teslacrypt | 1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_9213073f63c1542315acdad27c0b8b78.exe
Size

360KB
MD5

9213073f63c1542315acdad27c0b8b78
SHA1

77b5765cd37ccfb7608611291d66e68b7d68e2dc
SHA256

1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad
SHA512

9ae5d76345825b0cd012d4ce8189a1b6864b3d76be93ae7fad22eb28387097346213d7763a989098ae2dd5a921afd3ab8ef72cc308d4d9bfc8e7e7efa3a92735
SSDEEP

6144:YaaRWvS8RStjunQ/ocbbOeEQZlPX6kKhWbyFqoMU2sEEbsOI/4Yi:YFWvNS8EE4+WOeU22bnI/4Yi

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\_ReCoVeRy_+sefxy.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/291EA866BB823372 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/291EA866BB823372 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/291EA866BB823372 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/291EA866BB823372 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/291EA866BB823372 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/291EA866BB823372 http://yyre45dbvn2nhbefbmh.begumvelic.at/291EA866BB823372 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/291EA866BB823372

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/291EA866BB823372

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/291EA866BB823372

http://yyre45dbvn2nhbefbmh.begumvelic.at/291EA866BB823372

http://xlowfznrg4wf7dli.ONION/291EA866BB823372

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (870) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	VirusShare_9213073f63c1542315acdad27c0b8b78.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	mjftfuvcvcan.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe

