d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00442a088456ce18a43187605557b3d1_JaffaCakes118.exe
Size

344KB
MD5

00442a088456ce18a43187605557b3d1
SHA1

d02f19accf695508bc31a650539934d8ea46fb15
SHA256

d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422
SHA512

62d65da6e38ceae67845d44fe979941049d54075ca16ff0ed6b6db3379ccc30df55da5a4a2926e52147a48f0c11c2283fc1ee06864e8605bf31fb77b766656a7
SSDEEP

6144:V6DdOsqgCFKNnhMA6GOopUtQ9KIwD13KJ181KUO:sZOsSwhCGbWWu13E0

Score

10^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\{RecOveR}-yhrws__.Txt

Ransom Note

'+61'4*4;34"59!?4%(2#)=1%17<0$: '+61'4*4;34"59!?4%(2#)=1%17<0$: '+61'4*4;34"59!?4%(2#)=1%17<0$: '+61'4*4;34"59!?4%(2#)=1%17<0$: NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? '+61'4*4;34"59!?4%(2#)=1%17<0$: '+61'4*4;34"59!?4%(2#)=1%17<0$: It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is a possibility to restore them with our help . What exactly happened to your files ??? *** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key , which you received over the web . *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. '+61'4*4;34"59!?4%(2#)=1%17<0$: '+61'4*4;34"59!?4%(2#)=1%17<0$: What should you do next ? There are several options for you to consider : *** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or *** You can start getting BitCoins right now and get access to your data quite fast . In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below : http://h3ds4.maconslab.com/AD35F03018765474 http://aq3ef.goimocoa.at/AD35F03018765474 http://fl43s.toabolt.at/AD35F03018765474 If you can't access your personal homepage or the addresses are not working, complete the following steps: *** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en *** Install TOR Browser and open TOR Browser *** Insert the following link in the address bar: xzjvzkgjxebzreap.onion/AD35F03018765474 '+61'4*4;34"59!?4%(2#)=1%17<0$: '+61'4*4;34"59!?4%(2#)=1%17<0$: '+61'4*4;34"59!?4%(2#)=1%17<0$: ***************IMPORTANT*****************INFORMATION******************** Your personal homepages http://h3ds4.maconslab.com/AD35F03018765474 http://aq3ef.goimocoa.at/AD35F03018765474 http://fl43s.toabolt.at/AD35F03018765474 Your personal homepage Tor-Browser xzjvzkgjxebzreap.onion/AD35F03018765474 Your personal ID AD35F03018765474 '+61'4*4;34"59!?4%(2#)=1%17<0$: '+61'4*4;34"59!?4%(2#)=1%17<0$: '+61'4*4;34"59!?4%(2#)=1%17<0$:

URLs

http://h3ds4.maconslab.com/AD35F03018765474

http://aq3ef.goimocoa.at/AD35F03018765474

http://fl43s.toabolt.at/AD35F03018765474

http://xzjvzkgjxebzreap.onion/AD35F03018765474

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

00442a088456ce18a43187605557b3d1_JaffaCakes118.exewsmprovhost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	wsmprovhost.exe

Drops startup file 6 IoCs

Processes:

wsmprovhost.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{RecOveR}-yhrws__.Txt	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\{RecOveR}-yhrws__.Txt	wsmprovhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\{RecOveR}-yhrws__.Htm	wsmprovhost.exe

Executes dropped EXE 1 IoCs

Processes:

wsmprovhost.exe

pid	Process
2728	wsmprovhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wsmprovhost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FIX2-rvsyvb = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START \"\" \"C:\\Users\\Admin\\AppData\\Roaming\\wsmprovhost.exe\""	wsmprovhost.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

