c9b7b6b2aa03cfd41164df798f6481eb81fc7260635e7bcc5b7cfc3409660e76

Analysis

max time kernel
89s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rcsetup153.exe
Size

11.3MB
MD5

90e8564308043d11b65215dcedcdb4c0
SHA1

56f6ac4fda81334483b878cbb5c606312ad783ca
SHA256

c9b7b6b2aa03cfd41164df798f6481eb81fc7260635e7bcc5b7cfc3409660e76
SHA512

0f44dd5abfe7d79fd03f2b9a4ec0970a4b488c1a3e3bf5fabdea88bd61a5a81143f51dc316828ec80feed66e74ba69157294697e473c0f77030d757caa87ffb9
SSDEEP

196608:rEpX2/5WWnKf7YrfS2VwY6Inliwuu02znPyCC4VSC+xShskxOfLWdDSAj2VGHfN:rfWWWYzlwYXS2zP44QxwEfLGSAaVSfN

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rcsetup153.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	rcsetup153.exe

Executes dropped EXE 2 IoCs

Processes:

recuva64.exerecuva64.exe

pid process

2168 recuva64.exe
4348 recuva64.exe

pid	process
2168	recuva64.exe
4348	recuva64.exe

Loads dropped DLL 19 IoCs

Processes:

rcsetup153.exeregsvr32.exeregsvr32.exe

pid	process
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4816	regsvr32.exe
3224	regsvr32.exe
4120	rcsetup153.exe
4120	rcsetup153.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

recuva64.exe

description ioc process

File opened (read-only) \??\D: recuva64.exe
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

rcsetup153.exerecuva64.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rcsetup153.exe
File opened for modification \??\PhysicalDrive0 recuva64.exe

description	ioc	process
File opened (read-only)	\??\D:	recuva64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rcsetup153.exe
File opened for modification	\??\PhysicalDrive0	recuva64.exe

Drops file in Program Files directory 50 IoCs

Processes:

rcsetup153.exerecuva64.exe

description	ioc	process
File created	C:\Program Files\Recuva\Lang\lang-1034.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1028.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1025.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1063.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1051.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-5146.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1067.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1049.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1029.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1032.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1062.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1054.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\recuva64.exe	rcsetup153.exe
File created	C:\Program Files\Recuva\RecuvaShell64.dll.new	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-2074.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1026.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1057.dll	rcsetup153.exe
File opened for modification	C:\Program Files\Recuva\RecuvaShell64.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1036.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-2052.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1048.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1058.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1061.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-9999.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\uninst.exe	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1045.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1035.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1046.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-3098.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\recuva.exe	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1031.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1041.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1030.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1037.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1060.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1053.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1040.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1043.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1038.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1027.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1066.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1079.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1059.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1044.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1055.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1052.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1071.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1050.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\Lang\lang-1068.dll	rcsetup153.exe
File created	C:\Program Files\Recuva\SomeRandomTmpFile748329742893.tmp	recuva64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

recuva64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	recuva64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	recuva64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	recuva64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	recuva64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

rcsetup153.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\Recuva	rcsetup153.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\Recuva\Language = "1033"	rcsetup153.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva\Language = "1033"	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-19	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\Recuva	rcsetup153.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\Recuva\Language = "1033"	rcsetup153.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-20	rcsetup153.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva	rcsetup153.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform	rcsetup153.exe
Key created	\REGISTRY\USER\.DEFAULT	rcsetup153.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	rcsetup153.exe

Modifies registry class 28 IoCs

Processes:

regsvr32.exercsetup153.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Software\Piriform	rcsetup153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL\AppID = "{80109467-DE5A-42A1-9445-7E3952C80B6E}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Software	rcsetup153.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RecuvaShellExt	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Software\Piriform\Recuva\Language = "1033"	rcsetup153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E}\ = "RecuvaShell"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR\ = "C:\\Program Files\\Recuva"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\ = "RecuvaShell 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\ = "RecuvaShellExt Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Software\Piriform\Recuva	rcsetup153.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

recuva64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	recuva64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	recuva64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	recuva64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	recuva64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	recuva64.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

rcsetup153.exemsedge.exemsedge.exe

pid	process
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4120	rcsetup153.exe
4636	msedge.exe
4636	msedge.exe
1224	msedge.exe
1224	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1224 msedge.exe
1224 msedge.exe
1224 msedge.exe

pid	process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

rcsetup153.exerecuva64.exevssvc.exe

description	pid	process
Token: SeRestorePrivilege	4120	rcsetup153.exe
Token: SeRestorePrivilege	2168	recuva64.exe
Token: SeBackupPrivilege	2168	recuva64.exe
Token: SeRestorePrivilege	2168	recuva64.exe
Token: SeBackupPrivilege	2168	recuva64.exe
Token: SeRestorePrivilege	2168	recuva64.exe
Token: SeBackupPrivilege	2168	recuva64.exe
Token: SeRestorePrivilege	2168	recuva64.exe
Token: SeBackupPrivilege	2168	recuva64.exe
Token: SeRestorePrivilege	2168	recuva64.exe
Token: SeBackupPrivilege	2168	recuva64.exe
Token: SeRestorePrivilege	2168	recuva64.exe
Token: SeBackupPrivilege	2168	recuva64.exe
Token: SeRestorePrivilege	2168	recuva64.exe
Token: SeBackupPrivilege	2168	recuva64.exe
Token: SeRestorePrivilege	2168	recuva64.exe
Token: SeBackupPrivilege	2168	recuva64.exe
Token: SeBackupPrivilege	4728	vssvc.exe
Token: SeRestorePrivilege	4728	vssvc.exe
Token: SeAuditPrivilege	4728	vssvc.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msedge.exerecuva64.exe

pid process

1224 msedge.exe
1224 msedge.exe
1224 msedge.exe
1224 msedge.exe
4348 recuva64.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

rcsetup153.exerecuva64.exe

pid process

4120 rcsetup153.exe
4120 rcsetup153.exe
4120 rcsetup153.exe
4120 rcsetup153.exe
4348 recuva64.exe
4348 recuva64.exe

