d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_00442a088456ce18a43187605557b3d1.exe
Size

344KB
MD5

00442a088456ce18a43187605557b3d1
SHA1

d02f19accf695508bc31a650539934d8ea46fb15
SHA256

d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422
SHA512

62d65da6e38ceae67845d44fe979941049d54075ca16ff0ed6b6db3379ccc30df55da5a4a2926e52147a48f0c11c2283fc1ee06864e8605bf31fb77b766656a7
SSDEEP

6144:V6DdOsqgCFKNnhMA6GOopUtQ9KIwD13KJ181KUO:sZOsSwhCGbWWu13E0

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\{RecOveR}-giiyk__.Txt

Ransom Note

.3'%/62&)?%?2##="&<0,2:#!$-!;!; .3'%/62&)?%?2##="&<0,2:#!$-!;!; .3'%/62&)?%?2##="&<0,2:#!$-!;!; .3'%/62&)?%?2##="&<0,2:#!$-!;!; NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? .3'%/62&)?%?2##="&<0,2:#!$-!;!; .3'%/62&)?%?2##="&<0,2:#!$-!;!; It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is a possibility to restore them with our help . What exactly happened to your files ??? *** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key , which you received over the web . *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. .3'%/62&)?%?2##="&<0,2:#!$-!;!; .3'%/62&)?%?2##="&<0,2:#!$-!;!; What should you do next ? There are several options for you to consider : *** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or *** You can start getting BitCoins right now and get access to your data quite fast . In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below : http://h3ds4.maconslab.com/15F6BB776512A4B http://aq3ef.goimocoa.at/15F6BB776512A4B http://fl43s.toabolt.at/15F6BB776512A4B If you can't access your personal homepage or the addresses are not working, complete the following steps: *** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en *** Install TOR Browser and open TOR Browser *** Insert the following link in the address bar: xzjvzkgjxebzreap.onion/15F6BB776512A4B .3'%/62&)?%?2##="&<0,2:#!$-!;!; .3'%/62&)?%?2##="&<0,2:#!$-!;!; .3'%/62&)?%?2##="&<0,2:#!$-!;!; ***************IMPORTANT*****************INFORMATION******************** Your personal homepages http://h3ds4.maconslab.com/15F6BB776512A4B http://aq3ef.goimocoa.at/15F6BB776512A4B http://fl43s.toabolt.at/15F6BB776512A4B Your personal homepage Tor-Browser xzjvzkgjxebzreap.onion/15F6BB776512A4B Your personal ID 15F6BB776512A4B .3'%/62&)?%?2##="&<0,2:#!$-!;!; .3'%/62&)?%?2##="&<0,2:#!$-!;!; .3'%/62&)?%?2##="&<0,2:#!$-!;!;

URLs

http://h3ds4.maconslab.com/15F6BB776512A4B

http://aq3ef.goimocoa.at/15F6BB776512A4B

http://fl43s.toabolt.at/15F6BB776512A4B

http://xzjvzkgjxebzreap.onion/15F6BB776512A4B

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_00442a088456ce18a43187605557b3d1.exewsmprovhost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	VirusShare_00442a088456ce18a43187605557b3d1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wsmprovhost.exe

Drops startup file 6 IoCs

Processes:

wsmprovhost.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{RecOveR}-giiyk__.Txt	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{RecOveR}-giiyk__.Htm	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\{RecOveR}-giiyk__.Txt	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\{RecOveR}-giiyk__.Htm	wsmprovhost.exe

Executes dropped EXE 1 IoCs

Processes:

wsmprovhost.exe

pid	Process
3104	wsmprovhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wsmprovhost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FIX2-btutsr = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START \"\" \"C:\\Users\\Admin\\AppData\\Roaming\\wsmprovhost.exe\""	wsmprovhost.exe

