teslacrypt | dfd96eb0d24ab0e64e6e2078eca2ae8e969295be95b0862456371f79a22333a2

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_e7f147af11b3494756d8c07149de56c5.exe
Size

352KB
MD5

e7f147af11b3494756d8c07149de56c5
SHA1

c3b7a6a4b77eebaef88b1f874317d55783c10e82
SHA256

dfd96eb0d24ab0e64e6e2078eca2ae8e969295be95b0862456371f79a22333a2
SHA512

a0dd11b4c085c3642ec109ae33ded492db4f0e73c42bdb45e42bfe8243ad7b770362cfa966d45bdd90579f34e70ed595340d6b65379fd69e65c19c9ec2180027
SSDEEP

6144:oMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:oTb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+euyic.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/166B66C48E59E788 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/166B66C48E59E788 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/166B66C48E59E788 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/166B66C48E59E788 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/166B66C48E59E788 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/166B66C48E59E788 http://yyre45dbvn2nhbefbmh.begumvelic.at/166B66C48E59E788 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/166B66C48E59E788

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/166B66C48E59E788

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/166B66C48E59E788

http://yyre45dbvn2nhbefbmh.begumvelic.at/166B66C48E59E788

http://xlowfznrg4wf7dli.ONION/166B66C48E59E788

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (882) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	VirusShare_e7f147af11b3494756d8c07149de56c5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ltnjvebldgpl.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+euyic.png	ltnjvebldgpl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+euyic.html	ltnjvebldgpl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+euyic.png	ltnjvebldgpl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+euyic.html	ltnjvebldgpl.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	ltnjvebldgpl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hosvyke = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\ltnjvebldgpl.exe"	ltnjvebldgpl.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_ReCoVeRy_+euyic.html	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+euyic.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-white\OfflineError.svg	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\_ReCoVeRy_+euyic.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\_ReCoVeRy_+euyic.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_ReCoVeRy_+euyic.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-256.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\THMBNAIL.PNG	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_ReCoVeRy_+euyic.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Google\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\WinMetadata\_ReCoVeRy_+euyic.html	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-64.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-unplated_contrast-white.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125_contrast-black.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-400.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-colorize.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+euyic.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+euyic.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-100.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d5.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\_ReCoVeRy_+euyic.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-150.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-400.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-200_contrast-white.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-32_contrast-black.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+euyic.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Message_Sent.m4a	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+euyic.html	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200_contrast-white.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-100_contrast-black.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg3.jpg	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-400.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-white.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\_ReCoVeRy_+euyic.html	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-100_contrast-black.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.map	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileSmallSquare.scale-200.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+euyic.html	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-100_contrast-white.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Marble.jpg	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+euyic.html	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-200.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+euyic.html	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\_ReCoVeRy_+euyic.txt	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	ltnjvebldgpl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\LargeTile.scale-200.png	ltnjvebldgpl.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ltnjvebldgpl.exe	VirusShare_e7f147af11b3494756d8c07149de56c5.exe
