teslacrypt | 1d42b72a61bdfdb6aecc1df67f1705ebeadef1bc48aaa011b97c85de2f932e06

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe
Size

575KB
MD5

6d73b7e3967ec42f90bae88b410a8351
SHA1

2ff8579cc1102be946eaa8e8b6704463965fea74
SHA256

1d42b72a61bdfdb6aecc1df67f1705ebeadef1bc48aaa011b97c85de2f932e06
SHA512

34c5b26d2839c9617f42b2b125ecd8569f16b2654c55673d19ba3e646b2c1c1757c76082abd3b9970bf1b1db39fbabf25270d2999ab45cd629f3f87736ee5117
SSDEEP

12288:Hz+YmJJuGZYbzz2IgfFblCJxfS6ysoraDfqf1b/gjP2A9Ps6:dsJJYaICOR1FZDfqf1b/gjP2QP7

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+leifn.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A75650976458F13F 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A75650976458F13F 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A75650976458F13F If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/A75650976458F13F 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A75650976458F13F http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A75650976458F13F http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A75650976458F13F *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/A75650976458F13F

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A75650976458F13F

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A75650976458F13F

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A75650976458F13F

http://xlowfznrg4wf7dli.ONION/A75650976458F13F

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (882) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	jftucvcupppn.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+leifn.txt	jftucvcupppn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+leifn.html	jftucvcupppn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+leifn.txt	jftucvcupppn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+leifn.html	jftucvcupppn.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	jftucvcupppn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iarhmokocguu = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\jftucvcupppn.exe\""	jftucvcupppn.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+leifn.txt	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-24.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc	jftucvcupppn.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+leifn.txt	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-100.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\_RECoVERY_+leifn.txt	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-150_contrast-white.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Text\_RECoVERY_+leifn.html	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_RECoVERY_+leifn.html	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Default.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-200.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-colorize.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\Home-Placeholder.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200_contrast-white.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-100.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-180.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\_RECoVERY_+leifn.txt	jftucvcupppn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-256_altform-unplated.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-125_contrast-white.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\splashscreen.scale-200.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+leifn.html	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_RECoVERY_+leifn.html	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\154.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-24_altform-unplated_contrast-black.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72_altform-lightunplated.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-100.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	jftucvcupppn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-256.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32_altform-unplated.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateX.PNG	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\_RECoVERY_+leifn.txt	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-48_altform-lightunplated.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-125_contrast-black.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-400.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+leifn.html	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+leifn.html	jftucvcupppn.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\_RECoVERY_+leifn.html	jftucvcupppn.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_RECoVERY_+leifn.html	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+leifn.txt	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-125.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\Data\_RECoVERY_+leifn.txt	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-125.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-96_altform-unplated.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircle.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-48.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\_RECoVERY_+leifn.txt	jftucvcupppn.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\_RECoVERY_+leifn.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_altform-unplated_contrast-white.png	jftucvcupppn.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSplash.scale-100_contrast-white.png	jftucvcupppn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\jftucvcupppn.exe	0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe
File opened for modification	C:\Windows\jftucvcupppn.exe	0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	jftucvcupppn.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1492	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe
2712	jftucvcupppn.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe
Token: SeDebugPrivilege	2712	jftucvcupppn.exe
Token: SeIncreaseQuotaPrivilege	8	WMIC.exe
Token: SeSecurityPrivilege	8	WMIC.exe
Token: SeTakeOwnershipPrivilege	8	WMIC.exe
Token: SeLoadDriverPrivilege	8	WMIC.exe
Token: SeSystemProfilePrivilege	8	WMIC.exe
Token: SeSystemtimePrivilege	8	WMIC.exe
Token: SeProfSingleProcessPrivilege	8	WMIC.exe
Token: SeIncBasePriorityPrivilege	8	WMIC.exe
Token: SeCreatePagefilePrivilege	8	WMIC.exe
Token: SeBackupPrivilege	8	WMIC.exe
Token: SeRestorePrivilege	8	WMIC.exe
Token: SeShutdownPrivilege	8	WMIC.exe
Token: SeDebugPrivilege	8	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8	WMIC.exe
Token: SeRemoteShutdownPrivilege	8	WMIC.exe
Token: SeUndockPrivilege	8	WMIC.exe
Token: SeManageVolumePrivilege	8	WMIC.exe
Token: 33	8	WMIC.exe
Token: 34	8	WMIC.exe
Token: 35	8	WMIC.exe
Token: 36	8	WMIC.exe
Token: SeIncreaseQuotaPrivilege	8	WMIC.exe
Token: SeSecurityPrivilege	8	WMIC.exe
Token: SeTakeOwnershipPrivilege	8	WMIC.exe
Token: SeLoadDriverPrivilege	8	WMIC.exe
Token: SeSystemProfilePrivilege	8	WMIC.exe
Token: SeSystemtimePrivilege	8	WMIC.exe
Token: SeProfSingleProcessPrivilege	8	WMIC.exe
Token: SeIncBasePriorityPrivilege	8	WMIC.exe
Token: SeCreatePagefilePrivilege	8	WMIC.exe
Token: SeBackupPrivilege	8	WMIC.exe
Token: SeRestorePrivilege	8	WMIC.exe
Token: SeShutdownPrivilege	8	WMIC.exe
Token: SeDebugPrivilege	8	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8	WMIC.exe
Token: SeRemoteShutdownPrivilege	8	WMIC.exe
Token: SeUndockPrivilege	8	WMIC.exe
Token: SeManageVolumePrivilege	8	WMIC.exe
Token: 33	8	WMIC.exe
Token: 34	8	WMIC.exe
Token: 35	8	WMIC.exe
Token: 36	8	WMIC.exe
Token: SeBackupPrivilege	1232	vssvc.exe
Token: SeRestorePrivilege	1232	vssvc.exe
Token: SeAuditPrivilege	1232	vssvc.exe
Token: SeIncreaseQuotaPrivilege	396	WMIC.exe
Token: SeSecurityPrivilege	396	WMIC.exe
Token: SeTakeOwnershipPrivilege	396	WMIC.exe
Token: SeLoadDriverPrivilege	396	WMIC.exe
Token: SeSystemProfilePrivilege	396	WMIC.exe
Token: SeSystemtimePrivilege	396	WMIC.exe
Token: SeProfSingleProcessPrivilege	396	WMIC.exe
Token: SeIncBasePriorityPrivilege	396	WMIC.exe
Token: SeCreatePagefilePrivilege	396	WMIC.exe
Token: SeBackupPrivilege	396	WMIC.exe
Token: SeRestorePrivilege	396	WMIC.exe
Token: SeShutdownPrivilege	396	WMIC.exe
Token: SeDebugPrivilege	396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	396	WMIC.exe
Token: SeRemoteShutdownPrivilege	396	WMIC.exe
Token: SeUndockPrivilege	396	WMIC.exe
Token: SeManageVolumePrivilege	396	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2712	2408	0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe	86
PID 2408 wrote to memory of 2712	2408	0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe	86
PID 2408 wrote to memory of 2712	2408	0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe	86
PID 2408 wrote to memory of 3624	2408	0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe	87
PID 2408 wrote to memory of 3624	2408	0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe	87
PID 2408 wrote to memory of 3624	2408	0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe	87
PID 2712 wrote to memory of 8	2712	jftucvcupppn.exe	89
PID 2712 wrote to memory of 8	2712	jftucvcupppn.exe	89
PID 2712 wrote to memory of 1492	2712	jftucvcupppn.exe	104
PID 2712 wrote to memory of 1492	2712	jftucvcupppn.exe	104
PID 2712 wrote to memory of 1492	2712	jftucvcupppn.exe	104
PID 2712 wrote to memory of 4932	2712	jftucvcupppn.exe	105
PID 2712 wrote to memory of 4932	2712	jftucvcupppn.exe	105
PID 4932 wrote to memory of 60	4932	msedge.exe	106
PID 4932 wrote to memory of 60	4932	msedge.exe	106
PID 2712 wrote to memory of 396	2712	jftucvcupppn.exe	107
PID 2712 wrote to memory of 396	2712	jftucvcupppn.exe	107
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 1824	4932	msedge.exe	109
PID 4932 wrote to memory of 4824	4932	msedge.exe	110
PID 4932 wrote to memory of 4824	4932	msedge.exe	110
PID 4932 wrote to memory of 868	4932	msedge.exe	111
PID 4932 wrote to memory of 868	4932	msedge.exe	111
PID 4932 wrote to memory of 868	4932	msedge.exe	111
PID 4932 wrote to memory of 868	4932	msedge.exe	111
PID 4932 wrote to memory of 868	4932	msedge.exe	111