Drops file in Program Files directory 64 IoCs

Processes:

wsmprovhost.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-125.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.scale-200.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\EndOfLife\Assets\{RecOveR}-giiyk__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-125.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\{RecOveR}-giiyk__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-80_altform-unplated.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-100.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-100_contrast-white.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_altform-unplated_contrast-black.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\{RecOveR}-giiyk__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\{RecOveR}-giiyk__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\{RecOveR}-giiyk__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxMetadata\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\AppxMetadata\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLogo.scale-100.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\{RecOveR}-giiyk__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\microsoft.system.package.metadata\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\Font\{RecOveR}-giiyk__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-100.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashWideTile.scale-100_contrast-white.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\{RecOveR}-giiyk__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\WinMetadata\{RecOveR}-giiyk__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLogo.scale-125.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-60.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-colorize.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-200_contrast-white.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\{RecOveR}-giiyk__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated_contrast-black.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-100.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36_altform-unplated.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\{RecOveR}-giiyk__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-200_contrast-white.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-150.png	wsmprovhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-125.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TinyTile.scale-100_contrast-black.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe805.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\microsoft.system.package.metadata\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\{RecOveR}-giiyk__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\{RecOveR}-giiyk__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\Views\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\{RecOveR}-giiyk__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-125_contrast-white.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\{RecOveR}-giiyk__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\{RecOveR}-giiyk__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-unplated.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-unplated_contrast-black.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\{RecOveR}-giiyk__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\{RecOveR}-giiyk__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\{RecOveR}-giiyk__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-20.png	wsmprovhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

wsmprovhost.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	wsmprovhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wsmprovhost.exe

pid	Process
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe
3104	wsmprovhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wsmprovhost.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	3104	wsmprovhost.exe
Token: SeIncreaseQuotaPrivilege	3240	WMIC.exe
Token: SeSecurityPrivilege	3240	WMIC.exe
Token: SeTakeOwnershipPrivilege	3240	WMIC.exe
Token: SeLoadDriverPrivilege	3240	WMIC.exe
Token: SeSystemProfilePrivilege	3240	WMIC.exe
Token: SeSystemtimePrivilege	3240	WMIC.exe
Token: SeProfSingleProcessPrivilege	3240	WMIC.exe
Token: SeIncBasePriorityPrivilege	3240	WMIC.exe
Token: SeCreatePagefilePrivilege	3240	WMIC.exe
Token: SeBackupPrivilege	3240	WMIC.exe
Token: SeRestorePrivilege	3240	WMIC.exe
Token: SeShutdownPrivilege	3240	WMIC.exe
Token: SeDebugPrivilege	3240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3240	WMIC.exe
Token: SeRemoteShutdownPrivilege	3240	WMIC.exe
Token: SeUndockPrivilege	3240	WMIC.exe
Token: SeManageVolumePrivilege	3240	WMIC.exe
Token: 33	3240	WMIC.exe
Token: 34	3240	WMIC.exe
Token: 35	3240	WMIC.exe
Token: 36	3240	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3240	WMIC.exe
Token: SeSecurityPrivilege	3240	WMIC.exe
Token: SeTakeOwnershipPrivilege	3240	WMIC.exe
Token: SeLoadDriverPrivilege	3240	WMIC.exe
Token: SeSystemProfilePrivilege	3240	WMIC.exe
Token: SeSystemtimePrivilege	3240	WMIC.exe
Token: SeProfSingleProcessPrivilege	3240	WMIC.exe
Token: SeIncBasePriorityPrivilege	3240	WMIC.exe
Token: SeCreatePagefilePrivilege	3240	WMIC.exe
Token: SeBackupPrivilege	3240	WMIC.exe
Token: SeRestorePrivilege	3240	WMIC.exe
Token: SeShutdownPrivilege	3240	WMIC.exe
Token: SeDebugPrivilege	3240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3240	WMIC.exe
Token: SeRemoteShutdownPrivilege	3240	WMIC.exe
Token: SeUndockPrivilege	3240	WMIC.exe
Token: SeManageVolumePrivilege	3240	WMIC.exe
Token: 33	3240	WMIC.exe
Token: 34	3240	WMIC.exe
Token: 35	3240	WMIC.exe
Token: 36	3240	WMIC.exe
Token: SeBackupPrivilege	4964	vssvc.exe
Token: SeRestorePrivilege	4964	vssvc.exe
Token: SeAuditPrivilege	4964	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3620	WMIC.exe
Token: SeSecurityPrivilege	3620	WMIC.exe
Token: SeTakeOwnershipPrivilege	3620	WMIC.exe
Token: SeLoadDriverPrivilege	3620	WMIC.exe
Token: SeSystemProfilePrivilege	3620	WMIC.exe
Token: SeSystemtimePrivilege	3620	WMIC.exe
Token: SeProfSingleProcessPrivilege	3620	WMIC.exe
Token: SeIncBasePriorityPrivilege	3620	WMIC.exe
Token: SeCreatePagefilePrivilege	3620	WMIC.exe
Token: SeBackupPrivilege	3620	WMIC.exe
Token: SeRestorePrivilege	3620	WMIC.exe
Token: SeShutdownPrivilege	3620	WMIC.exe
Token: SeDebugPrivilege	3620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3620	WMIC.exe
Token: SeRemoteShutdownPrivilege	3620	WMIC.exe
Token: SeUndockPrivilege	3620	WMIC.exe
Token: SeManageVolumePrivilege	3620	WMIC.exe
Token: 33	3620	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_00442a088456ce18a43187605557b3d1.exewsmprovhost.exemsedge.exe

