d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_00442a088456ce18a43187605557b3d1.exe
Size

344KB
MD5

00442a088456ce18a43187605557b3d1
SHA1

d02f19accf695508bc31a650539934d8ea46fb15
SHA256

d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422
SHA512

62d65da6e38ceae67845d44fe979941049d54075ca16ff0ed6b6db3379ccc30df55da5a4a2926e52147a48f0c11c2283fc1ee06864e8605bf31fb77b766656a7
SSDEEP

6144:V6DdOsqgCFKNnhMA6GOopUtQ9KIwD13KJ181KUO:sZOsSwhCGbWWu13E0

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\{RecOveR}-jhhxx__.Txt

Ransom Note

=(5*2<>4(>$*3';681&)3?0$60>/#8. =(5*2<>4(>$*3';681&)3?0$60>/#8. =(5*2<>4(>$*3';681&)3?0$60>/#8. =(5*2<>4(>$*3';681&)3?0$60>/#8. NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? =(5*2<>4(>$*3';681&)3?0$60>/#8. =(5*2<>4(>$*3';681&)3?0$60>/#8. It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is a possibility to restore them with our help . What exactly happened to your files ??? *** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key , which you received over the web . *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. =(5*2<>4(>$*3';681&)3?0$60>/#8. =(5*2<>4(>$*3';681&)3?0$60>/#8. What should you do next ? There are several options for you to consider : *** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or *** You can start getting BitCoins right now and get access to your data quite fast . In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below : http://h3ds4.maconslab.com/18F6C382C5671282 http://aq3ef.goimocoa.at/18F6C382C5671282 http://fl43s.toabolt.at/18F6C382C5671282 If you can't access your personal homepage or the addresses are not working, complete the following steps: *** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en *** Install TOR Browser and open TOR Browser *** Insert the following link in the address bar: xzjvzkgjxebzreap.onion/18F6C382C5671282 =(5*2<>4(>$*3';681&)3?0$60>/#8. =(5*2<>4(>$*3';681&)3?0$60>/#8. =(5*2<>4(>$*3';681&)3?0$60>/#8. ***************IMPORTANT*****************INFORMATION******************** Your personal homepages http://h3ds4.maconslab.com/18F6C382C5671282 http://aq3ef.goimocoa.at/18F6C382C5671282 http://fl43s.toabolt.at/18F6C382C5671282 Your personal homepage Tor-Browser xzjvzkgjxebzreap.onion/18F6C382C5671282 Your personal ID 18F6C382C5671282 =(5*2<>4(>$*3';681&)3?0$60>/#8. =(5*2<>4(>$*3';681&)3?0$60>/#8. =(5*2<>4(>$*3';681&)3?0$60>/#8.

URLs

http://h3ds4.maconslab.com/18F6C382C5671282

http://aq3ef.goimocoa.at/18F6C382C5671282

http://fl43s.toabolt.at/18F6C382C5671282

http://xzjvzkgjxebzreap.onion/18F6C382C5671282

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2664	cmd.exe

Drops startup file 3 IoCs

Processes:

wsmprovhost.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe

Executes dropped EXE 1 IoCs

Processes:

wsmprovhost.exe

pid	Process
2284	wsmprovhost.exe

Loads dropped DLL 2 IoCs

Processes:

VirusShare_00442a088456ce18a43187605557b3d1.exe

pid	Process
1688	VirusShare_00442a088456ce18a43187605557b3d1.exe
1688	VirusShare_00442a088456ce18a43187605557b3d1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wsmprovhost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\FIX2-kdfkie = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START \"\" \"C:\\Users\\Admin\\AppData\\Roaming\\wsmprovhost.exe\""	wsmprovhost.exe

