028	WMIC.exe
Token: SeDebugPrivilege	5028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5028	WMIC.exe
Token: SeRemoteShutdownPrivilege	5028	WMIC.exe
Token: SeUndockPrivilege	5028	WMIC.exe
Token: SeManageVolumePrivilege	5028	WMIC.exe
Token: 33	5028	WMIC.exe
Token: 34	5028	WMIC.exe
Token: 35	5028	WMIC.exe
Token: 36	5028	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_97020660b63757de9c0e8ad51eed9acf.exeVirusShare_97020660b63757de9c0e8ad51eed9acf.exeiuvcxmsonvsp.exeiuvcxmsonvsp.exemsedge.exe

description	pid	Process	procid_target
PID 2560 wrote to memory of 2472	2560	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	88
PID 2560 wrote to memory of 2472	2560	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	88
PID 2560 wrote to memory of 2472	2560	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	88
PID 2560 wrote to memory of 2472	2560	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	88
PID 2560 wrote to memory of 2472	2560	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	88
PID 2560 wrote to memory of 2472	2560	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	88
PID 2560 wrote to memory of 2472	2560	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	88
PID 2560 wrote to memory of 2472	2560	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	88
PID 2560 wrote to memory of 2472	2560	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	88
PID 2560 wrote to memory of 2472	2560	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	88
PID 2472 wrote to memory of 5044	2472	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	89
PID 2472 wrote to memory of 5044	2472	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	89
PID 2472 wrote to memory of 5044	2472	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	89
PID 2472 wrote to memory of 1252	2472	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	90
PID 2472 wrote to memory of 1252	2472	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	90
PID 2472 wrote to memory of 1252	2472	VirusShare_97020660b63757de9c0e8ad51eed9acf.exe	90
PID 5044 wrote to memory of 3184	5044	iuvcxmsonvsp.exe	92
PID 5044 wrote to memory of 3184	5044	iuvcxmsonvsp.exe	92
PID 5044 wrote to memory of 3184	5044	iuvcxmsonvsp.exe	92
PID 5044 wrote to memory of 3184	5044	iuvcxmsonvsp.exe	92
PID 5044 wrote to memory of 3184	5044	iuvcxmsonvsp.exe	92
PID 5044 wrote to memory of 3184	5044	iuvcxmsonvsp.exe	92
PID 5044 wrote to memory of 3184	5044	iuvcxmsonvsp.exe	92
PID 5044 wrote to memory of 3184	5044	iuvcxmsonvsp.exe	92
PID 5044 wrote to memory of 3184	5044	iuvcxmsonvsp.exe	92
PID 5044 wrote to memory of 3184	5044	iuvcxmsonvsp.exe	92
PID 3184 wrote to memory of 1732	3184	iuvcxmsonvsp.exe	93
PID 3184 wrote to memory of 1732	3184	iuvcxmsonvsp.exe	93
PID 3184 wrote to memory of 1712	3184	iuvcxmsonvsp.exe	96
PID 3184 wrote to memory of 1712	3184	iuvcxmsonvsp.exe	96
PID 3184 wrote to memory of 1712	3184	iuvcxmsonvsp.exe	96
PID 3184 wrote to memory of 3240	3184	iuvcxmsonvsp.exe	97
PID 3184 wrote to memory of 3240	3184	iuvcxmsonvsp.exe	97
PID 3240 wrote to memory of 3524	3240	msedge.exe	98
PID 3240 wrote to memory of 3524	3240	msedge.exe	98
PID 3184 wrote to memory of 5028	3184	iuvcxmsonvsp.exe	99
PID 3184 wrote to memory of 5028	3184	iuvcxmsonvsp.exe	99
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101
PID 3240 wrote to memory of 3844	3240	msedge.exe	101