pid	process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
4348	recuva64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rcsetup153.exeregsvr32.exemsedge.exe

description	pid	process	target process
PID 4120 wrote to memory of 4816	4120	rcsetup153.exe	regsvr32.exe
PID 4120 wrote to memory of 4816	4120	rcsetup153.exe	regsvr32.exe
PID 4120 wrote to memory of 4816	4120	rcsetup153.exe	regsvr32.exe
PID 4816 wrote to memory of 3224	4816	regsvr32.exe	regsvr32.exe
PID 4816 wrote to memory of 3224	4816	regsvr32.exe	regsvr32.exe
PID 4120 wrote to memory of 2168	4120	rcsetup153.exe	recuva64.exe
PID 4120 wrote to memory of 2168	4120	rcsetup153.exe	recuva64.exe
PID 4120 wrote to memory of 1224	4120	rcsetup153.exe	msedge.exe
PID 4120 wrote to memory of 1224	4120	rcsetup153.exe	msedge.exe
PID 1224 wrote to memory of 3028	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3028	1224	msedge.exe	msedge.exe
PID 4120 wrote to memory of 4348	4120	rcsetup153.exe	recuva64.exe
PID 4120 wrote to memory of 4348	4120	rcsetup153.exe	recuva64.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 3964	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 4636	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 4636	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 1892	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 1892	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 1892	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 1892	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 1892	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 1892	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 1892	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 1892	1224	msedge.exe	msedge.exe
PID 1224 wrote to memory of 1892	1224	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe
"C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\system32\regsvr32.exe
/I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3224

C:\Program Files\Recuva\recuva64.exe
"C:\Program Files\Recuva\recuva64.exe" /installationComplete "bin|folders|allusers"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=2&v=1.53.2083&l=1033&b=1&a=0
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9b97546f8,0x7ff9b9754708,0x7ff9b9754718
3⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12065536712573860195,6254792054321743328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
3⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,12065536712573860195,6254792054321743328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,12065536712573860195,6254792054321743328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
3⤵
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12065536712573860195,6254792054321743328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
3⤵
PID:2700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12065536712573860195,6254792054321743328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
3⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12065536712573860195,6254792054321743328,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
3⤵
PID:3248

C:\Program Files\Recuva\recuva64.exe
"C:\Program Files\Recuva\recuva64.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Recuva\RecuvaShell64.dll
Filesize
351KB

MD5
e2f0dbd601ca28818b1ba2d69f6a0268

SHA1
4d06d01fd00c3866c0cdfd6cfbcaccca849454cf

SHA256
eefd30c828bbe1948cf4fc8371889936ff7638df3041aa8fb29b18cace84ed58

SHA512
bb5b13d48f19be60f30732e93f8ca66b092c6a89a466e86bcb92e64c48abb158929f224afff413d104c440021331ade960d079b44799b4ae4b38f3507be9b4ca

Download Submit
C:\Program Files\Recuva\RecuvaShell64.dll
Filesize
351KB

MD5
e2f0dbd601ca28818b1ba2d69f6a0268

SHA1
4d06d01fd00c3866c0cdfd6cfbcaccca849454cf

SHA256
eefd30c828bbe1948cf4fc8371889936ff7638df3041aa8fb29b18cace84ed58

SHA512
bb5b13d48f19be60f30732e93f8ca66b092c6a89a466e86bcb92e64c48abb158929f224afff413d104c440021331ade960d079b44799b4ae4b38f3507be9b4ca

Download Submit
C:\Program Files\Recuva\RecuvaShell64.dll
Filesize
351KB

MD5
e2f0dbd601ca28818b1ba2d69f6a0268

SHA1
4d06d01fd00c3866c0cdfd6cfbcaccca849454cf

SHA256
eefd30c828bbe1948cf4fc8371889936ff7638df3041aa8fb29b18cace84ed58

SHA512
bb5b13d48f19be60f30732e93f8ca66b092c6a89a466e86bcb92e64c48abb158929f224afff413d104c440021331ade960d079b44799b4ae4b38f3507be9b4ca

Download Submit
C:\Program Files\Recuva\lang\lang-1025.dll
Filesize
43KB

MD5
09ab3d5c272b1c3e34726252aac0aa00

SHA1
d7af58974a59d79e0dbed8183082d68bd8fa676f

SHA256
7db1b35b6febe6acc6c37c98b127fe53163092111844e13ff05d0d09ce2c139a

SHA512
405baa702532a7c355faba5220f9d758003407e63f318d6298bb6c037753797667f95957aa3824c2dede75bfdfce05d8e1909e6be83f34f879239e3e3a13dede

Download Submit
C:\Program Files\Recuva\lang\lang-1026.dll
Filesize
45KB

MD5
eaf2d3ce4b5aacf072707dfab5e26f17

SHA1
7dbc64b1e261eb5c65f5becbf68f27fe4b985275

SHA256
d2999bb838e442ca0a34619d811fd64529602b4c19fc8bf2dd29f3579a19d717

SHA512
67bddd73930a2ab060b478b82229e393f2ae2b3c69fe347a17c3779a4a4c039316b6ecd2ea7c605d419ec40ac56f7d611084fa715d631ee019715018f708f313

Download Submit
C:\Program Files\Recuva\lang\lang-1027.dll
Filesize
50KB

MD5
95ebf12104b8168fe449c935a81d37d4

SHA1
b9999b55cdd950ecb4aac4a9b2aaa4fb0451b322

SHA256
f272553cd68979f241184b9885dde0ecd0641bec119b70238a0ab0fb5df7a8c0

SHA512
6e0b87c3babf74409339feb1aa48e4d08d08dcb9fa4fdc39c4a7ceeb6afebc0cf4f3117c9e2a2b5ca1c195823a2316f57c822a223ed0da8e5625099dcdc2faae