Executes dropped EXE 1 IoCs

pid	Process
1516	mjftfuvcvcan.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bkaljly = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\mjftfuvcvcan.exe"	mjftfuvcvcan.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\SmallTile.scale-100.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-30_altform-unplated.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-100.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en-gb\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-200_contrast-black.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-30_altform-unplated.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-200.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp5.scale-125.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-48_altform-unplated.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlInnerCircle.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-200.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-100.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-125.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\BC511AE6-709C-4371-BC56-72ECE237F064\root\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-256_contrast-black.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_contrast-white.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125_contrast-white.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\WideTile.scale-100.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Common Files\System\ado\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\YellowAbstractNote.scale-200.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-100.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-30_altform-unplated.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-256_altform-lightunplated.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\_ReCoVeRy_+sefxy.html	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+sefxy.txt	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-unplated_contrast-black.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailBadge.scale-100.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\_ReCoVeRy_+sefxy.png	mjftfuvcvcan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubGameBar.png	mjftfuvcvcan.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\mjftfuvcvcan.exe	VirusShare_9213073f63c1542315acdad27c0b8b78.exe
File opened for modification	C:\Windows\mjftfuvcvcan.exe	VirusShare_9213073f63c1542315acdad27c0b8b78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	mjftfuvcvcan.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3296	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe
1516	mjftfuvcvcan.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	VirusShare_9213073f63c1542315acdad27c0b8b78.exe
Token: SeDebugPrivilege	1516	mjftfuvcvcan.exe
Token: SeIncreaseQuotaPrivilege	1864	WMIC.exe
Token: SeSecurityPrivilege	1864	WMIC.exe
Token: SeTakeOwnershipPrivilege	1864	WMIC.exe
Token: SeLoadDriverPrivilege	1864	WMIC.exe
Token: SeSystemProfilePrivilege	1864	WMIC.exe
Token: SeSystemtimePrivilege	1864	WMIC.exe
Token: SeProfSingleProcessPrivilege	1864	WMIC.exe
Token: SeIncBasePriorityPrivilege	1864	WMIC.exe
Token: SeCreatePagefilePrivilege	1864	WMIC.exe
Token: SeBackupPrivilege	1864	WMIC.exe
Token: SeRestorePrivilege	1864	WMIC.exe
Token: SeShutdownPrivilege	1864	WMIC.exe
Token: SeDebugPrivilege	1864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1864	WMIC.exe
Token: SeRemoteShutdownPrivilege	1864	WMIC.exe
Token: SeUndockPrivilege	1864	WMIC.exe
Token: SeManageVolumePrivilege	1864	WMIC.exe
Token: 33	1864	WMIC.exe
Token: 34	1864	WMIC.exe
Token: 35	1864	WMIC.exe
Token: 36	1864	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1864	WMIC.exe
Token: SeSecurityPrivilege	1864	WMIC.exe
Token: SeTakeOwnershipPrivilege	1864	WMIC.exe
Token: SeLoadDriverPrivilege	1864	WMIC.exe
Token: SeSystemProfilePrivilege	1864	WMIC.exe
Token: SeSystemtimePrivilege	1864	WMIC.exe
Token: SeProfSingleProcessPrivilege	1864	WMIC.exe
Token: SeIncBasePriorityPrivilege	1864	WMIC.exe
Token: SeCreatePagefilePrivilege	1864	WMIC.exe
Token: SeBackupPrivilege	1864	WMIC.exe
Token: SeRestorePrivilege	1864	WMIC.exe
Token: SeShutdownPrivilege	1864	WMIC.exe
Token: SeDebugPrivilege	1864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1864	WMIC.exe
Token: SeRemoteShutdownPrivilege	1864	WMIC.exe
Token: SeUndockPrivilege	1864	WMIC.exe
Token: SeManageVolumePrivilege	1864	WMIC.exe
Token: 33	1864	WMIC.exe
Token: 34	1864	WMIC.exe
Token: 35	1864	WMIC.exe
Token: 36	1864	WMIC.exe
Token: SeBackupPrivilege	4680	vssvc.exe
Token: SeRestorePrivilege	4680	vssvc.exe
Token: SeAuditPrivilege	4680	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe
Token: SeSecurityPrivilege	2244	WMIC.exe
Token: SeTakeOwnershipPrivilege	2244	WMIC.exe
Token: SeLoadDriverPrivilege	2244	WMIC.exe
Token: SeSystemProfilePrivilege	2244	WMIC.exe
Token: SeSystemtimePrivilege	2244	WMIC.exe
Token: SeProfSingleProcessPrivilege	2244	WMIC.exe
Token: SeIncBasePriorityPrivilege	2244	WMIC.exe
Token: SeCreatePagefilePrivilege	2244	WMIC.exe
Token: SeBackupPrivilege	2244	WMIC.exe
Token: SeRestorePrivilege	2244	WMIC.exe
Token: SeShutdownPrivilege	2244	WMIC.exe
Token: SeDebugPrivilege	2244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2244	WMIC.exe
Token: SeRemoteShutdownPrivilege	2244	WMIC.exe
Token: SeUndockPrivilege	2244	WMIC.exe
Token: SeManageVolumePrivilege	2244	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe
296	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 1516	400	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	36
PID 400 wrote to memory of 1516	400	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	36
PID 400 wrote to memory of 1516	400	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	36
PID 400 wrote to memory of 2180	400	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	38
PID 400 wrote to memory of 2180	400	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	38
PID 400 wrote to memory of 2180	400	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	38
PID 1516 wrote to memory of 1864	1516	mjftfuvcvcan.exe	54
PID 1516 wrote to memory of 1864	1516	mjftfuvcvcan.exe	54
PID 1516 wrote to memory of 3296	1516	mjftfuvcvcan.exe	103
PID 1516 wrote to memory of 3296	1516	mjftfuvcvcan.exe	103
PID 1516 wrote to memory of 3296	1516	mjftfuvcvcan.exe	103
PID 1516 wrote to memory of 296	1516	mjftfuvcvcan.exe	104
PID 1516 wrote to memory of 296	1516	mjftfuvcvcan.exe	104
PID 296 wrote to memory of 1520	296	msedge.exe	105
PID 296 wrote to memory of 1520	296	msedge.exe	105
PID 1516 wrote to memory of 2244	1516	mjftfuvcvcan.exe	106
PID 1516 wrote to memory of 2244	1516	mjftfuvcvcan.exe	106
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 4368	296	msedge.exe	112
PID 296 wrote to memory of 2332	296	msedge.exe	109
PID 296 wrote to memory of 2332	296	msedge.exe	109
PID 296 wrote to memory of 3436	296	msedge.exe	108
PID 296 wrote to memory of 3436	296	msedge.exe	108
PID 296 wrote to memory of 3436	296	msedge.exe	108
PID 296 wrote to memory of 3436	296	msedge.exe	108
PID 296 wrote to memory of 3436	296	msedge.exe	108