wsmprovhost.exe

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es.pak	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_32x32x32.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\{RecOveR}-yhrws__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\{RecOveR}-yhrws__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8041_40x40x32.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200_contrast-black.png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\{RecOveR}-yhrws__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-48.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-100.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\{RecOveR}-yhrws__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-36_altform-lightunplated.png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\{RecOveR}-yhrws__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-150.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-200.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\dismiss.contrast-white.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-150.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-125_contrast-black.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\{RecOveR}-yhrws__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\View3d\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-200.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\{RecOveR}-yhrws__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\{RecOveR}-yhrws__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\Magic_Select_add_tool.mp4	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-200.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-400.png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\{RecOveR}-yhrws__.Txt	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-200.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-32_altform-unplated.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-300.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\2876_24x24x32.png	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\{RecOveR}-yhrws__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-125.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-150.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-lightunplated.png	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\{RecOveR}-yhrws__.Htm	wsmprovhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-100.png	wsmprovhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\{RecOveR}-yhrws__.Png	wsmprovhost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeNOTEPAD.EXEcmd.exe00442a088456ce18a43187605557b3d1_JaffaCakes118.exewsmprovhost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsmprovhost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

wsmprovhost.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	wsmprovhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wsmprovhost.exe

pid	Process
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe
2728	wsmprovhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wsmprovhost.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2728	wsmprovhost.exe
Token: SeIncreaseQuotaPrivilege	4512	WMIC.exe
Token: SeSecurityPrivilege	4512	WMIC.exe
Token: SeTakeOwnershipPrivilege	4512	WMIC.exe
Token: SeLoadDriverPrivilege	4512	WMIC.exe
Token: SeSystemProfilePrivilege	4512	WMIC.exe
Token: SeSystemtimePrivilege	4512	WMIC.exe
Token: SeProfSingleProcessPrivilege	4512	WMIC.exe
Token: SeIncBasePriorityPrivilege	4512	WMIC.exe
Token: SeCreatePagefilePrivilege	4512	WMIC.exe
Token: SeBackupPrivilege	4512	WMIC.exe
Token: SeRestorePrivilege	4512	WMIC.exe
Token: SeShutdownPrivilege	4512	WMIC.exe
Token: SeDebugPrivilege	4512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4512	WMIC.exe
Token: SeRemoteShutdownPrivilege	4512	WMIC.exe
Token: SeUndockPrivilege	4512	WMIC.exe
Token: SeManageVolumePrivilege	4512	WMIC.exe
Token: 33	4512	WMIC.exe
Token: 34	4512	WMIC.exe
Token: 35	4512	WMIC.exe
Token: 36	4512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4512	WMIC.exe
Token: SeSecurityPrivilege	4512	WMIC.exe
Token: SeTakeOwnershipPrivilege	4512	WMIC.exe
Token: SeLoadDriverPrivilege	4512	WMIC.exe
Token: SeSystemProfilePrivilege	4512	WMIC.exe
Token: SeSystemtimePrivilege	4512	WMIC.exe
Token: SeProfSingleProcessPrivilege	4512	WMIC.exe
Token: SeIncBasePriorityPrivilege	4512	WMIC.exe
Token: SeCreatePagefilePrivilege	4512	WMIC.exe
Token: SeBackupPrivilege	4512	WMIC.exe
Token: SeRestorePrivilege	4512	WMIC.exe
Token: SeShutdownPrivilege	4512	WMIC.exe
Token: SeDebugPrivilege	4512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4512	WMIC.exe
Token: SeRemoteShutdownPrivilege	4512	WMIC.exe
Token: SeUndockPrivilege	4512	WMIC.exe
Token: SeManageVolumePrivilege	4512	WMIC.exe
Token: 33	4512	WMIC.exe
Token: 34	4512	WMIC.exe
Token: 35	4512	WMIC.exe
Token: 36	4512	WMIC.exe
Token: SeBackupPrivilege	2688	vssvc.exe
Token: SeRestorePrivilege	2688	vssvc.exe
Token: SeAuditPrivilege	2688	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2336	WMIC.exe
Token: SeSecurityPrivilege	2336	WMIC.exe
Token: SeTakeOwnershipPrivilege	2336	WMIC.exe
Token: SeLoadDriverPrivilege	2336	WMIC.exe
Token: SeSystemProfilePrivilege	2336	WMIC.exe
Token: SeSystemtimePrivilege	2336	WMIC.exe
Token: SeProfSingleProcessPrivilege	2336	WMIC.exe
Token: SeIncBasePriorityPrivilege	2336	WMIC.exe
Token: SeCreatePagefilePrivilege	2336	WMIC.exe
Token: SeBackupPrivilege	2336	WMIC.exe
Token: SeRestorePrivilege	2336	WMIC.exe
Token: SeShutdownPrivilege	2336	WMIC.exe
Token: SeDebugPrivilege	2336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2336	WMIC.exe
Token: SeRemoteShutdownPrivilege	2336	WMIC.exe
Token: SeUndockPrivilege	2336	WMIC.exe
Token: SeManageVolumePrivilege	2336	WMIC.exe
Token: 33	2336	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