description	pid	Process	procid_target
PID 2548 wrote to memory of 3104	2548	VirusShare_00442a088456ce18a43187605557b3d1.exe	83
PID 2548 wrote to memory of 3104	2548	VirusShare_00442a088456ce18a43187605557b3d1.exe	83
PID 2548 wrote to memory of 3104	2548	VirusShare_00442a088456ce18a43187605557b3d1.exe	83
PID 2548 wrote to memory of 1168	2548	VirusShare_00442a088456ce18a43187605557b3d1.exe	84
PID 2548 wrote to memory of 1168	2548	VirusShare_00442a088456ce18a43187605557b3d1.exe	84
PID 2548 wrote to memory of 1168	2548	VirusShare_00442a088456ce18a43187605557b3d1.exe	84
PID 3104 wrote to memory of 3240	3104	wsmprovhost.exe	87
PID 3104 wrote to memory of 3240	3104	wsmprovhost.exe	87
PID 3104 wrote to memory of 4492	3104	wsmprovhost.exe	100
PID 3104 wrote to memory of 4492	3104	wsmprovhost.exe	100
PID 3104 wrote to memory of 4492	3104	wsmprovhost.exe	100
PID 3104 wrote to memory of 3240	3104	wsmprovhost.exe	101
PID 3104 wrote to memory of 3240	3104	wsmprovhost.exe	101
PID 3240 wrote to memory of 2896	3240	msedge.exe	102
PID 3240 wrote to memory of 2896	3240	msedge.exe	102
PID 3104 wrote to memory of 3620	3104	wsmprovhost.exe	103
PID 3104 wrote to memory of 3620	3104	wsmprovhost.exe	103
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 512	3240	msedge.exe	105
PID 3240 wrote to memory of 3772	3240	msedge.exe	106
PID 3240 wrote to memory of 3772	3240	msedge.exe	106
PID 3240 wrote to memory of 2916	3240	msedge.exe	107
PID 3240 wrote to memory of 2916	3240	msedge.exe	107
PID 3240 wrote to memory of 2916	3240	msedge.exe	107
PID 3240 wrote to memory of 2916	3240	msedge.exe	107
PID 3240 wrote to memory of 2916	3240	msedge.exe	107

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wsmprovhost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wsmprovhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wsmprovhost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_00442a088456ce18a43187605557b3d1.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_00442a088456ce18a43187605557b3d1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
  C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3104
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3240
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\{RecOveR}-giiyk__.Txt
    3⤵
    PID:4492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\{RecOveR}-giiyk__.Htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf08346f8,0x7ffaf0834708,0x7ffaf0834718
      4⤵
      PID:2896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10517430786365495777,15181391919418010607,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      PID:512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,10517430786365495777,15181391919418010607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      PID:3772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,10517430786365495777,15181391919418010607,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
      4⤵
      PID:2916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10517430786365495777,15181391919418010607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
      4⤵
      PID:2128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10517430786365495777,15181391919418010607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:3572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10517430786365495777,15181391919418010607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
      4⤵
      PID:396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10517430786365495777,15181391919418010607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
      4⤵
      PID:3644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10517430786365495777,15181391919418010607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
      4⤵
      PID:3944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10517430786365495777,15181391919418010607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
      4⤵
      PID:3932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10517430786365495777,15181391919418010607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:3580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10517430786365495777,15181391919418010607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:2412
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\WSMPRO~1.EXE >> NUL
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  PID:1168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\{RecOveR}-giiyk__.Htm