Drops file in Program Files directory 64 IoCs

Processes:

wsmprovhost.exe

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Uninstall Information\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\library.js	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mousedown.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Google\Chrome\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{RecOveR}-jhhxx__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\library.js	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png	wsmprovhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak	wsmprovhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\{RecOveR}-jhhxx__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\{RecOveR}-jhhxx__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\{RecOveR}-jhhxx__.Png	wsmprovhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000689489b465359c1ce11149ebd3d11c352d9682507b04885242d775e04496d96a000000000e80000000020000200000009a15ee907b036ad3a30d43fd142a93d48913c984a0645694b9f95a40811301bf20000000ed15ab128b1932d3ed9576b7f6fd1f19700b61f8709eab5f207801867a60382b400000001caf38c5869bbcadb59566a9dba82ef78b799aa0632559fa7e0dc65d31f4c5c54327a919c953c9ef69bdb838d8fe65191833f9f50dc1570303959f4642986633	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{76CF1741-2713-11EF-8F47-7A4B76010719} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 100a3d4b20bbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000d129441ca65b40eec52b3358ac7976c476bedd22d7d52a4199b091e2444ffa5e000000000e800000000200002000000008ceee5fbeab67f4766b65ce46cd993e11de203e8a29042c93b90f74ebcde64290000000c871cb0c5737be1748f81178d863a9dbb84fbf19b26ff4c27e0bf1ee546affcbdcd7693cbcb59b07af206a4334ce0034c18cc22e8aec97e60f59e3b5ce2452705b8d94078b3ac0272d35e5bc6a2b44d2e5e987a7c7f6cd96c5b4ae1677e47fafcb8c4a7eea6a7de46255faf953f467f1a2c567552adc4c7cfc07dd2b19548610fd17b43903d6aa81ae116e64fb939894400000009b6ae668fbe3d87a98601925627af4bda3005c2e94dd41a5aec6b1f8ad8a210d051fba5fd2e58e7c7c5051cc6329d9df058412fd88f2b2be5b76b668535df9fc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424176869"	iexplore.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

wsmprovhost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wsmprovhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wsmprovhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wsmprovhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wsmprovhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wsmprovhost.exe

pid	Process
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe
2284	wsmprovhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wsmprovhost.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2284	wsmprovhost.exe
Token: SeIncreaseQuotaPrivilege	2672	WMIC.exe
Token: SeSecurityPrivilege	2672	WMIC.exe
Token: SeTakeOwnershipPrivilege	2672	WMIC.exe
Token: SeLoadDriverPrivilege	2672	WMIC.exe
Token: SeSystemProfilePrivilege	2672	WMIC.exe
Token: SeSystemtimePrivilege	2672	WMIC.exe
Token: SeProfSingleProcessPrivilege	2672	WMIC.exe
Token: SeIncBasePriorityPrivilege	2672	WMIC.exe
Token: SeCreatePagefilePrivilege	2672	WMIC.exe
Token: SeBackupPrivilege	2672	WMIC.exe
Token: SeRestorePrivilege	2672	WMIC.exe
Token: SeShutdownPrivilege	2672	WMIC.exe
Token: SeDebugPrivilege	2672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2672	WMIC.exe
Token: SeRemoteShutdownPrivilege	2672	WMIC.exe
Token: SeUndockPrivilege	2672	WMIC.exe
Token: SeManageVolumePrivilege	2672	WMIC.exe
Token: 33	2672	WMIC.exe
Token: 34	2672	WMIC.exe
Token: 35	2672	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2672	WMIC.exe
Token: SeSecurityPrivilege	2672	WMIC.exe
Token: SeTakeOwnershipPrivilege	2672	WMIC.exe
Token: SeLoadDriverPrivilege	2672	WMIC.exe
Token: SeSystemProfilePrivilege	2672	WMIC.exe
Token: SeSystemtimePrivilege	2672	WMIC.exe
Token: SeProfSingleProcessPrivilege	2672	WMIC.exe
Token: SeIncBasePriorityPrivilege	2672	WMIC.exe
Token: SeCreatePagefilePrivilege	2672	WMIC.exe
Token: SeBackupPrivilege	2672	WMIC.exe
Token: SeRestorePrivilege	2672	WMIC.exe
Token: SeShutdownPrivilege	2672	WMIC.exe
Token: SeDebugPrivilege	2672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2672	WMIC.exe
Token: SeRemoteShutdownPrivilege	2672	WMIC.exe
Token: SeUndockPrivilege	2672	WMIC.exe
Token: SeManageVolumePrivilege	2672	WMIC.exe
Token: 33	2672	WMIC.exe
Token: 34	2672	WMIC.exe
Token: 35	2672	WMIC.exe
Token: SeBackupPrivilege	2428	vssvc.exe
Token: SeRestorePrivilege	2428	vssvc.exe
Token: SeAuditPrivilege	2428	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid	Process
2104	iexplore.exe
1556	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
2104	iexplore.exe
2104	iexplore.exe
596	IEXPLORE.EXE
596	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

