teslacrypt | 0c3627d59f3087a2b3a83b4446eb4446b662c2351f52db9cc0729dda9bcdee43

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe
Size

340KB
MD5

6cd9b22cd6b3ac432bf8690eba4d5348
SHA1

c4983823c3e53ce2eed20939b7c2b2e098fff7b9
SHA256

0c3627d59f3087a2b3a83b4446eb4446b662c2351f52db9cc0729dda9bcdee43
SHA512

9227b3543c6a79d714bc81a5b16b55a7ec63e4691f31d6fb68416ad2c3473a97ef827189eea10d7d05ec7bb4b957cf3ad677aecbc1e654ddcc9e90be5f2cabce
SSDEEP

6144:0WFLFLkNpvlmNCp27PoWZRwwXvFw0OH2paKZwE+VcF3GCF9IyjVLe:0Wnkbvlm3FeHdKZICF3nb1j

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+vuape.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/504E46C7CDDC57C 2. http://tes543berda73i48fsdfsd.keratadze.at/504E46C7CDDC57C 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/504E46C7CDDC57C If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/504E46C7CDDC57C 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/504E46C7CDDC57C http://tes543berda73i48fsdfsd.keratadze.at/504E46C7CDDC57C http://tt54rfdjhb34rfbnknaerg.milerteddy.com/504E46C7CDDC57C *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/504E46C7CDDC57C

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/504E46C7CDDC57C

http://tes543berda73i48fsdfsd.keratadze.at/504E46C7CDDC57C

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/504E46C7CDDC57C

http://xlowfznrg4wf7dli.ONION/504E46C7CDDC57C

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (864) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exeaghhysmkaljl.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	aghhysmkaljl.exe

Drops startup file 6 IoCs

Processes:

aghhysmkaljl.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vuape.png	aghhysmkaljl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vuape.txt	aghhysmkaljl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vuape.png	aghhysmkaljl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vuape.txt	aghhysmkaljl.exe

Executes dropped EXE 1 IoCs

Processes:

aghhysmkaljl.exe

pid	Process
2416	aghhysmkaljl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aghhysmkaljl.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpolcefbiefk = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\aghhysmkaljl.exe\""	aghhysmkaljl.exe

Drops file in Program Files directory 64 IoCs

Processes:

aghhysmkaljl.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_dark.jpg	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-200.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\Recovery+vuape.txt	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\Recovery+vuape.txt	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-100_contrast-black.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\Recovery+vuape.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\Recovery+vuape.txt	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-200.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\id-ID\View3d\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-150.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_altform-lightunplated.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\WinMetadata\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NoProfilePicture.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\Recovery+vuape.txt	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+vuape.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-100.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-lightunplated.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.scale-200_contrast-black.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\Recovery+vuape.txt	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\Recovery+vuape.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	aghhysmkaljl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\Recovery+vuape.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-125_contrast-white.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Recovery+vuape.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-125.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\iadata\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24_altform-unplated.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-36.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-100.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Recovery+vuape.txt	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-20.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\Recovery+vuape.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-24_altform-unplated.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-100.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-100.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg4_thumb.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-256_altform-unplated_contrast-white.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\contacts_variant2_v3.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\Recovery+vuape.txt	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\Recovery+vuape.txt	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-32_contrast-white.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\Recovery+vuape.txt	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-100.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\Recovery+vuape.html	aghhysmkaljl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\Recovery+vuape.png	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+vuape.txt	aghhysmkaljl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125_contrast-black.png	aghhysmkaljl.exe

Drops file in Windows directory 2 IoCs

Processes:

6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\aghhysmkaljl.exe	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe
File opened for modification	C:\Windows\aghhysmkaljl.exe	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

aghhysmkaljl.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	aghhysmkaljl.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
4400	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aghhysmkaljl.exe