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jftucvcupppn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	jftucvcupppn.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe
"C:\Users\Admin\AppData\Local\Temp\0a2d0acdc0543f253985adf481e5d5003e20038b568e07e5292775c13cfb3812.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\jftucvcupppn.exe
  C:\Windows\jftucvcupppn.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2712
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe76e446f8,0x7ffe76e44708,0x7ffe76e44718
      4⤵
      PID:60
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,14194748146837196201,6522265335002344586,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:1824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,14194748146837196201,6522265335002344586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,14194748146837196201,6522265335002344586,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
      4⤵
      PID:868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14194748146837196201,6522265335002344586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      PID:2024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14194748146837196201,6522265335002344586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
      4⤵
      PID:1724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,14194748146837196201,6522265335002344586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
      4⤵
      PID:4124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,14194748146837196201,6522265335002344586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
      4⤵
      PID:4588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14194748146837196201,6522265335002344586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      4⤵
      PID:1236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14194748146837196201,6522265335002344586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
      4⤵
      PID:4948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14194748146837196201,6522265335002344586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
      4⤵
      PID:5176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14194748146837196201,6522265335002344586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
      4⤵
      PID:5184
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JFTUCV~1.EXE
    3⤵
    PID:5372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\0A2D0A~1.EXE
  2⤵
  PID:3624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+leifn.html

Filesize
11KB

MD5
c083001e36153819e5fed3ce732456aa

SHA1
9e0095d867a81630c9d72091605f6f544339aaad

SHA256
2e91d1ad137b9fcadaece149612f61f9d2ec301833b717cc0968a5d107d1f20e

SHA512
41ecd2d59a556020f6145d35cdd063cc115f44f362e077a2298743b70147e5376aa900a14d2d091f49fad378e54f1a9bf7d081af9dffb5e3c30ac4232d4b9229

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+leifn.png

Filesize
64KB

MD5
9cc23db965caaf26d380d9995e97b0b4

SHA1
29e3569d4ec3f6b2e19204e4d9bd538c6ade9b24

SHA256
13c060bedfb87b7c76d04516f2e855987f5f45d3c67d00b1642f97a4b1f2295e

SHA512
176535c42f7f178a3de45a578d9223498d83c9a4e6c980c94dfda7b37704d2a45f5b201300f03b2371cdde662740de9341d25b80bd2ead52faade72e024729f6

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+leifn.txt

Filesize
1KB

MD5
affa3d3d3a472ca836db7d2193bfe353

SHA1
74b157bf69a8129eab119439e2776cf55549c97a

SHA256
004c3cce433ab283bd9776397a316574c11174a5959be684c567be81d4f2fcfe

SHA512
7336df9a37040bfeac3ea1242e122a322c344fbaac27df8e6fdeb2061343040218286b3f8982105d9811dbd3595d747384ce1ecdb577599144bee9c82c50d2fb

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
2b62c9533d15d7febe8a3a6542ef4573

SHA1
5292a34f564fa6db7c47bcd50423653d3077e3f3

SHA256
536150d41c89b5695a78862619641591393bba4132456a3af18e8d449a2a17e5

SHA512
3479543bc557ef48fbf4d0a7cb4c0eb49c4921fb2e2cf830b13a7c4c1c080ad384d6123041605f82934e55ddf2b86b1fa7424011698edbb812ce1ee438ff56e4

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
1a95e8ceabac4ed77d1d3b4c0ee672d9

SHA1
2568139d28345c2758abe19aae8c637d188fd862

SHA256
13afcb0c3687539f9a9af567162ea7fc58924a6e211a3eb7474d84d24b60b306

SHA512
a292d3d589515b647a9a4005ce804cc12b93de69d1becc6d33d29c3cd79a891b0e03f116288bdbd4d1234843c3a63cece12732285416d9a2f6d0bf890661f772