Download Submit
C:\Program Files\Recuva\lang\lang-1028.dll
Filesize
26KB

MD5
1c5beb94194a3d6a232b164aaa60538b

SHA1
1bf993ebadd3659049bd46fd1af57a7ae0914b24

SHA256
14155fb1296a0023737005ffeabcee8ac1af0f7933a1e6cc0eeb75b2a5d26978

SHA512
79a5e1d39a9f44684188e16eb6fdd578e87fb83a43f70bbdbda1641c9865563d3c17aab945a8423fbf1812792c87bf8f5269f9212ee5c3f8ac1ae3020eadca29

Download Submit
C:\Program Files\Recuva\lang\lang-1029.dll
Filesize
45KB

MD5
7f1caf8c28b06adf5d11fa1e86350f5b

SHA1
fb0f005eb0f246adec2eb1077dc9a96c36ae78f1

SHA256
bcdf4079402621e16a495d5702199e9ee8210ae3cc91ec07a551d439ae72ddef

SHA512
6c60e19913363b1e2a098c9d3489102c64fe3f5b22cf1c8e800b972d30ab1796c3f04b721c75f684ad90c6cbefef7822a608d0d8a8744853d501a8f6e92b8046

Download Submit
C:\Program Files\Recuva\lang\lang-1030.dll
Filesize
45KB

MD5
391f6f821b42f7704cd14a9fed60b425

SHA1
13a08d7f7330ce1c6c31b74eef105d94ce748969

SHA256
ec7baed5fdde3bd531cc4aa3b5ab9a64d4cf673eb95bfbbf77e72ef535193549

SHA512
530a66655ddfb8c11380a18033fce7d86db4507ae602bd0cbcdbb776d47945ea27db27a1a8364098ef0eb3cf326ddfa04ffdd53c6a6af664196ab29107645e4c

Download Submit
C:\Program Files\Recuva\lang\lang-1031.dll
Filesize
48KB

MD5
69aa97c9ca93a876ce7bf9b00b01ba7b

SHA1
f42f111afaa0c63043ab1c9f154409466b6060e4

SHA256
80053c4652f079f5512ceb77cde17a72a07751ea789dc946e3c8841ab9a582cd

SHA512
adf619f5b0ea3c32f8135392feec0bfafa07aa5dd33ea828550d5fff71abde80523e4943342a86d1e67a064b2d407b014b0b5a7ff8716eea6952f04008a215e6

Download Submit
C:\Program Files\Recuva\lang\lang-1032.dll
Filesize
51KB

MD5
6159a67b72ed230709441f601bf576ac

SHA1
b70af5bc0ce6aafacc641dc62fe313d21f52ea2b

SHA256
01ae5d89c2db1443d49a18608d5ee7fdde5c6383d32ff9c347e543073581385a

SHA512
0bb0986b589be5393e2d2b9d0921024c0c895aa9950e8adc3842a217c26700b105ff8c1960f12050df2afde7108b41073db62ada0a71f149cdba5c006ba476dc

Download Submit
C:\Program Files\Recuva\lang\lang-1034.dll
Filesize
51KB

MD5
d82d08d87a1cf7bd51e8e44d8b438de4

SHA1
f9935326438d79706e5b6fa52703c2933a3c9505

SHA256
7c4f7f0e0a6e003ec667ed681573c3a471ca787f72bcfb52fe5b583b712b6023

SHA512
651b969061c7027698f65aa6a7edc404dc4783093f1ddf8238e1e30e4e5ddc665b581eb1d7d030db38a9bc08624ef6bf31e06aaabf3e45692d894bc8dde3c808

Download Submit
C:\Program Files\Recuva\lang\lang-1035.dll
Filesize
47KB

MD5
9ce51a54f147f717ea9ad8fc61a69993

SHA1
9dbd2a92d59fb23d0373ef9e64e1b3acd18547fa

SHA256
7b2b5464bb580541dd1801d1a39f2e0031015c0c9421215e4a1107d695b7f9dc

SHA512
369835b2f2d019809774dc38e601f5e9dceb9c4cf63e707a9a728b63771a5eaa45fe553f4d8ff1bf683075e96f660c5e5efabb75e212abaf6e5d5dde53030fd5

Download Submit
C:\Program Files\Recuva\lang\lang-1036.dll
Filesize
51KB

MD5
c51cbe724edfee2a904767a51bc92602

SHA1
4976364b4acb95bc9e4b1170bc4acabaa79808a8

SHA256
26bbb1dc1e2e53177fb13f5cf5fa8c2b2a28bac07dbf49e0cb12350e7e592a46

SHA512
a9050572bf8103953f7ebb04857113f0fb6861124a7fd5c00696df7dabafad3ecd7e875c3f386e115f0fae2a93347cdf124e57f663679b2057fad9b405e97361

Download Submit
C:\Program Files\Recuva\lang\lang-1037.dll
Filesize
39KB

MD5
751a9edaddbdcef72e630ecf405748d4

SHA1
ad64b8385eac4b609c2411b2edc62cc37382845e

SHA256
36cd7755ce3ad555fe7200641b9cebd70001039c2918fcf2d6209d162c8c332c

SHA512
31ce437fcbe08bef412707206542eae23719edcb17b07fc68262c9094d690d74b5896bcff94d4423a1cf370b964b6a00ef2c82ba088fba43b0e98b55375e1a02

Download Submit
C:\Program Files\Recuva\lang\lang-1038.dll
Filesize
49KB

MD5
c7839ac60acb518dfba5cca36c1ee1fa

SHA1
35348b7986110c037d7a32feb02ee379576c269c

SHA256
a6064f6008461c02153f0e602ce5ca0c14ad780ab745f6d765b974e71d22d181

SHA512
40000a08f4ff26c178a3ee83b87a3b6251d57f5a3597e34e6bcd468aadfaa5e03c7c8c8f60b3db3241759cd52f6c21f3bfdbc5d3d032122eca6f55fc7aecf3f7