pid	Process
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe
2416	aghhysmkaljl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exeaghhysmkaljl.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2996	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe
Token: SeDebugPrivilege	2416	aghhysmkaljl.exe
Token: SeIncreaseQuotaPrivilege	5216	WMIC.exe
Token: SeSecurityPrivilege	5216	WMIC.exe
Token: SeTakeOwnershipPrivilege	5216	WMIC.exe
Token: SeLoadDriverPrivilege	5216	WMIC.exe
Token: SeSystemProfilePrivilege	5216	WMIC.exe
Token: SeSystemtimePrivilege	5216	WMIC.exe
Token: SeProfSingleProcessPrivilege	5216	WMIC.exe
Token: SeIncBasePriorityPrivilege	5216	WMIC.exe
Token: SeCreatePagefilePrivilege	5216	WMIC.exe
Token: SeBackupPrivilege	5216	WMIC.exe
Token: SeRestorePrivilege	5216	WMIC.exe
Token: SeShutdownPrivilege	5216	WMIC.exe
Token: SeDebugPrivilege	5216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5216	WMIC.exe
Token: SeRemoteShutdownPrivilege	5216	WMIC.exe
Token: SeUndockPrivilege	5216	WMIC.exe
Token: SeManageVolumePrivilege	5216	WMIC.exe
Token: 33	5216	WMIC.exe
Token: 34	5216	WMIC.exe
Token: 35	5216	WMIC.exe
Token: 36	5216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5216	WMIC.exe
Token: SeSecurityPrivilege	5216	WMIC.exe
Token: SeTakeOwnershipPrivilege	5216	WMIC.exe
Token: SeLoadDriverPrivilege	5216	WMIC.exe
Token: SeSystemProfilePrivilege	5216	WMIC.exe
Token: SeSystemtimePrivilege	5216	WMIC.exe
Token: SeProfSingleProcessPrivilege	5216	WMIC.exe
Token: SeIncBasePriorityPrivilege	5216	WMIC.exe
Token: SeCreatePagefilePrivilege	5216	WMIC.exe
Token: SeBackupPrivilege	5216	WMIC.exe
Token: SeRestorePrivilege	5216	WMIC.exe
Token: SeShutdownPrivilege	5216	WMIC.exe
Token: SeDebugPrivilege	5216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5216	WMIC.exe
Token: SeRemoteShutdownPrivilege	5216	WMIC.exe
Token: SeUndockPrivilege	5216	WMIC.exe
Token: SeManageVolumePrivilege	5216	WMIC.exe
Token: 33	5216	WMIC.exe
Token: 34	5216	WMIC.exe
Token: 35	5216	WMIC.exe
Token: 36	5216	WMIC.exe
Token: SeBackupPrivilege	4996	vssvc.exe
Token: SeRestorePrivilege	4996	vssvc.exe
Token: SeAuditPrivilege	4996	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5492	WMIC.exe
Token: SeSecurityPrivilege	5492	WMIC.exe
Token: SeTakeOwnershipPrivilege	5492	WMIC.exe
Token: SeLoadDriverPrivilege	5492	WMIC.exe
Token: SeSystemProfilePrivilege	5492	WMIC.exe
Token: SeSystemtimePrivilege	5492	WMIC.exe
Token: SeProfSingleProcessPrivilege	5492	WMIC.exe
Token: SeIncBasePriorityPrivilege	5492	WMIC.exe
Token: SeCreatePagefilePrivilege	5492	WMIC.exe
Token: SeBackupPrivilege	5492	WMIC.exe
Token: SeRestorePrivilege	5492	WMIC.exe
Token: SeShutdownPrivilege	5492	WMIC.exe
Token: SeDebugPrivilege	5492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5492	WMIC.exe
Token: SeRemoteShutdownPrivilege	5492	WMIC.exe
Token: SeUndockPrivilege	5492	WMIC.exe
Token: SeManageVolumePrivilege	5492	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exeaghhysmkaljl.exemsedge.exe