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mjftfuvcvcan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	mjftfuvcvcan.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_9213073f63c1542315acdad27c0b8b78.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_9213073f63c1542315acdad27c0b8b78.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\mjftfuvcvcan.exe
  C:\Windows\mjftfuvcvcan.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1516
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd8,0xe0,0x7ffa640546f8,0x7ffa64054708,0x7ffa64054718
      4⤵
      PID:1520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17673287841223994047,13121944421427677952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
      4⤵
      PID:3436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17673287841223994047,13121944421427677952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
      4⤵
      PID:2332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17673287841223994047,13121944421427677952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
      4⤵
      PID:3684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17673287841223994047,13121944421427677952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:4100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17673287841223994047,13121944421427677952,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      4⤵
      PID:4368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17673287841223994047,13121944421427677952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      4⤵
      PID:4708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17673287841223994047,13121944421427677952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      4⤵
      PID:4532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17673287841223994047,13121944421427677952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
      4⤵
      PID:1476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17673287841223994047,13121944421427677952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
      4⤵
      PID:2132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17673287841223994047,13121944421427677952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
      4⤵
      PID:3912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17673287841223994047,13121944421427677952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
      4⤵
      PID:4980
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MJFTFU~1.EXE
    3⤵
    PID:308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:2180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\_ReCoVeRy_+sefxy.html

Filesize
12KB

MD5
a14db84bdc5f67a34e5d9cd4d2771335

SHA1
b1fc0d2eb9a3623f001e60b898ecdefa2794d38b

SHA256
a938c7d0dfab4883ba8582460c5e5a3c95dd83e71897d38d5b86c9336c99cdc1

SHA512
97029c733ebe60c31eb967c0278dee102fe6f4ac5240362a1c6bcd07c1049ef620f941dd133308b8aaf3e0c224cb6507c61ba26177d47d3a80f6c9569f2b17b3

Download Submit
C:\PerfLogs\_ReCoVeRy_+sefxy.png

Filesize
29KB

MD5
aa9cd5cae601d863d12cc51d5c2d804d

SHA1
eba23ff8ea1b481a88df7936314344d5bdeefd46

SHA256
594185d4481937597f74cc76262e4d1dbe3b00041e3fe5c1e5496c341332fcda

SHA512
9a1894a97f1bc77d8fa8e9e5fe5c08586476adf4a541c78ad6b3b040df88b7450659519e656c5baf2ea981e316be4bd520feebccadb78a63abbf410ea3a74c96

Download Submit
C:\PerfLogs\_ReCoVeRy_+sefxy.txt

Filesize
1KB

MD5
0e9887e6fb6f426dec2ea6c29b06e25f

SHA1
d3a19b85e153187eb63ecb41c09354c7423728d1

SHA256
da51297f8047cafa4861cac6c29456934ccbe6f24e01f4781316a527af56d0e9

SHA512
97a9e3bb76bcce887af0c460e4af62b23ab9750e927840caf9c84a9b335948774d05dd2e4ada91f71dcb7eeb8c78493e07d8e2f5632c097fdba76c734a16b07c

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
8687fed0c7c3a5d3b53189029f58f983

SHA1
88e9e0de64085f7437bb89f293735b6252f343f3

SHA256
d2412f9b01bde5db15180568e8b9e9a7b2cdb57e27af55dbb9d3c92822a94877

SHA512
ac92dc335056b4d6504f7ed3df1446b0ae98857dfb4c0dbd0152c53850da6bc14e8eaf8976fa8ee801c75245dbbb12734d47520c0708f01d5a8f81a42af3835d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
44aef00414def9403d17abf7b9993c3f

SHA1
457a546b875a7f27a4bd591dbdeae95a2d5cc259

SHA256
e5f157af8fd3d16026c27c52ba9189ba637c9301c050f8fcdc1142c59a855151

SHA512
a06f524f50c43788688e09ceb9cc6151375fa749cffa49a17e8bca06af5cd2176b71578b1ea5b3f0e1201e3c55c53bb33c639bb6aa5a054b617d28c3797bf06f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
1cd3bd22fea086238149fb72c2b9553a

SHA1
d11426357fcd775918e74102fdac73b92e2de194

SHA256
6c2ec870574a765802d55b13a3df975d5874a902776af23345ed191aa50fc2af

SHA512
b90ac8aed755e86a8648413fe46289ee4df968234975bbdf8f83de36467ac51b0584807403ebec2a3034d2858c95da98df828efe1da40e2642939d9cc585c5a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2d11c6022e40b9743184cd7d6cfe11cd