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

iuvcxmsonvsp.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	iuvcxmsonvsp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	iuvcxmsonvsp.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_97020660b63757de9c0e8ad51eed9acf.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_97020660b63757de9c0e8ad51eed9acf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\VirusShare_97020660b63757de9c0e8ad51eed9acf.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_97020660b63757de9c0e8ad51eed9acf.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\iuvcxmsonvsp.exe
    C:\Windows\iuvcxmsonvsp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\iuvcxmsonvsp.exe
      C:\Windows\iuvcxmsonvsp.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3184
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9340646f8,0x7ff934064708,0x7ff934064718
        6⤵
        
        PID:3524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17967409137162413003,7905264631616116165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        6⤵
        
        PID:3844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,17967409137162413003,7905264631616116165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        6⤵
        
        PID:2392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,17967409137162413003,7905264631616116165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
        6⤵
        
        PID:4944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17967409137162413003,7905264631616116165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        6⤵
        
        PID:2340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17967409137162413003,7905264631616116165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        
        PID:1184
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17967409137162413003,7905264631616116165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
        6⤵
        
        PID:64
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17967409137162413003,7905264631616116165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
        6⤵
        
        PID:2884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17967409137162413003,7905264631616116165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
        6⤵
        
        PID:392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17967409137162413003,7905264631616116165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
        6⤵
        
        PID:4372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17967409137162413003,7905264631616116165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
        6⤵
        
        PID:3136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17967409137162413003,7905264631616116165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
        6⤵
        
        PID:3580
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\IUVCXM~1.EXE
        5⤵
        
        PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:1252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+wydiw.html

Filesize
7KB

MD5
02d474dc3f795a6167d09e3721862541

SHA1
218d2cee25355b69e0fe1c70e52069da5d608e22

SHA256
ae89021140da5ef25e0b04f12248653a64a3a46f7984d5750be788a9f437d722

SHA512
45e86988c27005c12306982c7bb9fb74187e46c65d1d5a34981aeb8a649722beb78f7bd7e707d334911b2b07ef7bfc4db7016021fccdc419ebbf119fad6f2c0b

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+wydiw.png

Filesize
63KB

MD5
a7e03004559ff3b004c828434b59885d

SHA1
f1bcbac932bd2238983648dd50d9367159d1753f

SHA256
d6a11043a26dee9abfcd06a75f096f714cdc9482af02292bc08254892fd0ef64

SHA512
60851b2243bd1fa1adc4d581ec91c2cddff74f06fa2e299696c6998a87aa732785c6d53ca744feba3835d0299377113d78c6277e3cdc6c2eeaa0749c0a8b58be

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+wydiw.txt

Filesize
1KB

MD5
d8a58ed1a1862a669d475e61938c21ca

SHA1
065654ea1e0421240b5110bcf78e3a6e340c925b

SHA256
9f757bfe1ef7d00c72523d67b7a84d0343677f9fddcddebae0d779389a69e18c

SHA512
42d0e05fb456b1896995468df1c0e1c480e4e351fee2aa9638e837e3ac0b89806d469f4ab03bccc10d3cdebc5a60cd37af404ed6de9cda1c80c73ed617c2586b

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
f4f0918b25935709bbad0cb95b0e7f13

SHA1
e6867068ff0c815d89a509c16984c4493c6de434

SHA256
42d8033db6307546419d3e58df59adfd40494e699cead1366ec2c0bb092ac3b7

SHA512
8bab498deff33f00d09136d12275900f1d241029236183ea8435086ab1b67d5de877d44164ec51130f13d1ecd0d3834cc78bd51e88c27ec9f83cffdc4a314330

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
8fb6526029079059c0267bce1b14ee20

SHA1
35c917dfa2b2449d188ec8564e775d9fd079f676

SHA256
24a9a4e78119f5a10472e0b48526a1fbded99be1e32e3d5f98a73fc6a085d1fa

SHA512
3bec4f36f8b9a49329dcf951b8cc823d4fd15b366821b64a3147310302985ca702118357ceffa8ef627fa643b1181be5aae861ecc8e0333634061332fa3abade

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
51629115a1e72d1ecab3ea29a95145df