VirusShare_00442a088456ce18a43187605557b3d1.exewsmprovhost.exeiexplore.exe

description	pid	Process	procid_target
PID 1688 wrote to memory of 2284	1688	VirusShare_00442a088456ce18a43187605557b3d1.exe	28
PID 1688 wrote to memory of 2284	1688	VirusShare_00442a088456ce18a43187605557b3d1.exe	28
PID 1688 wrote to memory of 2284	1688	VirusShare_00442a088456ce18a43187605557b3d1.exe	28
PID 1688 wrote to memory of 2284	1688	VirusShare_00442a088456ce18a43187605557b3d1.exe	28
PID 1688 wrote to memory of 2664	1688	VirusShare_00442a088456ce18a43187605557b3d1.exe	29
PID 1688 wrote to memory of 2664	1688	VirusShare_00442a088456ce18a43187605557b3d1.exe	29
PID 1688 wrote to memory of 2664	1688	VirusShare_00442a088456ce18a43187605557b3d1.exe	29
PID 1688 wrote to memory of 2664	1688	VirusShare_00442a088456ce18a43187605557b3d1.exe	29
PID 2284 wrote to memory of 2672	2284	wsmprovhost.exe	31
PID 2284 wrote to memory of 2672	2284	wsmprovhost.exe	31
PID 2284 wrote to memory of 2672	2284	wsmprovhost.exe	31
PID 2284 wrote to memory of 2672	2284	wsmprovhost.exe	31
PID 2284 wrote to memory of 2980	2284	wsmprovhost.exe	39
PID 2284 wrote to memory of 2980	2284	wsmprovhost.exe	39
PID 2284 wrote to memory of 2980	2284	wsmprovhost.exe	39
PID 2284 wrote to memory of 2980	2284	wsmprovhost.exe	39
PID 2284 wrote to memory of 2104	2284	wsmprovhost.exe	40
PID 2284 wrote to memory of 2104	2284	wsmprovhost.exe	40
PID 2284 wrote to memory of 2104	2284	wsmprovhost.exe	40
PID 2284 wrote to memory of 2104	2284	wsmprovhost.exe	40
PID 2284 wrote to memory of 1960	2284	wsmprovhost.exe	41
PID 2284 wrote to memory of 1960	2284	wsmprovhost.exe	41
PID 2284 wrote to memory of 1960	2284	wsmprovhost.exe	41
PID 2284 wrote to memory of 1960	2284	wsmprovhost.exe	41
PID 2104 wrote to memory of 596	2104	iexplore.exe	43
PID 2104 wrote to memory of 596	2104	iexplore.exe	43
PID 2104 wrote to memory of 596	2104	iexplore.exe	43
PID 2104 wrote to memory of 596	2104	iexplore.exe	43
PID 2284 wrote to memory of 2480	2284	wsmprovhost.exe	44
PID 2284 wrote to memory of 2480	2284	wsmprovhost.exe	44
PID 2284 wrote to memory of 2480	2284	wsmprovhost.exe	44
PID 2284 wrote to memory of 2480	2284	wsmprovhost.exe	44

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wsmprovhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wsmprovhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wsmprovhost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_00442a088456ce18a43187605557b3d1.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_00442a088456ce18a43187605557b3d1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
  C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2284
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\{RecOveR}-jhhxx__.Txt
    3⤵
    PID:2980
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\{RecOveR}-jhhxx__.Htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:596
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\WSMPRO~1.EXE >> NUL
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\{RecOveR}-jhhxx__.Htm