Download Submit
C:\Program Files\Recuva\lang\lang-1040.dll
Filesize
49KB

MD5
12011869e5e4ae071852ceb77caebe8a

SHA1
cc4c5ffc4db6fceb3e3a57ae96d6d098f033c74f

SHA256
2d5206e56796b7a5f7f3ab5ffd8c65176860cf707e18c957590dbaf53564b11f

SHA512
5201909937ee1dd56ee880987c7f0c5c87feb107d85b13d87fd9e98cbbab2e833a59fd6786acfc45459cf1ea13bfc9ff7170c94ada957254ca877fe4e9b6a022

Download Submit
C:\Program Files\Recuva\lang\lang-1041.dll
Filesize
31KB

MD5
ce2e97db024dcccd793defb25d4c8848

SHA1
88d5f7a813c620c8df54e3ef39135a298ba843ac

SHA256
c366a4f163213092c40ee6c83c1f22119382a578a1d95b4f35b780baf8c3dd8c

SHA512
6ea189d3888537920ab86aca9c31c87e8b70c1871463991dcdfbadf9a390260c99dd08da8acbf37ea98bffe9ab0388f64afc88b322a4fe50864dc93bd1bea014

Download Submit
C:\Program Files\Recuva\lang\lang-1043.dll
Filesize
51KB

MD5
22115338dc23301dfe003af2ac45d586

SHA1
b56a3545daa0a6a005bb4aaa9467ec9c6b9e3715

SHA256
83d1e8f8f62bf7df240731c03e27afae79cdbcf49b5509c732ba82d4086a7f3f

SHA512
3ae9decf8f79714f2b03a88ce09182446253bd61c0dcf556e919408771df374fc57497576933ee3bc887f43073c176a3e65f8394a518edf1334b7b20f3170747

Download Submit
C:\Program Files\Recuva\lang\lang-1044.dll
Filesize
45KB

MD5
562f2cf6d15f9a15830ad9a7b3112631

SHA1
2084966ad004ba90aab1b5023669462d9e4c6065

SHA256
ae6fb2fa374e496214f85806207b57abe418963701fa2aed37424ef062e723b2

SHA512
42f3ebe47b3ddfd99a16f0dec832844a17da96dbf13e5e27cefe1a0a83f9a0da1358deddacfb1e5a232aa91b629eb4d10d80f2dec91586a468f42a791c069c53

Download Submit
C:\Program Files\Recuva\lang\lang-1045.dll
Filesize
48KB

MD5
f5355563258e089e4fa63edc28f406ef

SHA1
01364ed0dfac3d95e55bdc657e7b9c6136440b10

SHA256
417d609be4fef9dff24cd10aad131051ea72c8dbdfeb9de5a4d7dc08e7d6fc04

SHA512
7ec20992ff5b8c73b669ab9211679366dc0601ea5556e03dfed9957f15e30bd30f3230a32eb04350d52e3067532e36693263e876111f199b51d37cdd93b8f6cc

Download Submit
C:\Program Files\Recuva\lang\lang-1046.dll
Filesize
47KB

MD5
399e14c5fbfb34d38c628b6f62489357

SHA1
072a15d2019119d6384fa3315a2801cd7e964b2b

SHA256
23fdbf0067efb6a3499c9fc1b46b7cefb5a79091ec53c467c129c5cf3e791d8d

SHA512
740be2c3192106908723e8aa9007fddd39abe5a82f8662f452a9ba6ca3d8cb07ec82ad8bc5c4549fbf33b6a3d8db5a5dc2d0c3673fbb87d295957041e89d970b

Download Submit
C:\Program Files\Recuva\lang\lang-1048.dll
Filesize
45KB

MD5
90f43ec553b0651382bc57971e07a09b

SHA1
7239c324c7eab52a67944071e996619bf9fcf857

SHA256
0c395ffaa27215b5d81b9d36df54e520909dc55935919c2572881de14860cb61

SHA512
ac64c25c48cd0b7cf6bf77f74c4d6411e9a18c05b8938eb90fa0f7137f89dcc7a70e2580eb867e28db7b4a97d58ee599a06464ab18c70fafceebb2c371631ec3

Download Submit
C:\Program Files\Recuva\lang\lang-1049.dll
Filesize
44KB

MD5
98a5ddb69bc7563a748dfe5455cfbe02

SHA1
36bc9193908b1ecd8e3ea96f406669022561e57a

SHA256
aeb0a885c8f65e53aa5dea19119a02e6affa8e55881a92fc292c4550c25c4d77

SHA512
0d877ed1812a915a1201fe42404644fdf33e14e35c9e4e7b1a6cb064b03ca3826d289fcfe5ff89d50ae45941cf707ba0a508b103cca5e9520d658804197d2449

Download Submit
C:\Program Files\Recuva\lang\lang-1050.dll
Filesize
49KB

MD5
1efee3cddde6f0209ad99161958f8ca9

SHA1
8afcf83a1ed73f7dc746213a2af5978a8b2e738d

SHA256
d88addec337c636166d4ec46fec41e23662d56b23fa3c30241109f0d6c508799

SHA512
7ef93745e8697030e7511ff61b1beeaae8069482116fc93d2cdbee238af42e702dc1a6382765a41d4b9f71232be5c81433113bacc88c08d2983a26659937e7e5

Download Submit
C:\Program Files\Recuva\lang\lang-1051.dll
Filesize
44KB

MD5
213321eb50c6439d62cabbae6cac1ebf

SHA1
ca691b979870acb44b7e98c10f644710aa39e947

SHA256
6ef20f5065718d0a614ed0a87062c1800ca72b06c97d36a3d845f60d989f046b

SHA512
590dd853972b3ce283d53d8fad118241194000cc5a08a1d6b4ef6d43a4f5e34f9208d1e50e52b90ec771d6bb7eb5b55bf772fa8493df2c0bbf0031ff38fa5616