File opened for modification	C:\Windows\ltnjvebldgpl.exe	VirusShare_e7f147af11b3494756d8c07149de56c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	ltnjvebldgpl.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3952	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe
2704	ltnjvebldgpl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	VirusShare_e7f147af11b3494756d8c07149de56c5.exe
Token: SeDebugPrivilege	2704	ltnjvebldgpl.exe
Token: SeIncreaseQuotaPrivilege	4800	WMIC.exe
Token: SeSecurityPrivilege	4800	WMIC.exe
Token: SeTakeOwnershipPrivilege	4800	WMIC.exe
Token: SeLoadDriverPrivilege	4800	WMIC.exe
Token: SeSystemProfilePrivilege	4800	WMIC.exe
Token: SeSystemtimePrivilege	4800	WMIC.exe
Token: SeProfSingleProcessPrivilege	4800	WMIC.exe
Token: SeIncBasePriorityPrivilege	4800	WMIC.exe
Token: SeCreatePagefilePrivilege	4800	WMIC.exe
Token: SeBackupPrivilege	4800	WMIC.exe
Token: SeRestorePrivilege	4800	WMIC.exe
Token: SeShutdownPrivilege	4800	WMIC.exe
Token: SeDebugPrivilege	4800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4800	WMIC.exe
Token: SeRemoteShutdownPrivilege	4800	WMIC.exe
Token: SeUndockPrivilege	4800	WMIC.exe
Token: SeManageVolumePrivilege	4800	WMIC.exe
Token: 33	4800	WMIC.exe
Token: 34	4800	WMIC.exe
Token: 35	4800	WMIC.exe
Token: 36	4800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4800	WMIC.exe
Token: SeSecurityPrivilege	4800	WMIC.exe
Token: SeTakeOwnershipPrivilege	4800	WMIC.exe
Token: SeLoadDriverPrivilege	4800	WMIC.exe
Token: SeSystemProfilePrivilege	4800	WMIC.exe
Token: SeSystemtimePrivilege	4800	WMIC.exe
Token: SeProfSingleProcessPrivilege	4800	WMIC.exe
Token: SeIncBasePriorityPrivilege	4800	WMIC.exe
Token: SeCreatePagefilePrivilege	4800	WMIC.exe
Token: SeBackupPrivilege	4800	WMIC.exe
Token: SeRestorePrivilege	4800	WMIC.exe
Token: SeShutdownPrivilege	4800	WMIC.exe
Token: SeDebugPrivilege	4800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4800	WMIC.exe
Token: SeRemoteShutdownPrivilege	4800	WMIC.exe
Token: SeUndockPrivilege	4800	WMIC.exe
Token: SeManageVolumePrivilege	4800	WMIC.exe
Token: 33	4800	WMIC.exe
Token: 34	4800	WMIC.exe
Token: 35	4800	WMIC.exe
Token: 36	4800	WMIC.exe
Token: SeBackupPrivilege	5012	vssvc.exe
Token: SeRestorePrivilege	5012	vssvc.exe
Token: SeAuditPrivilege	5012	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1756	WMIC.exe
Token: SeSecurityPrivilege	1756	WMIC.exe
Token: SeTakeOwnershipPrivilege	1756	WMIC.exe
Token: SeLoadDriverPrivilege	1756	WMIC.exe
Token: SeSystemProfilePrivilege	1756	WMIC.exe
Token: SeSystemtimePrivilege	1756	WMIC.exe
Token: SeProfSingleProcessPrivilege	1756	WMIC.exe
Token: SeIncBasePriorityPrivilege	1756	WMIC.exe
Token: SeCreatePagefilePrivilege	1756	WMIC.exe
Token: SeBackupPrivilege	1756	WMIC.exe
Token: SeRestorePrivilege	1756	WMIC.exe
Token: SeShutdownPrivilege	1756	WMIC.exe
Token: SeDebugPrivilege	1756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1756	WMIC.exe
Token: SeRemoteShutdownPrivilege	1756	WMIC.exe
Token: SeUndockPrivilege	1756	WMIC.exe
Token: SeManageVolumePrivilege	1756	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 2704	4292	VirusShare_e7f147af11b3494756d8c07149de56c5.exe	86
PID 4292 wrote to memory of 2704	4292	VirusShare_e7f147af11b3494756d8c07149de56c5.exe	86
PID 4292 wrote to memory of 2704	4292	VirusShare_e7f147af11b3494756d8c07149de56c5.exe	86
PID 4292 wrote to memory of 944	4292	VirusShare_e7f147af11b3494756d8c07149de56c5.exe	87
PID 4292 wrote to memory of 944	4292	VirusShare_e7f147af11b3494756d8c07149de56c5.exe	87
PID 4292 wrote to memory of 944	4292	VirusShare_e7f147af11b3494756d8c07149de56c5.exe	87
PID 2704 wrote to memory of 4800	2704	ltnjvebldgpl.exe	89
PID 2704 wrote to memory of 4800	2704	ltnjvebldgpl.exe	89
PID 2704 wrote to memory of 3952	2704	ltnjvebldgpl.exe	102
PID 2704 wrote to memory of 3952	2704	ltnjvebldgpl.exe	102
PID 2704 wrote to memory of 3952	2704	ltnjvebldgpl.exe	102
PID 2704 wrote to memory of 2472	2704	ltnjvebldgpl.exe	103
PID 2704 wrote to memory of 2472	2704	ltnjvebldgpl.exe	103
PID 2472 wrote to memory of 4240	2472	msedge.exe	104
PID 2472 wrote to memory of 4240	2472	msedge.exe	104
PID 2704 wrote to memory of 1756	2704	ltnjvebldgpl.exe	105
PID 2704 wrote to memory of 1756	2704	ltnjvebldgpl.exe	105
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1220	2472	msedge.exe	107
PID 2472 wrote to memory of 1960	2472	msedge.exe	108
PID 2472 wrote to memory of 1960	2472	msedge.exe	108
PID 2472 wrote to memory of 2276	2472	msedge.exe	109
PID 2472 wrote to memory of 2276	2472	msedge.exe	109
PID 2472 wrote to memory of 2276	2472	msedge.exe	109
PID 2472 wrote to memory of 2276	2472	msedge.exe	109
PID 2472 wrote to memory of 2276	2472	msedge.exe	109