Filesize
9KB

MD5
3f8687c9750fa056540c67fac01ce69f

SHA1
8e92a0bb4d09d7337254aa3f60eab922d6138f9b

SHA256
059cd25602f7c1b1964bb059da26eb064906965f95de44f76ce4aae28ef1894c

SHA512
fd8ad24902e556d93e97309249e1c8514f18bbf3854acf6291048dce221231ee62466fd574bb4b41ad879f20a9c9be674386e277e357ed141c306474973d577e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\{RecOveR}-jhhxx__.Png

Filesize
95KB

MD5
40a1f298d5b95728a7bd53f7b1c8b20d

SHA1
802f7f0bc84a9ced6b7d5eef9eaea5ff70db0785

SHA256
e33c5373f66d8598785e4c7b4262e21b6ea490c9d974c6311608d57d5f2c09b7

SHA512
3fc64ef672cb178b0e39661f8a669321f19e14cd4ca41720ef3d411ddedc8cd854b5a2b11d29e13d4e87d982ecb1a25517cdf8e330f20a5a6078a43465dfee29

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\{RecOveR}-jhhxx__.Txt

Filesize
2KB

MD5
e5b9f975122d3061ad0c5e6669de5ec7

SHA1
d9cbc7e1ded52fa26d2b03a0103e39c0986d12d0

SHA256
e64fecffa94f17192d74245f79afa7bc785688e9a7d243aae53e3d7f1206a726

SHA512
a6f5c8acdec94093fde359515183dfd4778d82196b948f204977248c3e400062ed3d2767cf70aa44d15e9ec2652b75ccb21e410465dc1aea159e2c30f4b1d548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
373a5efd30a2c21a147a7b849ce5dcbb

SHA1
d49a579b75bbc6d8c99750fbf1725e233ac17b33

SHA256
7997a365bd859b7544918ab8339989b480068e18b2f8bfcdcda6fbc9d4e4e5e3

SHA512
8ff20a8f1333621bea895ddc61c1c9b97e9ec8a72e8bb9d586ceb4350953475f9e62a45f4b077bb6feed2f650c6583e1cafdc9a06da302f9d8f13ec530ea3d81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d688e2201c0b4fa5d86c678c5c4aa17

SHA1
657f07c9734eac9fb1f3f65a4ea51c6314ebaff8

SHA256
5d8866ecbb82e8876dab1839d8e492c05a1a38af3272215b9df2047f1f1da640

SHA512
0238657f33cf49c76c3ed86b915152d1937986f3cfcbbe9e2342a91022b4433828828f3fd5eb7bd48c470ee7e659479ba9dd4ca1ecbcaac4f9cd4776d9f1d0e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71f917c73569b102426703d1e69df6ee

SHA1
edb4528508a258e0d361f30a531450f398e4ce10

SHA256
37bd63bbe46e0052614cba519c984f8f198adb61390539685b82e8c1064d6371

SHA512
67ad56ea6ab51bc4547d6d545755c0929cd213732c2abe0433c5feed43363f28372d80f63353b96b611fdf89708ffc56a019c0ecfed7477eea0070a5088bbd2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
283867633ad849226ab83a01ee4dc728

SHA1
5a8df2b6a7c02155ed3e147df09da89487a34389

SHA256
e9a83ecfc73ee3af4bdbab94f8bbf1f1b0bfdbf6724a9e0951f4393dcc53affd

SHA512
8701119e405b0a666c9ea546c47378659856f7397f1534b70c6673c27168dde79955d80626915b96bbe714e66d1ada91104849fed92945b364926398162fbade

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c64af7ad16967efce6286d9eda07b9d

SHA1
040b77c9bd702a61e113659005a53944426f60fa

SHA256
a917526c75e2699c9a38a2511430b75637c109d4345a58e6be879f91fce76b5c

SHA512
988ae8d50fcd47b7f4383064623655fc2baaad2453184ed409cfebe016391eecdb3e73917e0fc604b687cd6663d311ce4045330731c94920e403bcec32bd8346

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3d12ea8695615aaf91ea937a1d80c2e

SHA1
d1c36e3bac8552e9a0bbb08210b810954c43a76d

SHA256
a121c74931819ae02aa8a67c74bda4d05ebcc1a47cb465759d71136f59ab9575

SHA512
0313b599e3aabd312e33c93da00fff7d482cdac144858c45f181b3798e7ead0e85e739d3cf1d2d5a6c364672c27c8d0f2ba0fa71b3c42ca2221fc3651efb5fc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1498da001f976902d39dbd11da69291b