Download Submit
C:\Program Files\Recuva\lang\lang-1052.dll
Filesize
46KB

MD5
4aaa19c1bed12be29a2441325cec1230

SHA1
af6e4a627f89d34f5434884165c89286a58fdc36

SHA256
48232a0de1cc476bbbb6dcd258aabcf8dc41ee6707c91028b085b694e5c02783

SHA512
15bb1e65107dbb557739ad12aa4d0a8e36d508321388513c96785f2554d948d494a79827ba3fbb4a1fd7f570653583618b7beb7af24ef949de33c41c881a105f

Download Submit
C:\Program Files\Recuva\lang\lang-1053.dll
Filesize
46KB

MD5
30a47809ee8280eca65d9ce906a32b60

SHA1
28a717d4f80f302d661704437a1f19679efc1014

SHA256
52ec0c6f08e2d6c1b9747ef24823a23782b9625e39082fa0bbf2932b4a9d6b4d

SHA512
57eb4e5b75b988629f9af05312a9fe534f6c261ee1bd74e3f56224e4c41978c0073dffb111593532d202234483bd8ebe2e9f60ddcf3878a66bbc42a59f4f8393

Download Submit
C:\Program Files\Recuva\lang\lang-1054.dll
Filesize
43KB

MD5
88856a1ec2ece4eaea8c405ea5da673c

SHA1
ffbdeb59bbdb00bc04c9fac06ef9fb93787213fd

SHA256
387c7aae9a7c7338313aac3bda930d897da87b2a82f90c6baf9d11ac549bcbdc

SHA512
a7adb84ee624f3155369af243702be56246df3fed25e63ec92c4d10140b740feb815f672f517bb3f8a2f8cf59cca296475a7fa2094c5aee4fc25f3dc0ec93e64

Download Submit
C:\Program Files\Recuva\lang\lang-1055.dll
Filesize
44KB

MD5
03f444b1a82a34afc1e494d4672fc27a

SHA1
4b3c9d9fcc960e91cd93012623966a383bdc70ce

SHA256
bd6bb09d9a5190268f1af23b9aa70d47c4049272b7eb7659382cc3bf6fa071db

SHA512
8465b29891dc2bf863ef1c08b8a33ef3ac8c49eeda3f081e6969722610d7be977f138ca830626cc017ee348e826528e4760604462c12150876e92af15e0c9cc1

Download Submit
C:\Program Files\Recuva\lang\lang-1057.dll
Filesize
47KB

MD5
d5eb12996e948790ef64d02ddeeeee4f

SHA1
d2a4c3b5bb94e1b06c117ede3c4c5f2496514e67

SHA256
c8705b828d7dde9ea2323d794d619c47d3d4c7f8bec1e33cf7d7e2ab34108912

SHA512
a5a4b5a29fd5a992236770d4f49378488cf21ba283610d8105cbfec8d7e44f29bce7645f5219d714e311728370330b575e5aa8c1d41dcc26c30b76410858dd31

Download Submit
C:\Program Files\Recuva\lang\lang-1058.dll
Filesize
45KB

MD5
dc8363eb2e72506bcd356665cb3a7272

SHA1
1ab82859dd01cf9cd1c610a08233e8d1a62a5873

SHA256
96b0ced959bcba557c080efe27bcea1e89f7d33aae0fc03d775e9a411c406c21

SHA512
4460faf017a882f696fd2d95e7689fbf576ba057c1bcede34cfa3bbe53043252b1378f073e9d3887dbcd529da98b98c982a3e48ba4945dd4a840973b4e6e549b

Download Submit
C:\Program Files\Recuva\lang\lang-1059.dll
Filesize
46KB

MD5
496e6f7e68aa51f34e1463bcb65f74f0

SHA1
a403e62eaba19ad345d08047b00642876e43d3cc

SHA256
09edc6c3460f0394af2d4bc46362d77de58d37a0ff22916e577d72d0e45e8e4c

SHA512
88231d0ce69093d5a9e4131ed7954af33b0ddf5bc4588ae8aa587eb1a989b9550ef7f75fb49946ac618fe47df7586652e818f726b77cf4de089424e1b8673a95

Download Submit
C:\Program Files\Recuva\lang\lang-1060.dll
Filesize
47KB

MD5
4cf9e3e2cee317f1882294b7258e5ee2

SHA1
b32df40532b3d837373d1d634ca06108653ff089

SHA256
d518e5aeecbaa3c881bfbf019a62b4859b17496617cba94c7acf54ce803dbd0a

SHA512
cf75f9ee174d2a6780e4bcc220cc76e7a61d6436f333588796105b9501aa129ba69905d4fda5a0d8f1621b5c28b90ef0c9984ec81be29b377a33f782a671b06a

Download Submit
C:\Program Files\Recuva\lang\lang-1061.dll
Filesize
45KB

MD5
9032f538fcb058974546fbb85ba59058

SHA1
26605ee67fe042bba1e2931b523ede0dc761511e

SHA256
234a6db540db1848944d723ed7a67c7a940b71f8cc4458b6a524756b187fc42a

SHA512
ec1612695cb317345931af2a78b7a8215d1f40d37b54f8980eead540085d68958a84ade88ee9558166ce31fb7963d552c53dcd35615d67e92da222b705b30e88

Download Submit
C:\Program Files\Recuva\lang\lang-1062.dll
Filesize
47KB

MD5
1f46a3148ac60b46074d540a96253fbc

SHA1
dd0e782661c4bd6d5f6bc3f740ab706bbd516a3b

SHA256
9f75b93ed0825bd3a8b0d4b018aa40056528237277681f14227b8e50613ee0cb

SHA512
d253117e6fbeda7e048afb858d298170b12e1f56f606e663a3960ffdb38e4bf794caa8e81d81dca59ad97f846d4889c2e204a7062e8958d845860f89ed4a17d2

Download Submit
C:\Program Files\Recuva\lang\lang-1063.dll
Filesize
47KB

MD5
1181d1db4718742985ea81febcbda4b8

SHA1
56e28758390b3abfd86d45a2a75a9ae09ba1c75c

SHA256
a175484bfc9c7944a4299623a38965ea7cd5eece44998001b4ca73d4c67459ba

SHA512
b77951874d0aa18c4544636598f19a86bfccb9d8cc58753a188854771ea4f5351355fb6cf71544bac29208907aa5396f0e1b5af7ed302d3db6933c1ea645c6b0