00442a088456ce18a43187605557b3d1_JaffaCakes118.exewsmprovhost.exemsedge.exe

description	pid	Process	procid_target
PID 2968 wrote to memory of 2728	2968	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	82
PID 2968 wrote to memory of 2728	2968	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	82
PID 2968 wrote to memory of 2728	2968	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	82
PID 2968 wrote to memory of 3740	2968	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	83
PID 2968 wrote to memory of 3740	2968	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	83
PID 2968 wrote to memory of 3740	2968	00442a088456ce18a43187605557b3d1_JaffaCakes118.exe	83
PID 2728 wrote to memory of 4512	2728	wsmprovhost.exe	85
PID 2728 wrote to memory of 4512	2728	wsmprovhost.exe	85
PID 2728 wrote to memory of 1060	2728	wsmprovhost.exe	99
PID 2728 wrote to memory of 1060	2728	wsmprovhost.exe	99
PID 2728 wrote to memory of 1060	2728	wsmprovhost.exe	99
PID 2728 wrote to memory of 4900	2728	wsmprovhost.exe	100
PID 2728 wrote to memory of 4900	2728	wsmprovhost.exe	100
PID 4900 wrote to memory of 280	4900	msedge.exe	101
PID 4900 wrote to memory of 280	4900	msedge.exe	101
PID 2728 wrote to memory of 2336	2728	wsmprovhost.exe	102
PID 2728 wrote to memory of 2336	2728	wsmprovhost.exe	102
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1972	4900	msedge.exe	104
PID 4900 wrote to memory of 1348	4900	msedge.exe	105
PID 4900 wrote to memory of 1348	4900	msedge.exe	105
PID 4900 wrote to memory of 1792	4900	msedge.exe	106
PID 4900 wrote to memory of 1792	4900	msedge.exe	106
PID 4900 wrote to memory of 1792	4900	msedge.exe	106
PID 4900 wrote to memory of 1792	4900	msedge.exe	106
PID 4900 wrote to memory of 1792	4900	msedge.exe	106

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wsmprovhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wsmprovhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wsmprovhost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\00442a088456ce18a43187605557b3d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00442a088456ce18a43187605557b3d1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
  C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2728
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\{RecOveR}-yhrws__.Txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\{RecOveR}-yhrws__.Htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a6ce46f8,0x7ff8a6ce4708,0x7ff8a6ce4718
      4⤵
      PID:280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3521575727245310961,1057488344006187929,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:1972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3521575727245310961,1057488344006187929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      PID:1348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,3521575727245310961,1057488344006187929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
      4⤵
      PID:1792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3521575727245310961,1057488344006187929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
      4⤵
      PID:444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3521575727245310961,1057488344006187929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
      4⤵
      PID:2320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3521575727245310961,1057488344006187929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
      4⤵
      PID:820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3521575727245310961,1057488344006187929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
      4⤵
      PID:4516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3521575727245310961,1057488344006187929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3521575727245310961,1057488344006187929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
      4⤵
      PID:4068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3521575727245310961,1057488344006187929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
      4⤵
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3521575727245310961,1057488344006187929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
      4⤵
      PID:2908
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\WSMPRO~1.EXE >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\00442A~1.EXE >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\{RecOveR}-yhrws__.Htm

Filesize
9KB

MD5
2e2fd27435a5dc5d4886f3667f283fe3

SHA1
953fcd9132d8b77fb0ce094b2fd2ae22e6ac6c9c

SHA256
0d0e231b327360814d22b6617d768691d5827f46111ec33c71431a76fc0a1920

SHA512
c1489ba5927fb7e73f307e2480455b1f7dea83d39cdcec16d0c41ddc2af508847a61846599a75ed1f30349a374e353f5850d48da2f6a51be83a4f171024d7e5f