SHA1
687fd45ffe87275547c0687c89feff9685d80755

SHA256
198f371ee4a096d86511c2211a1cc7654a37a75f07a38ca37a38786006511e64

SHA512
528a2ef861b4761dc20e304d2c981a3ceced4bd7d23d180fa63309e7cb82631f4922e0666691d8915876456c8582b53514214f084809a129ab9541b7928bac72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9fd74f61e4f941f8c23005c1f565af1

SHA1
e684c2ae118addf45ef46256a00d55cf217d20c4

SHA256
471afc4cd92ba8da75a18cd4ecbf13f2a08b3a6f18ca5088f5ca9dbd2b7cb687

SHA512
4b1e0445a63cd067806e91a2d9f002bea5af873356024c3f961613166806c99d3467894b80039e2d13c4eea41bd7fddb3d441a9159beb5abd347884002dbf180

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93ae28b957b2ba5fa48311fa7e9ae033

SHA1
ba152dc755887ff391c557380485291992f0848f

SHA256
c621e4d5ba4529099d2985656155aea3a1e2ad51fea52b176fe05e68d8ce5547

SHA512
939d4a2f0bee3e9cc053e3c360b95623b0f6284d5048c6cb8bb77e20bcb57dd1dd1bade267d1b04641fac95b5f84653263be120fdeacae8e693a7edfaca53753

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e37565b809ba9329fbe557ecf6bdadb

SHA1
531fa43be1d0bdc3f68cbe890340a896471487f7

SHA256
ae71bb22bf246415a89000406e1673fa3dc84483decc3b9118a8ddc0b7f4b542

SHA512
2f6f8176a14cf0eb73cbc9190660505832ce35433c128d40a75ec70e9cb909b6efd82b1dc340316113d898f36af8836a0a18c1c5f138db7735e9966d434c884f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a14f1d7dcb5e9ea6b7997c7dba98f58

SHA1
341abef43c86188a5ad39ae8a4183c218ba3622f

SHA256
ec6ff4cf63c5f548f35d163cf9626d9ff3243c77e2c179df3a425950b110c8df

SHA512
2968dd1b4d196542104921f236d6babb95e20f320b7b03105354daf1b4e9331be606669e9abf45d6ecfc09a95e1eec0c5620e21de259945551585c5c5a8ba0cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53362df6c9442082777a87d2d0acc2f9

SHA1
a0ca66315b13b1c0bde437cde4f0c71a4b831e89

SHA256
72ca94e0820da619d7dd03ef8467d61d8a66820b1d01c3766b63dbee832f6c65

SHA512
0f376335e04eb3c94ce272516544221faca68ed9a2517aa845fb846a4e5c93d4e46d357201d6291f1acddad4070df3a6dda50ce06fbb7265eabb76136fb5a997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72e2a6559b2d96acc570cb3a760e1fb8

SHA1
fcb0ca7b0d12ba90070f6f01e66dccf9c037d5c0

SHA256
889512ff424aef7741d872a8532e46b29b493b59d57a9b49379c238d3fe10383

SHA512
07ac59cc0fdba5035cc9c0794326b90add6d5dc6f82c6230775f56a069c6089ed36011555378e105e43952956dcec47ccba412e735b067d587c6aed6507b434c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
848fce88ba090ebc24fbaaec3ae0f1d4

SHA1
7c5c03a7c5b8dbe97f426be69f22802da6ca492e

SHA256
2ba88e020ca76ff288b83faa009334cc6d2b3d7e2738058bc83770cde8855176

SHA512
1c6bd65d2abcd8beddab0191dd1980cd789fb66aeed07094c316acd7b10d830522ba756ed32888880b97bbf42d54a9a3b5104acf40f1a8f842afc563b53bc669

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f64b3008059c92be0181e405e84163ba