Download Submit
C:\Program Files\Recuva\lang\lang-1066.dll
Filesize
45KB

MD5
740e75e8ca4569dfea3bebead0110da4

SHA1
b5b998f59d47e91cb42d62f2215bfaa51f533263

SHA256
9cd110ae75d10508ed7d994e0d517069602d60d5407b37dd9e01b1ea8e3ab56d

SHA512
bb5ad285a7fcc502fe44f5bc59c763f6b44974e10d71fc59550258f7f162d90663a565b02dee29a3759e302e8b2f6f95a14adbd23c9e1dc27aaa6f78adac850d

Download Submit
C:\Program Files\Recuva\lang\lang-1067.dll
Filesize
44KB

MD5
e90c60b28b318b80fdf790934807d694

SHA1
534033be10da65b9baa0309ff318ce6964688d95

SHA256
f29c180e10221da71ac24b675e971fd3474b454029751a5cdc93f7b6186a939f

SHA512
24f11959d009f6a7c85b36b64f3ef41026c8d368889bc88e8c7c6bd87b0779288c614d62c56e33176cf78e3ea23a54417d4d437d869f780e44e96881afefd0a7

Download Submit
C:\Program Files\Recuva\lang\lang-1068.dll
Filesize
45KB

MD5
fdd121c00d46cf347613a1533d4c0b35

SHA1
9ccded93f909890dc33c8accab35edcb96d51310

SHA256
b2e78dd7ea53edfb602d4e6c843af474cff2cf7791d9f7983c1100bc447d514c

SHA512
e4624f6fa63179af962bf96bf3247f1036e6d2ae19117b0a01cd0eaf403ceb4163d07089f7bb1eee34aafe9572dbf58c404b12198d480f8efa7827c659d398ac

Download Submit
C:\Program Files\Recuva\lang\lang-1071.dll
Filesize
49KB

MD5
29cecf05cc41d116d01aa98147aa714a

SHA1
8147ee2f53b4c5a3967876a9500b0200d2a871cc

SHA256
520e8f4c1a138619612b4bbacd65538cde8b6099a606d1eb409827664a0477e9

SHA512
dc8f22036c33ede81fbd991936ee881d3da51fa41bc7eec964f41770f86e8cac677974a9e2defe6987217b218c374a72dc285dedfa901a5ec98b71c9b505f7b4

Download Submit
C:\Program Files\Recuva\lang\lang-1079.dll
Filesize
46KB

MD5
e39ef20a3f9dcdf9a87bba02fe7217c4

SHA1
257b5d7b3c72e4c616464542cfbdabecca89a356

SHA256
dab0bc5f85f7a6d4c71aced56d1d7014a7185cb0329a8fc52452d9a9add67d21

SHA512
48046cb3560e23388a4ab249691b1d2d2647460f2b8f257b89448ee9aefd4cf93b0b7731fa0bba299f4f43985a56bb70a50d971834e079e02ed8ec12bd0967a0

Download Submit
C:\Program Files\Recuva\lang\lang-2052.dll
Filesize
25KB

MD5
082b024457caf398e93f8ceea8b2b05f

SHA1
25719da050765cfb77ec409ebcb4fac71efd802d

SHA256
895abf9462d581903dad54842a99123ffda52c3cc3bf6271809e117f17583daf

SHA512
90488a1fb85f99ad8430b083516691aff356aa17a9b1122607d098e8ebcd21823b6a8ce44fb7b0e646d72e7797f976061e40d3f7eb17def124b0159cdc237f1a

Download Submit
C:\Program Files\Recuva\lang\lang-2074.dll
Filesize
47KB

MD5
1ef677941856a6cc87c42e5c54ae4e47

SHA1
eaf5a9a80505ace0c7e6cd2369437bf299e6b3de

SHA256
79ae97fa23b56a25ed2893a0e105a219754f1c5afa63779d525fbbc75ff49db4

SHA512
7b42b12e090c705a71e71b1a4f6b5019dc5c85b488cf023b6a4ee443246fb1ca6c74ed6515d0a517b3b4a041bd870cee45c0f8fea5911177e98f80c22a60353c

Download Submit
C:\Program Files\Recuva\lang\lang-3098.dll
Filesize
47KB

MD5
f7ac0b30ef034606286998d71abe9bbb

SHA1
5a09e1cc4b83fcdca10e11c41c7c4044e909f480

SHA256
42c5cb240fc3f41c1b89100a23ca395691ae248fab8a2eb293b11a2ea2465901

SHA512
5d22242e4adb09085477d96cd7abdeabc214407742a4c0e3ce1d4eb11ea173fbe6b0fd6771f01d66d707f4232bc5a7916af4c98b394044d4cdb9cb277c4038fd

Download Submit
C:\Program Files\Recuva\lang\lang-5146.dll
Filesize
45KB

MD5
2427c0f79874211461c31c5ef5d37f71

SHA1
7e109eac11e41973367f50d7fd3153c75918334f

SHA256
3ae042317e7b1b666a9fce06a98a6972dc2a249cf9c9e73345403e72e1485e57

SHA512
ae9736dea19d26f26e994cc254cf569e4726d271570c0f2a7bb0a41130a855a516d803e7348ef30353d78fc21db4b0c722ba3696a18756ecf55db6ef7fd46b28

Download Submit
C:\Program Files\Recuva\lang\lang-9999.dll
Filesize
46KB

MD5
eb3b78a336ddb4c9b5cc242ad26d5859

SHA1
0dc67d5df4ccdf3cca25bb462e354a99b585eb7a

SHA256
1a633fbed97c028611b709a19fef76d4e639e72a5d09276e9fd930aaaa0e99d2

SHA512
5def2c95dbd7a716d30e95ef1fd46e48c48266387e1c0337eac4c80976216965d614155ba080ac7e677b603dbcf059f4db08ed05f8444c37576bc25e590fc99a