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
49ff5e03173aa741e4bf6bb74797d5bb

SHA1
198dfcf002bf0f8e680ce90cd00dd7e60396e500

SHA256
1ff99756793537b468de7371fedd2a8639a1da26da1477d1a259d4ce5a219a12

SHA512
374cb81dbadd328292888514c0d801fc28267b7d3219ad4eeacb3da7e374deaf2e722c33e91fba4418b42dfdea002d6eb6f43d87e5010d6683a21243d0c8e32c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f14971351bddeaf0d44f9068c145f2b7

SHA1
7f4f9a4c58bd215fff42f82879026371e2de6df5

SHA256
3f119eb39695007258667c64b3d47dfe2bead0b4a130443368bc26f633788df3

SHA512
33ef0e6793b5720153236909b25960bb629e40f18aec5230d201baceb9d821b925eccc205bd15d85f7acb6c6f958734ee2d2006190f813d202bdf59eb250d231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d5d0f376d1c692c630a1f7b8d227afe4

SHA1
44fd9d84d5dcb2e79717c5ed2e87ed5fa11a833c

SHA256
cb01bb720c6321b2656509b3530d8dc1877d52b1b6bb52f27dd06551bce2ead1

SHA512
3a2b29a20cb7724cc79beed80aceff1d9db82cb70a15b026ee26102a2a1224606eb694c340b78694d6bca4456281012c90da80cf7bb76115a9cf006c48faa5eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4fde3d3c98aeebf8c61044c4214f6d4b

SHA1
4cd6f4ba6cb4935557a400e03c2be3b6ce99cc63

SHA256
7065b4d3dc5522d6cecb12aab824fb659a4db5af50f0d1a99fbb227fe3d7d80f

SHA512
d81fec3580a1c20a964e41b33c4ba619d1dc427a2102acb87172059ce689247f202c66e91aecb2c6e1bbc5cde676c15afa584446846ef1f9eedda6db5f15f353

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088054759135.txt

Filesize
47KB

MD5
a04c7e82b407e9732acef846b40004f7

SHA1
4c79271c69d69b24796a361839aa0f785b3ae10c

SHA256
0db126f00d9f86d117a2158e4950af1944143484edd5f9d987d13922e745096f

SHA512
6c482a9b53afe6cf657c9632ab1559888e7bf0b2efd27171129630ce2640bbb6ed06ba0e553406accd9f39c2a8a85d50c0e8e61c147021695b1814d94e03e757

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586120930347965.txt

Filesize
75KB

MD5
276fbe9c997c2f8674f4413b89564201

SHA1
ad3c207e3857af6a91b53836828171c3fa4f9418

SHA256
1a130cd09326f9b1d4e5ea28cd3d2660a3a8e02815f8b69de0b132eda0f01634

SHA512
12ed3d2a9c7034105f17ef06bcc6852a747a3c68c56bba98ae28b34cb2c198ce55573909a56ce3de48f06a741ee25c26dad6f88dbd68a7b84eacda013d7bf0bf

Download Submit
C:\Windows\jftucvcupppn.exe

Filesize
575KB

MD5
6d73b7e3967ec42f90bae88b410a8351

SHA1
2ff8579cc1102be946eaa8e8b6704463965fea74

SHA256
1d42b72a61bdfdb6aecc1df67f1705ebeadef1bc48aaa011b97c85de2f932e06

SHA512
34c5b26d2839c9617f42b2b125ecd8569f16b2654c55673d19ba3e646b2c1c1757c76082abd3b9970bf1b1db39fbabf25270d2999ab45cd629f3f87736ee5117

Download Submit
memory/2408-0-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2408-9-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2408-3-0x0000000002250000-0x00000000022D5000-memory.dmp

Filesize
532KB

Download
memory/2408-10-0x0000000002250000-0x00000000022D5000-memory.dmp

Filesize
532KB

Download
memory/2712-1436-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2712-10406-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2712-10393-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2712-8205-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2712-10459-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2712-4820-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2712-14-0x0000000000A00000-0x0000000000A85000-memory.dmp

Filesize
532KB

Download