teslacrypt | 4500cb0221426a2a102f03d23da913fcd6070b7b5cb8b1e0acaf5261c0c91758

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe
Size

360KB
MD5

5e877e8c5020bc0eb13b27e07c066c07
SHA1

c8bb1cf30af7ccf06358b5888c86245eb88a92d7
SHA256

4500cb0221426a2a102f03d23da913fcd6070b7b5cb8b1e0acaf5261c0c91758
SHA512

829a12f1068931e517e55c7245cd56139b46195f3485cf621743b0935ae22f614b6370bb14fe725c7661e04db6beb14ed7b04c989462a3b6485e1e3cdc5ed4b3
SSDEEP

6144:Zw7VmMxZ+gdbX38IsdH11EmQYn9wiJnoYR:Zw7HkdHzEe9wGno4

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+acmum.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/93C2A0337EAB204F 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/93C2A0337EAB204F 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/93C2A0337EAB204F If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/93C2A0337EAB204F 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/93C2A0337EAB204F http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/93C2A0337EAB204F http://yyre45dbvn2nhbefbmh.begumvelic.at/93C2A0337EAB204F Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/93C2A0337EAB204F

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/93C2A0337EAB204F

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/93C2A0337EAB204F

http://yyre45dbvn2nhbefbmh.begumvelic.at/93C2A0337EAB204F

http://xlowfznrg4wf7dli.ONION/93C2A0337EAB204F

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (868) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	dfpxvpwsuuqh.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+acmum.txt	dfpxvpwsuuqh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+acmum.txt	dfpxvpwsuuqh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe

Executes dropped EXE 1 IoCs

pid	Process
4288	dfpxvpwsuuqh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uusihnk = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\dfpxvpwsuuqh.exe"	dfpxvpwsuuqh.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\styles\wefgallerywinrt.css	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlCone.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-200_contrast-black.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-400.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_5.m4a	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-100.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Text\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Reconnected.m4a	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-200_contrast-black.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+acmum.txt	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_altform-unplated_contrast-white.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100_contrast-black.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_ReCoVeRy_+acmum.txt	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\firstrun\_ReCoVeRy_+acmum.txt	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-200.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\View3d\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_CarReservation_Light.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_ReCoVeRy_+acmum.txt	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_ReCoVeRy_+acmum.txt	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1036\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Cliffhouse.jpg	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\holiday_weather.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\foreca.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_contrast-white.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NoProfilePicture.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72_altform-lightunplated.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-256.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-400.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-125.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-125.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_8.m4a	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-64.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-white_scale-200.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-400.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-3.jpg	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+acmum.txt	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\_ReCoVeRy_+acmum.txt	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\_ReCoVeRy_+acmum.png	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+acmum.html	dfpxvpwsuuqh.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dfpxvpwsuuqh.exe	5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe
File opened for modification	C:\Windows\dfpxvpwsuuqh.exe	5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	dfpxvpwsuuqh.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3728	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe
4288	dfpxvpwsuuqh.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe
Token: SeDebugPrivilege	4288	dfpxvpwsuuqh.exe
Token: SeIncreaseQuotaPrivilege	4956	WMIC.exe
Token: SeSecurityPrivilege	4956	WMIC.exe
Token: SeTakeOwnershipPrivilege	4956	WMIC.exe
Token: SeLoadDriverPrivilege	4956	WMIC.exe
Token: SeSystemProfilePrivilege	4956	WMIC.exe
Token: SeSystemtimePrivilege	4956	WMIC.exe
Token: SeProfSingleProcessPrivilege	4956	WMIC.exe
Token: SeIncBasePriorityPrivilege	4956	WMIC.exe
Token: SeCreatePagefilePrivilege	4956	WMIC.exe
Token: SeBackupPrivilege	4956	WMIC.exe
Token: SeRestorePrivilege	4956	WMIC.exe
Token: SeShutdownPrivilege	4956	WMIC.exe
Token: SeDebugPrivilege	4956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4956	WMIC.exe
Token: SeRemoteShutdownPrivilege	4956	WMIC.exe
Token: SeUndockPrivilege	4956	WMIC.exe
Token: SeManageVolumePrivilege	4956	WMIC.exe
Token: 33	4956	WMIC.exe
Token: 34	4956	WMIC.exe
Token: 35	4956	WMIC.exe
Token: 36	4956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4956	WMIC.exe
Token: SeSecurityPrivilege	4956	WMIC.exe
Token: SeTakeOwnershipPrivilege	4956	WMIC.exe
Token: SeLoadDriverPrivilege	4956	WMIC.exe
Token: SeSystemProfilePrivilege	4956	WMIC.exe
Token: SeSystemtimePrivilege	4956	WMIC.exe
Token: SeProfSingleProcessPrivilege	4956	WMIC.exe
Token: SeIncBasePriorityPrivilege	4956	WMIC.exe
Token: SeCreatePagefilePrivilege	4956	WMIC.exe
Token: SeBackupPrivilege	4956	WMIC.exe
Token: SeRestorePrivilege	4956	WMIC.exe
Token: SeShutdownPrivilege	4956	WMIC.exe
Token: SeDebugPrivilege	4956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4956	WMIC.exe
Token: SeRemoteShutdownPrivilege	4956	WMIC.exe
Token: SeUndockPrivilege	4956	WMIC.exe
Token: SeManageVolumePrivilege	4956	WMIC.exe
Token: 33	4956	WMIC.exe
Token: 34	4956	WMIC.exe
Token: 35	4956	WMIC.exe
Token: 36	4956	WMIC.exe
Token: SeBackupPrivilege	692	vssvc.exe
Token: SeRestorePrivilege	692	vssvc.exe
Token: SeAuditPrivilege	692	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2172	WMIC.exe
Token: SeSecurityPrivilege	2172	WMIC.exe
Token: SeTakeOwnershipPrivilege	2172	WMIC.exe
Token: SeLoadDriverPrivilege	2172	WMIC.exe
Token: SeSystemProfilePrivilege	2172	WMIC.exe
Token: SeSystemtimePrivilege	2172	WMIC.exe
Token: SeProfSingleProcessPrivilege	2172	WMIC.exe
Token: SeIncBasePriorityPrivilege	2172	WMIC.exe
Token: SeCreatePagefilePrivilege	2172	WMIC.exe
Token: SeBackupPrivilege	2172	WMIC.exe
Token: SeRestorePrivilege	2172	WMIC.exe
Token: SeShutdownPrivilege	2172	WMIC.exe
Token: SeDebugPrivilege	2172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2172	WMIC.exe
Token: SeRemoteShutdownPrivilege	2172	WMIC.exe
Token: SeUndockPrivilege	2172	WMIC.exe
Token: SeManageVolumePrivilege	2172	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 4288	4924	5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe	86
PID 4924 wrote to memory of 4288	4924	5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe	86
PID 4924 wrote to memory of 4288	4924	5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe	86
PID 4924 wrote to memory of 2944	4924	5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe	88
PID 4924 wrote to memory of 2944	4924	5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe	88
PID 4924 wrote to memory of 2944	4924	5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe	88
PID 4288 wrote to memory of 4956	4288	dfpxvpwsuuqh.exe	90
PID 4288 wrote to memory of 4956	4288	dfpxvpwsuuqh.exe	90
PID 4288 wrote to memory of 3728	4288	dfpxvpwsuuqh.exe	109
PID 4288 wrote to memory of 3728	4288	dfpxvpwsuuqh.exe	109
PID 4288 wrote to memory of 3728	4288	dfpxvpwsuuqh.exe	109
PID 4288 wrote to memory of 3184	4288	dfpxvpwsuuqh.exe	110
PID 4288 wrote to memory of 3184	4288	dfpxvpwsuuqh.exe	110
PID 3184 wrote to memory of 5716	3184	msedge.exe	111
PID 3184 wrote to memory of 5716	3184	msedge.exe	111
PID 4288 wrote to memory of 2172	4288	dfpxvpwsuuqh.exe	112
PID 4288 wrote to memory of 2172	4288	dfpxvpwsuuqh.exe	112
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5636	3184	msedge.exe	114
PID 3184 wrote to memory of 5072	3184	msedge.exe	115
PID 3184 wrote to memory of 5072	3184	msedge.exe	115
PID 3184 wrote to memory of 3204	3184	msedge.exe	116
PID 3184 wrote to memory of 3204	3184	msedge.exe	116
PID 3184 wrote to memory of 3204	3184	msedge.exe	116
PID 3184 wrote to memory of 3204	3184	msedge.exe	116
PID 3184 wrote to memory of 3204	3184	msedge.exe	116