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ltnjvebldgpl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ltnjvebldgpl.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_e7f147af11b3494756d8c07149de56c5.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_e7f147af11b3494756d8c07149de56c5.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\ltnjvebldgpl.exe
  C:\Windows\ltnjvebldgpl.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2704
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9008446f8,0x7ff900844708,0x7ff900844718
      4⤵
      PID:4240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,1455703389732680009,8669680359200881283,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
      4⤵
      PID:1220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,1455703389732680009,8669680359200881283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
      4⤵
      PID:1960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,1455703389732680009,8669680359200881283,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8
      4⤵
      PID:2276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1455703389732680009,8669680359200881283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      PID:4564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1455703389732680009,8669680359200881283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,1455703389732680009,8669680359200881283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:1008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,1455703389732680009,8669680359200881283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1455703389732680009,8669680359200881283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
      4⤵
      PID:4068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1455703389732680009,8669680359200881283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
      4⤵
      PID:2692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1455703389732680009,8669680359200881283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
      4⤵
      PID:3760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1455703389732680009,8669680359200881283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
      4⤵
      PID:4784
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LTNJVE~1.EXE
    3⤵
    PID:3576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+euyic.html

Filesize
12KB

MD5
5064b87e729de7cb88c83eba2c105fd9

SHA1
460de98d98482f883dffdb8507cb1a543a1cca0a

SHA256
a987c40a26748a9be051987f86a087ee3c0f34cb1567aaa65eb9df5d61c422f4

SHA512
f5bbab17d624a8bd61546b299e08e932366202852de699194c4dbb980674c8a544cc2bdc5152c561ebca50da8a0af006c0e96b62197dbedb79463f288c254b16

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+euyic.png

Filesize
64KB

MD5
2bf5ac6bda36cd2fe3a859d48096bdac

SHA1
ced6e8afd25d48d4d472d3a3c2f3ee7aad33935c

SHA256
056c3048c167a5e654f9d7565a13c6e9b97cd12dfb1fe8731da21181de7972f7

SHA512
5969b2dc1af357fcb1ef18dc14713f3ccd0dcc10cf6f0da0bbb21944edb6cf3eaf3f00905e2f0db1827c69d7f01e478898c46fabe834d420c2f0122dee53e04f