Download Submit
C:\Program Files\Recuva\recuva64.exe
Filesize
7.8MB

MD5
fbc238fa96aae3fe3b9755a0f0e4e6ec

SHA1
f5dd1f3bf812622bf75961e3d1125d032fa0e3cf

SHA256
1fd90402820539b60da545a75e5e216c779b342d15d05b70e97432ddd20ecfc0

SHA512
ce2490221ed8dd15991cc815327724965159a12c53a7c18e35277c987b28f3dcf5c694e77ad01fbe637ad7214964116302adb7f678afaddb4b1e6ea89aa77b4d

Download Submit
C:\Program Files\Recuva\recuva64.exe
Filesize
7.8MB

MD5
fbc238fa96aae3fe3b9755a0f0e4e6ec

SHA1
f5dd1f3bf812622bf75961e3d1125d032fa0e3cf

SHA256
1fd90402820539b60da545a75e5e216c779b342d15d05b70e97432ddd20ecfc0

SHA512
ce2490221ed8dd15991cc815327724965159a12c53a7c18e35277c987b28f3dcf5c694e77ad01fbe637ad7214964116302adb7f678afaddb4b1e6ea89aa77b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
384B

MD5
2fbd44b6332582a4915b3a7c2db5f305

SHA1
2942f86e01f336ade0363a489943bc8945dae43e

SHA256
19d9ac5addced681e7382df41ce6ab38037a04b8d1213f21c74d1dfcec2807cb

SHA512
9d5978bf66002d7ce0725353acf398505bb9de3046bdad700d9c4f69a091402aa5672b9441e0b95ca2a6f69aa13feeb0532dc38a67b6314f32ac00c5a1e0bf7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
8f6a1f08f8eb58b20e30163d605b85ab

SHA1
02d555bdf03ea411a0016cc5158bb7aeb875c405

SHA256
9e7302c1c5d2444a4077f830a6706bf2052b7bff13c4a2799ab8cfec72e4fe78

SHA512
9ab6448b00ff4000ba65f2a4fb96edcb3007833e3e8cf96e149abcf32b5dd88929846e55ea7c043f02c440890dc94e79aa25fa5ecc1f1d7300299cd5ef0d0f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
53f6bcc1422a15d5843938acbf179583

SHA1
1e351a7137f8f576ed566a39de3868f0a7bed1c7

SHA256
328f9c79cbf8aa86b4f6152b540cd6ad4f12de849e162599b8dc37ace9dba148

SHA512
100b3650b268eda4a2d58c9bd0ceaca0a310b320ee0a1a75559ee7c621ad6e4afe10e550e565bcad2c2ae9cbaeaa73f18d5d77c1a571b8f8fe87558c1bad7542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
ee9677da8234732ac148559ccca33e8d

SHA1
2dfff0ea8e16af45c4e73515c64b685a2fb5af35

SHA256
a41cbea665fb70a151ef7c2d28f942946d8f67d5b285815d751477ccb1ac3df6

SHA512
9cc1600cbcf8bf011a090cb0790451fdfa7232673f5cc7e471d38b592cd225c7e5d106da3d47ef91d63afed33a143ab289c3de29c792edc785a8e7be23b8f601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
4a363c5835f31e5b3a244477e07442c0

SHA1
91a2e1e81708934799da6472b0279e8f95b2e89f

SHA256
80425f68e3cf761f795d9cbca66fd1f81e79a48f39e43120ff0b4daddfd5c584

SHA512
b7bdfb5ffd2b7474f3f51a958aea9a6d72365ba9ccc40c067f38cc59a472def443f3c1403d7190b709815700bab21b179c439090b5de7cb23b7a8db83b44aa3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
bc056085e3cadf6fa75de07d11de232c

SHA1
24b0578bfa1b0432f3d5ea96b5e127d1d0733876

SHA256
9b67bad83b502223679b60352b1a5435912135bb39b21430e3048494ad85e092

SHA512
0d7b19e5a92fb2c9ee3ce90d286caa32ea8a6222b72e09e30a1dd899d76abbeaf1878a6db4e6b481b7bf674275bcd70d1f9f6e05c329cc714b884b82df5f16f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000001.dbtmp
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
bae83489616e09d7804fe1c7642b106a

SHA1
fce1c1f5918d0f2fb80136ec983facb28fd65c84

SHA256
78855d589261887de36222c94349ebd4726f211b8569c6bf3bdfc5b2835d3089

SHA512
6e76becbbf820fa056efe6687eb7b366e2303d2f5294fad3007733613a3227dc1fb1219343c7ba75a6915529a987fe0ead8708b3a1dec7019fff116e2a46d235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
ed90dd8b522f38a9929f99b469ee4aa5

SHA1
070b0ae0c45b8d65c344d7ea1a0ca6060b7a7719

SHA256
5935b917df6a2e36011bfe412dbfa660a67087499d2aea4dd0d2f3253fa1840e

SHA512
d6d9362da7abb5bd57e7722a639dc0ff0fbf8b0a71d19a4ee510a2d700b1c8bfba0137d462e8939215caf5ead872811e64288be13be4991b510c2ea114997bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
5c53ba359938487795ed3c2c62382f92

SHA1
c24be545541ef8df100541a2c722e8e1c8e04bc3

SHA256
029eac41d1cd10206f98bb6a4390671ebcd5ce9e229eaab1a047bc2addc8b3b6

SHA512
30c1abfa687cb168b6573b4d429655298b19948d9c417819470f42b34e4ac96f5f28bfc24ba2bba97d94d885d1ac385328bcc69d3c1769832c38551a0e498531

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\ButtonEvent.dll
Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\ButtonEvent.dll
Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\System.dll
Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\System.dll
Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\System.dll
Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\UserInfo.dll
Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\UserInfo.dll
Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\UserInfo.dll
Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\g\gcapi_dll.dll
Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\g\gcapi_dll.dll
Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\g\gcapi_dll.dll
Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\inetc.dll
Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\inetc.dll
Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\inetc.dll
Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\p\InstallerHelper.dll
Filesize
3.0MB