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dfpxvpwsuuqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dfpxvpwsuuqh.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e877e8c5020bc0eb13b27e07c066c07_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\dfpxvpwsuuqh.exe
  C:\Windows\dfpxvpwsuuqh.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4288
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0e1246f8,0x7ffa0e124708,0x7ffa0e124718
      4⤵
      PID:5716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15675428010086780825,9665438421033367192,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:5636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15675428010086780825,9665438421033367192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      PID:5072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15675428010086780825,9665438421033367192,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
      4⤵
      PID:3204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15675428010086780825,9665438421033367192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:3944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15675428010086780825,9665438421033367192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:3008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15675428010086780825,9665438421033367192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
      4⤵
      PID:3700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15675428010086780825,9665438421033367192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
      4⤵
      PID:4932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15675428010086780825,9665438421033367192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      4⤵
      PID:5068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15675428010086780825,9665438421033367192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
      4⤵
      PID:5448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15675428010086780825,9665438421033367192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
      4⤵
      PID:6088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15675428010086780825,9665438421033367192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
      4⤵
      PID:4796
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DFPXVP~1.EXE
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5E877E~1.EXE
  2⤵
  PID:2944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+acmum.html

Filesize
12KB

MD5
906d3c14ac3cc6924aad40170530ff3f

SHA1
e13886102540f51a45809b5af1ce6d643afd6e47

SHA256
6f753299cd0818f317ba89f692e7e20800293710b19dd5dc81d2d3268dc279c6

SHA512
80d4be49f2390e23cdf93609a96f64a57909bd51aaa5bc6b841a32ecc27fe9b447713152da8f790c4ff8ab0de5e91038509a528ba13a78fc8ee71b59b7e8b664

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+acmum.png

Filesize
65KB

MD5
deb4c0a8ca4bc6a7d73e0e6748e576f2

SHA1
fbf123c0bf1f3dbf32498f26ff33db43445dbe75

SHA256
60ae00b334da1302e5dc2b8eccbad46e2b34d2991c3b77b14dff7793b51ddbc4

SHA512
7aba37569cc7769ee8cbcd45c8d067c0273e0846df2d82b9ec29a37c1878e7259387322ab3152b12f0719ecfde0d66431632a6f835798e2cdde223a223b77590

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+acmum.txt

Filesize
1KB

MD5
26834d6adcbdf62443bb59313d0255c6

SHA1
22f2e2c93b78520edd512e2bc3efc5b500a8baa3

SHA256
86dbf3c5235700b5878cc3278fb025b18203bc010935632a7b1c8630bb1a41e1

SHA512
c36bcaf6f4fbed75c3cf517f603795bbe341feea0ab68aa8dd60acec00657ef30e71fe6e2b4676373475ac33aedaf09c93e70830aa8679a4c305bc4a62c5c5da

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
1400d0695b029a29a448544057a64bb0

SHA1
9636173594fb9def5f6ac6e8166753052293900d

SHA256
691092bb90e2bdf8f2b4377908b4c7df9d82c85f6026b170e6eb4770e0a1d431

SHA512
70ea40844f27d4bbdf0ef1ad72ef5e9e806255f924a953049d3acc145cd1c6258575b366d6b2c8ddf96b83dc7ff9d0280a9b7233a516cd85fa25aeff733e9f1a