SHA1
de4a03996eccd1077ebaaddc6e9ad8aac7386e95

SHA256
4b57c6ccf612adb95b5bd24df3f4d4c9794eea387cb3360cccaaab8a356fee1f

SHA512
d54381c9923bf809b108d5d731815c593843ae4b667da4640b6da0df2e66620c23220abe54402922a44b2bd0fef19ed5a72286dd0937db64d41eac19b1d55d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5c0e3f944dc20a0c42844c39ff823a10

SHA1
b5fe048147fe59ddda506a64e7474ff3a3c07f86

SHA256
aee56abb2c7e3fa85f4dc1faaa3167265b0b1096d43c055aa11c131c252a8fd5

SHA512
2db2c0ecc04425708d4665bee9d520f183860bf7fe6e5be5ffa733beafa60bc7ea1f0ae5e47af5f94353caaf895efec7e1a3b1440967c346b2c69c1e6fff970a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8997250f4031d0c380bb51b747858b09

SHA1
d8e008e19afa45820ecf83b1cec6a194d4f382db

SHA256
f725d243b743dc2a3c6d48fdc406e807fbe0baff1a02822b2059179c20dcbc8f

SHA512
7ed1f445c07bee4bcdf0e6dafbd5f500c9f1b1cf6fed7686f72df709f2a31fece8e13b5b8bbed4326dad0788c1da2b24fbc5af02367dcb68adeda565268a93a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b67b02dfdf655041c53a776426d3c57b

SHA1
374aa4fe6af6255b1d8efb94db5da43a672a76d3

SHA256
2f1f1556435bef016cb61846ff6172cbd0fd573ac789ac31f6f4e7f747599714

SHA512
2b5ff6580625a1d23d550fada0c22cf52fea8104d08bd96e4f258e17b9a04ea693735dbe631cde4bca7337d7b939c53b817864a1d6d00a44adf2718a9f650367

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586087795228297.txt

Filesize
47KB

MD5
e1c7b726f0264c878c71e68f677824aa

SHA1
c258bcfb47f78815ac8bc3b4cf6e09f43e7ec8a7

SHA256
afea3b652633f8762454c363400db3fc519f46da7c64a636785b986f5ba69368

SHA512
b5f6f8e7e49a94c3d87f4dda41c42825be41f1965e9d7699655bdcdd7e0018e60dd5c9dc25975214c7f9e861e08d7c660ed8daa1fbf9d181a9d5001240aaa4dd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586113806511602.txt

Filesize
75KB

MD5
c34e48c65c372a8d163c624229ef7019

SHA1
e4c7aed08e82d60ca716c3fc90cf5786f8be8377

SHA256
959191a78213fdad12fff03daabdc94ede7a04b605c6997cbb586ca6138e92ce

SHA512
65d3350cb6e46796ae52a1ff437798de9af62f6a980db2c7a69c52e32c71ff0b1f750f264ec222fad61882243d72616e54a50cd0e67fb67f557d74fa965861b2

Download Submit
C:\Windows\iuvcxmsonvsp.exe

Filesize
376KB

MD5
97020660b63757de9c0e8ad51eed9acf

SHA1
bc75b2b04ec8591829a69a7634698c2d7ff406b5

SHA256
9c5feadf74c3a5ce0b40d5402f0f1ded6aea80b517c016a179b02f38a22aa489

SHA512
a6cc6b7c7c8d16419b826affc813ea5cff9501133c5bc386217fa686c35906404a937630bdbcdee193273e5c22872f891e1a40d332393480c8d684ea8bec0f67

Download Submit
\??\pipe\LOCAL\crashpad_3240_AVCSONZOXRULLJDS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2472-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2472-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2472-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2472-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2472-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2560-0-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download
memory/2560-1-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download
memory/2560-4-0x0000000000C30000-0x0000000000C33000-memory.dmp

Filesize
12KB

Download
memory/3184-2651-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-8667-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-10380-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-10381-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-10389-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-10391-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-5115-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-10444-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3184-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5044-12-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download