description	pid	Process	procid_target
PID 2996 wrote to memory of 2416	2996	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	87
PID 2996 wrote to memory of 2416	2996	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	87
PID 2996 wrote to memory of 2416	2996	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	87
PID 2996 wrote to memory of 1620	2996	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	88
PID 2996 wrote to memory of 1620	2996	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	88
PID 2996 wrote to memory of 1620	2996	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	88
PID 2416 wrote to memory of 5216	2416	aghhysmkaljl.exe	90
PID 2416 wrote to memory of 5216	2416	aghhysmkaljl.exe	90
PID 2416 wrote to memory of 4400	2416	aghhysmkaljl.exe	112
PID 2416 wrote to memory of 4400	2416	aghhysmkaljl.exe	112
PID 2416 wrote to memory of 4400	2416	aghhysmkaljl.exe	112
PID 2416 wrote to memory of 4684	2416	aghhysmkaljl.exe	113
PID 2416 wrote to memory of 4684	2416	aghhysmkaljl.exe	113
PID 4684 wrote to memory of 1388	4684	msedge.exe	114
PID 4684 wrote to memory of 1388	4684	msedge.exe	114
PID 2416 wrote to memory of 5492	2416	aghhysmkaljl.exe	115
PID 2416 wrote to memory of 5492	2416	aghhysmkaljl.exe	115
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 5784	4684	msedge.exe	117
PID 4684 wrote to memory of 4660	4684	msedge.exe	118
PID 4684 wrote to memory of 4660	4684	msedge.exe	118
PID 4684 wrote to memory of 1596	4684	msedge.exe	119
PID 4684 wrote to memory of 1596	4684	msedge.exe	119
PID 4684 wrote to memory of 1596	4684	msedge.exe	119
PID 4684 wrote to memory of 1596	4684	msedge.exe	119
PID 4684 wrote to memory of 1596	4684	msedge.exe	119

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

aghhysmkaljl.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aghhysmkaljl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	aghhysmkaljl.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\aghhysmkaljl.exe
  C:\Windows\aghhysmkaljl.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2416
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5216
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa02d446f8,0x7ffa02d44708,0x7ffa02d44718
      4⤵
      PID:1388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11554327912860136841,6474162305791801601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      4⤵
      PID:5784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,11554327912860136841,6474162305791801601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      PID:4660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,11554327912860136841,6474162305791801601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
      4⤵
      PID:1596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11554327912860136841,6474162305791801601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
      4⤵
      PID:3380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11554327912860136841,6474162305791801601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      PID:5496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11554327912860136841,6474162305791801601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
      4⤵
      PID:5172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11554327912860136841,6474162305791801601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
      4⤵
      PID:4404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11554327912860136841,6474162305791801601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
      4⤵
      PID:3844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11554327912860136841,6474162305791801601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
      4⤵
      PID:3744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11554327912860136841,6474162305791801601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
      4⤵
      PID:1552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11554327912860136841,6474162305791801601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
      4⤵
      PID:5004
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\AGHHYS~1.EXE
    3⤵
    PID:4968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6CD9B2~1.EXE
  2⤵
  PID:1620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+vuape.html

Filesize
11KB

MD5
3a7a107d3fbece2470aa3630a2e7840b

SHA1
c916564ae2775406fcf798d56f5598e1db725542

SHA256
8ba5ad25057228f01fe96f286396ae6ad6fbff92a30f41ad92a8ad5877b0d0fb

SHA512
798b828f6ce9494bd4be93d2b311c2db03a19ad7daf85be084865c203050683fb14da9c4937239a8c2b9be7ef794c99813a2aa51e6c540f9b7285cd74f573a31

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+vuape.png

Filesize
63KB

MD5
c238d053e62ef40ef1162039d7987b9e

SHA1
6bc42cc291c27940411c5cc53aa31d0500f882a0

SHA256
efb5407ee6136bb1812cda8c2fb204be2c306b58811957ff2f5b330c5594d971

SHA512
27669df72c37ce2302b025f0888074ead232ee11c016b733b1821b40a14941ea1f5eae48f5464d5a99eec122360dc122e4b0e278988883a24b8f30d1c87bd80b

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+vuape.txt

Filesize
1KB

MD5
6eb8f47186be999bad0dfd40395418c3

SHA1
b2b51ec404d1a3ed9ff3b5ec6f71ac97390b4f91

SHA256
f2101b4157b38ee97ace2a0754aa5a4bec9a9cf092d165f39b3d06dea708b698

SHA512
2d17efacd0e8cd109083694a789605b3fb09875fb0e9e9c90177345a83db68efbcb2c6577ab83662ec8a5e6eafeb94add70fca2b2e36e9aa455d632bc4f32c2a

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
9a507391f2686afb935502e2ac6b97b2

SHA1
5dae213204169d48d6dedf1227bf66f60d7abbb0

SHA256
8ca060910adb6c8549e390ca147c69e195b2ce1e8a52ed598910a2dac1383d15

SHA512
e2e815f4f54b9dcdb680501c8d68b5577a8959392064a9b15d4d0de5ef719a93340636b5ea7a73381830c85a17105b765d0393b06c5a77b4eede5ba8146b657b