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
8c9d6676c57cdd1a68fb78aad918dc1e

SHA1
bb72c9d0bd569b1c7d9dd7773f469f44e0cee88d

SHA256
2a933080dcfe4f12c3d3141d3722c8824791e1a1e25fd7dfc26bcbf0a5bc2cc4

SHA512
6a2eb2735c3591b59670cb4556d86a1e22afa95668f362bbb446773f0c9576a6063e7a9a2416aeb03f57c3b5ed941bc5c4578890cc8d14ba227acaa92647b3cb

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
fe0f8e8fb137f4dbeb367ea968dece72

SHA1
03506ee6dec432e0602b0c358545f9e951121aaa

SHA256
d07eef2745050469ea9db291297b38d2091ab4a8f363ceb61dfe4ad2474ec262

SHA512
f487ad33f9cc6224dc421ccb8647bf6c79a80b2c8ceeb854046d2af32202e22b0279034359bf1643a4f11ae8367e7e1f9714ab0e0dbb11fa37648a8085ee82f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ab964b117d7f60dd919c01353904553

SHA1
d2c464dfef936019704d8212d27b356391ee320f

SHA256
1f07cedc77e7648ed9e0ed778648eea778df2e91557d7c16d20f1839f3665dd6

SHA512
fc25524c7bb2c56cadbbceeb410bab6b07b84b7b39ea1ff44ceb70f508082b75aba481fc0bcd67da96638c73a2c62dca9b7ebe794efd4e065c638793f90ca4a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96b0b099e1138e3ac49d360891176f53

SHA1
03aa235e18f659925fde96f9ab3638a6b4074aba

SHA256
1046cbcba91871d969554ec246a163d0a98f4774725be0a7bda05f111787bc25

SHA512
33267f0b2962f781024a59881dce22903ed99a83b7e3141b21bd3dec18083c2c2222c9dfb08aa3b6e2eb9b1b1e7a0abe6fc6021ce607028f6f05875c323ec109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e7dd0c22ff1ecf787b630cacb2225c9b

SHA1
92afc2d48282075f3ec64bd5e92797f407a6d73f

SHA256
ab26851a1c6f838db1d10bfb13e47f6ad2feb2b37fb455593b62192edddd8eaf

SHA512
d78601762fed27d4d43aee62b137497737383a18ec98962407c13b37b69dc55f6aca4184089acc64c966fc490c92666d0abff851732e31ab8bf616651243b74a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586125373585275.txt

Filesize
75KB

MD5
82e12850ab5e34ed622d48ce84bdc66a

SHA1
e842ff90757cee7d60997c518eebc570ef7ddbed

SHA256
0b08a44e66f750e3fde030966dae708f68a2b17f16fc8950ac4d2e837dc71885

SHA512
7966bf23737017b173939e0b9a9ff6032637920125426d5122cce964b865daab746b6658dea12f2c538bd9cd403d73c167f5a2c2d9804b565f9aa8e26c62affc

Download Submit
C:\Windows\dfpxvpwsuuqh.exe

Filesize
360KB

MD5
5e877e8c5020bc0eb13b27e07c066c07

SHA1
c8bb1cf30af7ccf06358b5888c86245eb88a92d7

SHA256
4500cb0221426a2a102f03d23da913fcd6070b7b5cb8b1e0acaf5261c0c91758

SHA512
829a12f1068931e517e55c7245cd56139b46195f3485cf621743b0935ae22f614b6370bb14fe725c7661e04db6beb14ed7b04c989462a3b6485e1e3cdc5ed4b3

Download Submit
memory/4288-10354-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4288-14-0x0000000002100000-0x0000000002186000-memory.dmp

Filesize
536KB

Download
memory/4288-9992-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4288-7092-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4288-4215-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4288-10400-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4288-1991-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4924-0-0x0000000000980000-0x0000000000A06000-memory.dmp

Filesize
536KB

Download
memory/4924-1-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4924-10-0x0000000000980000-0x0000000000A06000-memory.dmp

Filesize
536KB

Download
memory/4924-9-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download