SHA1
267a186437a70bcc99d9224d12cddff67373a5c1

SHA256
cd5f038feaa329b190bedd537fbcbb3ee39568927b8e38b49d2a27af7e5af227

SHA512
f928fd84241db9a7be413d62c3dc0fd07936001a27b568d1d88dd2aa77e7018cb0bc84cd8bd6becd9a6b271d72ce65ccf390eaaef078f803426b0757b44804c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
86781907b7c3509eecb71c7e31bea73c

SHA1
925bd80de4bef94c2a50e9612f05e3d84a05e485

SHA256
3c09d0d24076b88e38c6d463bd7859d3e5d14bcbdbb5b17339d3b5efec12637e

SHA512
087b8281d766f6faa7b2db8648eb6a51732079b9994582053c9d8421af39ca62b0221e3de7e691ba571e9e2a94469414e2cffec1c8cd9c3e567cfc71ed63bb47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
21ba8f4a4f001869c523c4eb185480aa

SHA1
b393fa79d85f134a43a86273bc828b79c0d8619d

SHA256
cfc3495a8e0310c7c0cc0e11580d5d816d8475739f1054a6057e7e1ca0171769

SHA512
260f6092c5bb596d1be736d476b44a35f0f551ef4de91daa22883df22993c4606daf7c98b981a84094226176c616f17fe2b2a908f59e7089683aed6a79842e9c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471162011620913.txt

Filesize
74KB

MD5
134d1ed5247c038f595aa38a20129b31

SHA1
0750c1a1c3b3ca273125b1e2e948a1cb7bb01e3b

SHA256
c0b53162a3862cfc7f54ceb0ad7a5a9a2af03ce01d71c82882ef925e78c22da7

SHA512
cf32c384652cf830fe8e933fa6f489f4fc29d78981d3ace3670e2faed080f42cc85097c9456c999a25d2641cbb19cc9d71883022fbbc752ec14d6ffd4e7beb06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\_ReCoVeRy_+sefxy.png

Filesize
65KB

MD5
6c775a544dc87d23c6f0f63e5090884b

SHA1
59623a545c220339c172d29dab72ad13ca21ca5e

SHA256
5f0b3434aed006a13c2f6f1892ff0bb29a1b3d39bdfc21ba2d6fb92bda1ce6ce

SHA512
aff9ba42c1db0a40ebcc469793a2dc32095427fbbeea623df140880c9911ba9c5a252c9ee1af36b40bad0721ba0407e970f351d0f2e1963bcac62a0fb143d04a

Download Submit
C:\Windows\mjftfuvcvcan.exe

Filesize
261KB

MD5
c6c78a0d37d79b5754458dab41b478e0

SHA1
b6c4583fcfbd71991f1069f69df8ea785909f860

SHA256
3ed6abdb48ac9bd9f5342996311bcdbeac8f63a4431dda0cb8e40833f824ce9b

SHA512
53c8b214a4ad606a1fe75f2a1ff11335f2c0d470509f6e5e682083e966c70731d1b4639150d442d37ed900a0b77e0b30894604224b7856eeaf5f94c8595fe961

Download Submit
C:\Windows\mjftfuvcvcan.exe

Filesize
228KB

MD5
4c9e528062bca59a13112374883313e0

SHA1
83300b71bebfcae4d996093b8ee83edc120b0f6a

SHA256
8606cc8d534d8a6df5d6edc83527edf9b8ea899c23f8c258481a3baacfd361f5

SHA512
be04f0e7a08c1478123142194a157a3c16901df6d991878ab52e26b0eb5571df802f680f09477eb427f680e5a5566e14098e41eb55da4f21a08155f62e77cf61

Download Submit
memory/400-0-0x0000000002290000-0x0000000002316000-memory.dmp

Filesize
536KB

Download
memory/400-13-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/400-14-0x0000000002290000-0x0000000002316000-memory.dmp

Filesize
536KB

Download
memory/400-1-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1516-10329-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1516-8420-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1516-5907-0x0000000002100000-0x0000000002186000-memory.dmp

Filesize
536KB

Download
memory/1516-5137-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1516-10384-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1516-10386-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1516-2844-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1516-10-0x0000000002100000-0x0000000002186000-memory.dmp

Filesize
536KB

Download