Download Submit
C:\Program Files\7-Zip\Lang\{RecOveR}-yhrws__.Png

Filesize
97KB

MD5
eb1dd69973ff62e69e617ea90495bf92

SHA1
295a3d280bf2b7f4b4bf652f56519871ed4f6371

SHA256
b0f7a37b90fdc175c00f99cdfb3b38f090a37fd4569c90a65f8c7efe3a49398e

SHA512
d738395b33b1b1391583918966187141b6e0c489b62d586aa617fd004cee780bf07f2c280f6747f4b6ca45bb2c5101320efc3227850258a69c669a22a68c9f3c

Download Submit
C:\Program Files\7-Zip\Lang\{RecOveR}-yhrws__.Txt

Filesize
2KB

MD5
c362b1aac7abc947dbed325e1ad72b9b

SHA1
e7e883ec1583c7d3a8c84c60e23755d95698a957

SHA256
ac3241c89b373639100407ea8c81505179e07371ddf9c55de46c162205115516

SHA512
75f46fa0fb1cffe80afff17960e723c4e251f22a6fa5cee6aff757d6471c8b38f60697827ab0d25bedb5661456cde65debde6ce3d3d75a0804e48a929f8b13de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab5f68a38f599fd37b60be11f233e8c6

SHA1
ee26ab7bc18bb72c3f100307833580d841fcdba7

SHA256
b431634ba1fd19165f5d40009c16e43c37898ae21d455daff22bf4112a424e71

SHA512
ae077101edd010ea9bc9a18f21ed642b4b0b1cf0bba495765e80f903903b08a3acb1bdcaa9fc6e18f1c36d3c97e1603f158fa5b06ae05f601d98cd0385d44360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f5cee5d42358de464715850d4e58b379

SHA1
e335d9b67879be168afe964e6e981e3898ec31e5

SHA256
6b34c69d7b90ef6b3de92f663a7b90923e19777bd93c6307d0ec4ae88ea5789e

SHA512
9487c6ee999347915d4b6bad816b8b10b2f6ace6c275312f44564ea0a60fb33e0476f5c8445c4ae9c244f144783f80ea100b0d47ec35ee96a28254c285535106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d814406b317f38cebd02c30dafb8dbd4

SHA1
154597e6036be1f1061f527c2195c8a2e51c1555

SHA256
4ea3cc2f7d6b9f7fde278598839aaa5f9550bb3422790d2cdf75ee0279231ab7

SHA512
713b522e2d3c53a9a31578138e955cb5267da298a21ee09d1e85348f51663a78b1481d900a70269c2f96f19293e7ea306da151fa2b4bcaa151d301dd08487339

Download Submit
C:\Users\Admin\AppData\Roaming\wsmprovhost.exe

Filesize
344KB

MD5
00442a088456ce18a43187605557b3d1

SHA1
d02f19accf695508bc31a650539934d8ea46fb15

SHA256
d8ee200589d8e7d72878ea79bcfc9d18ee52569c046df74fa0dfe7e33d9ec422

SHA512
62d65da6e38ceae67845d44fe979941049d54075ca16ff0ed6b6db3379ccc30df55da5a4a2926e52147a48f0c11c2283fc1ee06864e8605bf31fb77b766656a7

Download Submit
\??\pipe\LOCAL\crashpad_4900_RUVMGYVHVWQRTLEA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2728-13-0x0000000074950000-0x0000000074989000-memory.dmp

Filesize
228KB

Download
memory/2728-6148-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2728-8820-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2728-9761-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2728-3493-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2728-1296-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2728-9807-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2728-9808-0x0000000074950000-0x0000000074989000-memory.dmp

Filesize
228KB

Download
memory/2968-0-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2968-12-0x0000000074950000-0x0000000074989000-memory.dmp

Filesize
228KB

Download
memory/2968-11-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2968-3-0x0000000074950000-0x0000000074989000-memory.dmp

Filesize
228KB

Download
memory/2968-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download