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
4cd3a82492779331b12aa48ca75015a1

SHA1
6f1a354a62350f2ec10e682139f3af330f4696b7

SHA256
f34421808b8e5e53d837a1f2183212a094f54355bf1bccdcf666b9ac1349d120

SHA512
0a6590526cb1ca60229b6f9125c182d1aa2db8ec91cb41d61f1aa5d9185b09fa2f4ad504988b4952b8d4fd0f2b5b5bbdddebe38c96adf0009b053d9f7fa27f01

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
3ce04fd4849d7b0c374568f37783b405

SHA1
a6d80d441eca34ee250b14470f586323107f5aef

SHA256
d614b76ac19bcb0a5b2b0ffae7ec50ba021c9309ec2fb050b4dc636e6a37cf27

SHA512
986dd9d8a92ff9b631e181e560929a5e5febb35e95ec7feae1156681cbbabdad1050fe37db9b4a1d6716bf3830128ffda372719f3e84ce2fe4675750a622e90f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
799cd66fb562f76d86aaf19453832fca

SHA1
e7be743fc76bd768c48acc0d096c30f98609cf3c

SHA256
b74cfbb075158696ce099509e88d35b3c16325181f41674a4c76b3624da6dfb7

SHA512
8bcf4e8f6196a5c0efe26d9f5ca5dc78eb3630546ff7d0cabff4d4dd5627eb6e4060e020591e6d36cb0d5e1f1faa3c51c8847fe1896c9de496490ad6056e581f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7f1aedb44327e4b7e2c5909c0a1137fd

SHA1
5eaa280c4351b632bbc56092e13c8d0742cd3d26

SHA256
53964a0e5e1e270c916f124c4d61fe81b699e422be256ec876ee143a24254a1a

SHA512
145c28c492c2dd5fbdb0725c95bed921b8382631fe13ae29447b55fbe5c61c22988330cb3e32820aa2570c322894e39900b891ea1808550670fc9e40ab210629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c752598217e163c4b9b325c37ab9e845

SHA1
ce3cd08664aa5bd9b92abd25e92bb85130e80403

SHA256
c6eb1f2cdc90dbdbad7b1b4a8f96e19fc8b648d6d1931eb954a2734059415dcf

SHA512
72765b05569a23b2ced2a88c0d5f2737a25a90bfbe0972de41bc5f178d2e09c24eb5a4d8b37ea82999208ce6fa4c33f54239aacde2a7d1ff6993da64396c5e96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449526171674.txt

Filesize
75KB

MD5
f44080782f5bfa24e2a7dbcd8ecd7614

SHA1
eb751cf47f7b4053b0b12d882dba8121ad9362fc

SHA256
72421d89b28e3592fc9f26fd975da69d7d58da46e8197a7423850896c2e03650

SHA512
6eae6fd5df7618677fc439e983316cbbbf9cd5f3bd503756249fa79dc9050aad1aaab47a215c0c2b7f22a6caa0aba118776e77962ead6c177553f71c72615afe

Download Submit
C:\Windows\aghhysmkaljl.exe

Filesize
340KB

MD5
6cd9b22cd6b3ac432bf8690eba4d5348

SHA1
c4983823c3e53ce2eed20939b7c2b2e098fff7b9

SHA256
0c3627d59f3087a2b3a83b4446eb4446b662c2351f52db9cc0729dda9bcdee43

SHA512
9227b3543c6a79d714bc81a5b16b55a7ec63e4691f31d6fb68416ad2c3473a97ef827189eea10d7d05ec7bb4b957cf3ad677aecbc1e654ddcc9e90be5f2cabce

Download Submit
\??\pipe\LOCAL\crashpad_4684_QYKHDDJSMTNUDHUJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2416-10346-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2416-8143-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2416-5604-0x0000000002170000-0x00000000021F6000-memory.dmp

Filesize
536KB

Download
memory/2416-4685-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2416-2199-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2416-10392-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2416-10407-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2416-12-0x0000000002170000-0x00000000021F6000-memory.dmp

Filesize
536KB

Download
memory/2996-13-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2996-0-0x0000000002270000-0x00000000022F6000-memory.dmp

Filesize
536KB

Download
memory/2996-1-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2996-14-0x0000000002270000-0x00000000022F6000-memory.dmp

Filesize
536KB

Download