Filesize
9KB

MD5
f86ff4342f73c37bcf1b06d5fecf75c1

SHA1
e9e2b13285d41948ca054942a778c0fa58d54cea

SHA256
585ffd44fae698af8abcab602f6ae57ffef528dca74e2c309e0839589dd7a255

SHA512
11a5a4b44d369a54684fcd0609be220008c47eae388d9288ac2bb97bce0c4e01744c309684bc735523ceb7b2c4119a5ee11e7a7b36111a6b9537f76703ee7aae

Download Submit
C:\Program Files\7-Zip\Lang\{RecOveR}-giiyk__.Png

Filesize
93KB

MD5
ea2bd5b4d1a1365de6e4c48cae2e1af5

SHA1
4500d58c11617be5f188212b4ddb27aa1ba1a28e

SHA256
33c2909e790bd3206a2ee70a721051bc46ed24010e624f16c25e3d0fda8b49d8

SHA512
47be8dbf090a9e20eba69c3f9533d6bf5d5ffb11d2350f014fb46e7ef2e12aefce1b0aa77a27f5338b37512f2ef004f8ac80c7efb1acacb89b91b9829861a7df

Download Submit
C:\Program Files\7-Zip\Lang\{RecOveR}-giiyk__.Txt

Filesize
2KB

MD5
35f68f08377e3e1f1b3ca84b730131b2

SHA1
332d0121d45c7cf5179886bc7006d2c6f6422d50

SHA256
fb8e57945bec3c758cbf955287ad2abb1b6d7d35b4cd6e8244a8d1a9058fd84f

SHA512
c010c80d54f4298e28307da9b5b582772bc64323349649d60f8a272f835f96d9f73d6f892f5ac552c59c3343634d4da6f604eb4817c8fe576d3a3da4764215b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e3c5a28b189e14649e717d551aea039e

SHA1
b9fc67b86302d7e99d1b878f7c84c0bf841a28fb

SHA256
c8005156c69dd1941cc9c463b503343f7b6bdf335b6550a6bd5868573762ac0c

SHA512
4a121fbdabf16ac54152f9a4dd379d3bd28d03825aaf9df290e29f838d5c27d444827e9094c0ec8a970f4dbbd9b95ceaa8b27f06b1a8b3b43d83b9405dd3edcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
425a7b55f2e897d21124609c0e6b7390

SHA1
4176a9050fe609ae87feb252ca3eb8119b5cc729

SHA256
1d46416ddcd1ef367cfa8f2a15d3525c0c00f779c51e2f46bd90eac7c74a0046

SHA512
31d7d9a9a02aeb05307cf0b6218b6acba7708c80e958983878bd55b094c9656edae2f216460ab143e1ea82e2fe4f2042d2edaf022d4dada639e202b6d68fe5de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
26b50e28f50bcd60faf21f1a3b5f1340

SHA1
ebccffa81ede0cb8d0a3695bdfc00f671a68b45d

SHA256
6326848bcbd05c422b0ad8e0a6e39933937b7dec8829603cf2ad1e23d68972c9

SHA512
def8218ac9a2ddac38f355094b55520fc73b795cc124ef727ee3e58c4f717e3ac08078a93930ca4021d4d8c9be25e11d03642aa22cc4920f6365c4147ee41046

Download Submit
C:\Users\Admin\AppData\Roaming\wsmprovhost.exe

Filesize
344KB

MD5
00442a088456ce18a43187605557b3d1

SHA1
d02f19accf695508bc31a650539934d8ea46fb15

SHA256
d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422

SHA512
62d65da6e38ceae67845d44fe979941049d54075ca16ff0ed6b6db3379ccc30df55da5a4a2926e52147a48f0c11c2283fc1ee06864e8605bf31fb77b766656a7

Download Submit
\??\pipe\LOCAL\crashpad_3240_UTWOMYXMWBZZVSXR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2548-2-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2548-9-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2548-10-0x00000000743C0000-0x00000000743F9000-memory.dmp

Filesize
228KB

Download
memory/2548-3-0x00000000743C0000-0x00000000743F9000-memory.dmp

Filesize
228KB

Download
memory/2548-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3104-13-0x00000000743C0000-0x00000000743F9000-memory.dmp

Filesize
228KB

Download
memory/3104-9534-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3104-9580-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3104-9581-0x00000000743C0000-0x00000000743F9000-memory.dmp

Filesize
228KB

Download
memory/3104-9489-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3104-6872-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3104-3998-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3104-1815-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download