SHA1
96fb73f231129704bb686d17824032540da0f907

SHA256
640dcd5bd898eb2b0761d18d614d548d5d4092690ee12697ae5d94dabc0e8742

SHA512
92489822af0d0a25e2b560df51fe53c4c23a8c6b64dfb2693c1fa1f2adf2b94f3ff847c98ac66b2d1fa552d2d22a505c985648888221d0b55301c3256ed2d363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22a33706178b1c54cb75abf926b8ace2

SHA1
3227dfa9c5e46fd19178781694a80a2052917f16

SHA256
6cef16e3aab703cb54396fd043097874b8c7ca507829287e29b595b307ce83ef

SHA512
49dd1cb3f7b7a88385af0fe4c6df5407e33c80f2f9434af56b4082b00292461015e55c68c476740fed93ff80e95751255357c6997d2a409df229c1cd996bcdb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47592fb3e25634123d73c63bb168d0e1

SHA1
41bb522b1fff6922922a7bdd83e2409907bf74ab

SHA256
ac40a7b11e01bb363846756b2dd14c9f46a794f5b364b94413a85aa6017a7d7a

SHA512
89464f4c44afd853ad3aa2f9a7e0f6059d49b5a2fa69ed28781238413230ec6c03af408157f5a116d4d36386c745fed524d7c3cae708d00cb3765a26b44b559d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
616284cc9ace206ab232ca871711441d

SHA1
a8360af5d87b0f4fc62cb96a2d3d95e18065d8c0

SHA256
13876c980197529fc76ce96b0e607c7e725f4b07860815f6d13085fd8f765c01

SHA512
ab21329f4b47a8a13c8dcd9fee00df26f91d07521b73cea42f8c073df3ae6323c697f4f31dd1619227745d9e200c9199e82d89481ca80214cc24c9aec3add6b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c521d3f6ccdd6cabaf16beabf8e1484

SHA1
6b25ebea0b15959e86d8802bd1b3913840a47861

SHA256
9688e2f501818a5aa677e918fe894e58a5be4312a6437ed78b38e725eb465531

SHA512
07f128fccaf99c1056f53685f37e5d8be49bfc90a77bd0682a0cae6a111443069a3efedda71a927d0d8fc338b218a02eba00bdb83cf93eaed008a42fb92d34b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b3a514bac025908e8d2daa1bde14185

SHA1
eb15d757066f10675cc957c1d95dc41b12fb06fc

SHA256
03e9de3cebd8e0b6de8b672fdfbf2b1e2e618cc849ac4029f2b5475f7ba9c6ff

SHA512
bcb1f285a26bb5b5382cf76aa682aaed2556dcff9b4064ec74009f335b9afcbb8cd3887dde075ff08e5ee6cf877ed79425b3d897ad5f04d17d442794992773fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bd302b2a2678d7de0d10ec865bcf2d5

SHA1
902db385401316db63249369763f6c5883750679

SHA256
da2823357f842f56b415ea9db18734885213af9716645dc64c5042bc84ddf89d

SHA512
4060eab81a9cd762bfc5cbbe334601a20f333638821564c368c68f9c182a506f9358a71ea734061f5d5838860f2177e70302e7573548004fe46142b66bedaf29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
037860c321584f3686db0d6893ca0659

SHA1
8c53f009423c17df22116c97aa560bab30205f26

SHA256
f2b02e56b923ff55c7e22a8471a26b70df8f246cf89f93b714245f4902b17418

SHA512
ea3b6ec0f277177144d393575d6173769e09d1b391c12b5c014ac4b8603242a02dba8e0de6190dcda3e8f780d5893a762cb46f9374bdd5d0bb39ada60a1012ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A43.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\wsmprovhost.exe

Filesize
344KB

MD5
00442a088456ce18a43187605557b3d1

SHA1
d02f19accf695508bc31a650539934d8ea46fb15

SHA256
d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422

SHA512
62d65da6e38ceae67845d44fe979941049d54075ca16ff0ed6b6db3379ccc30df55da5a4a2926e52147a48f0c11c2283fc1ee06864e8605bf31fb77b766656a7

Download Submit
memory/1556-5631-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1688-0-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1688-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1688-13-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2284-5648-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2284-14-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2284-1802-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2284-4392-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2284-5630-0x0000000003550000-0x0000000003552000-memory.dmp

Filesize
8KB

Download
memory/2284-5647-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download