MD5
69fe0f183fa7b8eb6c9a55cb2ff93f7a

SHA1
1f8a64ac55a031a829f1b1b695a6933ce42f7692

SHA256
4ac7b7d19ba91de4aaf02629035a44df5d346f45ec7dcf5ada2bf644265f66a0

SHA512
a153d662fdb74dec9cfed138a590f17403571e3554d99d448c50abdc04f19b2f5d35ac40808012861b2875d93d6a31871ef3efb3465893f77bdd52e66c4b6523

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\p\InstallerHelper.dll
Filesize
3.0MB

MD5
69fe0f183fa7b8eb6c9a55cb2ff93f7a

SHA1
1f8a64ac55a031a829f1b1b695a6933ce42f7692

SHA256
4ac7b7d19ba91de4aaf02629035a44df5d346f45ec7dcf5ada2bf644265f66a0

SHA512
a153d662fdb74dec9cfed138a590f17403571e3554d99d448c50abdc04f19b2f5d35ac40808012861b2875d93d6a31871ef3efb3465893f77bdd52e66c4b6523

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\ui\pfUI.dll
Filesize
13.6MB

MD5
1bfa036321fcb209564549538345a289

SHA1
8ede722a5cc6135847ad5276f30143022fa7bacf

SHA256
547e48f35a1c38362cfa71a3ffe1b81cc8d61eb204157828e2ec58a80f3e4b2e

SHA512
9729cc5ca18dbd58b516169de053d50e0df9288fc2d91cbbbd887573fe006c5f506789f23a09a73dfcf75fa71b9cff88e0f59da550263d877939be8c4f996d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\ui\pfUI.dll
Filesize
13.6MB

MD5
1bfa036321fcb209564549538345a289

SHA1
8ede722a5cc6135847ad5276f30143022fa7bacf

SHA256
547e48f35a1c38362cfa71a3ffe1b81cc8d61eb204157828e2ec58a80f3e4b2e

SHA512
9729cc5ca18dbd58b516169de053d50e0df9288fc2d91cbbbd887573fe006c5f506789f23a09a73dfcf75fa71b9cff88e0f59da550263d877939be8c4f996d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\ui\res\Montserrat-Regular.otf
Filesize
44KB

MD5
27e50ffd6a14cbc8221c9dbd3b5208dc

SHA1
713c997ce002a4d8762c2dcc405213061233e4bc

SHA256
40fc1142200a5c1c18f80b6915257083c528c7f7fd2b00a552aeebc42898d428

SHA512
0a602f88cfba906b41719943465edb09917c447d746bfed5c9ce9c75d077f6aed2f8146697acd74557359f1ae267ca2a8e3a2ca40fb1633bde8e6114261abd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\ui\res\PF_logo.png
Filesize
3KB

MD5
079cca30760cca3c01863b6b96e87848

SHA1
98c2ca01f248bc61817db7e5faea4a3d8310db50

SHA256
8dd37d3721e25c32c5bf878b6dba9e61d04b7ce8aec45bdf703a41bc41802dfa

SHA512
3e25c10e3a5830584c608b9178ab062e93e0e9009a7d897bb5e3561180b0b0910bd4178063d982eb33806a005c93931ae2ec5be520ec0d0c9a7c452cb78fd6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\ui\res\RC_Computer.png
Filesize
82KB

MD5
67f13e50fa75087ef8c2074a52cc8bb1

SHA1
8f31cf48fab91b9e263105289d17c146d088274b

SHA256
044ec2d36e9f573d762fc8a43eb09f7b24eb30094a4e61b5d606fd96f72d391f

SHA512
44ee943ae440d93d7ec78393749667680abbe379f9e21fb10244362c2c3f9df790170c541aa30a8487ef25952068c78e44dacd48def29aa84cee78d1c1ce63ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95EE.tmp\ui\res\Recuva_Logo_72px.png
Filesize
9KB

MD5
6a2e01749e591a1ce8216daed41b8721

SHA1
a4aa31d936a33eb7d58e809b738184f6b2c7e1c2

SHA256
f72782600989eff0aa13ff7c63875538c9042c32b77862475c899514f61c9290

SHA512
262e6b6ed89fa30f954dc73c1bb329d9ea256fefa172e12b23610e7c1ab6dad3b698cbcdc010f8c16e90b0bdd6e96d60e8aba50b876d69f9fb1f2889ac14f0fe

Download Submit
memory/4120-272-0x0000000006FF0000-0x0000000006FF8000-memory.dmp

Filesize
32KB

Download
memory/4120-293-0x0000000007090000-0x0000000007098000-memory.dmp

Filesize
32KB

Download
memory/4120-269-0x0000000007250000-0x0000000007258000-memory.dmp

Filesize
32KB

Download
memory/4120-273-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/4120-275-0x0000000006FF0000-0x0000000006FF8000-memory.dmp

Filesize
32KB

Download
memory/4120-278-0x0000000006FE0000-0x0000000006FE8000-memory.dmp

Filesize
32KB

Download
memory/4120-281-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/4120-271-0x00000000072B0000-0x00000000072B8000-memory.dmp

Filesize
32KB

Download
memory/4120-295-0x00000000070D0000-0x00000000070D8000-memory.dmp

Filesize
32KB

Download
memory/4120-296-0x00000000070D0000-0x00000000070D8000-memory.dmp

Filesize
32KB

Download
memory/4120-299-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/4120-303-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/4120-349-0x00000000071D0000-0x00000000071D8000-memory.dmp

Filesize
32KB

Download
memory/4120-351-0x0000000007250000-0x0000000007258000-memory.dmp

Filesize
32KB

Download
memory/4120-251-0x0000000006200000-0x0000000006210000-memory.dmp

Filesize
64KB

Download
memory/4120-245-0x0000000006060000-0x0000000006070000-memory.dmp

Filesize
64KB

Download