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+euyic.txt

Filesize
1KB

MD5
d7e6a1e427eda20c918049210c960a20

SHA1
799869aac1b56a32df70a8b5dbbc99a73abccc5d

SHA256
3deaf049d483fbba4edf932a49ecbadf6a921705e76da05e6ab66606efe14931

SHA512
c7ad5ade8dd663d72e728169e04c62b98d58c7c020a68004a64a246e8e94441547bf7e65c9766fc4e5d445e10c0a454f0636cd7ca85afb18db2043e820d431b3

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
948a3be0caaf15214c9fbe6e44787637

SHA1
7230909796370614b253ffae56dfa11b19325f7a

SHA256
b9fb4b43b77df429a5c591175cf37b99b9bb8224bb132f900e04cd6e9561ac1d

SHA512
39c81283b24a1da949822aa138d6c7c800558831930c65562a39f19c895a3ae0d9d9c3f3f2d65578c3c377d6e523841fa56445592846831b74a9ee8d2bf34e74

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
2ac3ea18c07b6b1530498287e7529f75

SHA1
81affe2a5080922927cab106b4418abbbe91a071

SHA256
7c1de82bd340a332fe9bc9d94a1618dce9b09b91e0c2d7694d316e3dcb0aafc5

SHA512
ed2b00598f90a2b9e0b912012f1a733a2b9d50eace59710e20bb1a6e73699d5ad091a603ad37e5d4228228f4c933c900ede25071cb54a1832b2500eacac584a6

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
5071a162b8c05e318b578920a2ea87bb

SHA1
0ecc86dc4e9f1aa400ae5b8deb4cef57975a3e73

SHA256
4b58e553bd830be867afa9439172d43afbb72d2b939e7cd8dad69b4258f745c0

SHA512
050d364ed66ae8f66c26b7a88f3fe5294b61fe783cb4962b3b009a52f016a0fdbbfb1c8d2a163b05ce182225743d4834b3371c2aba10bc5a5b144aed470da9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c1fc17393b25ecc692fd3cdde33f1a44

SHA1
902a74e9290a5058ac6059c08d787c4805032a61

SHA256
92cf93f1370897442fb96ab1c9625df71dd07f1ae8ee69779683aa628c4c11e8

SHA512
c8e29c0ad9b464e23792ed0eeeca6f64e433756a81e996c807ced7ceb078e29349709cf97b581f5e7390801092531bfe5e1d9173d838b4de1ed5672131066afe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
07f888445bd9238736fa66875c881174

SHA1
23c0cd112724edca36e9007ac984f6acf77f144c

SHA256
4885ecc00f67e48416862599b7de49ba73c30fac1b5b0fa2eff768a8acfb3884

SHA512
d5d88ee3d0a23add3bb7f68bc74b030aa550a5db619e5ba65bebe51a5ae70dbe6d94284bd2783862eca89dc1af240be455134365a51b5c8993c0e27dcf0cf892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e1c7ad0a042225e6315604d15d3311d1

SHA1
437457c6b624ca0dd1d637d7ce13c3d61d3a0522

SHA256
7cc5a3d6bdbbe931629f1d8710244b1ff26a7be44d1f005d3fbe9432c7c72574

SHA512
4627544c77f46e23fe8effa026e7cea04eb772676017c4dc4e943f567bffd29742e958625a69df30f8d5c499da35926ebb823dd6f20e65198ba5ff2b4a9c68c8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586109347538582.txt

Filesize
75KB

MD5
61eaf397db73149ba1ebb517ac4ee4fe

SHA1
7c38a5c43ab75f0a8e714c8330e093a32eb28c62

SHA256
3ed9f31a857a6987acd04b87829ca14e406a2928e5115c05200bc0d2f7ce6d6f

SHA512
a325dcc5016a0eeeb8d01b30acb3333879e436f820ddb0c2bbd099a1d27376546e04fcddee241587bda8826512b01ac43ad651b8d2c00bed0cb058fa956932e8

Download Submit
C:\Windows\ltnjvebldgpl.exe

Filesize
352KB

MD5
e7f147af11b3494756d8c07149de56c5

SHA1
c3b7a6a4b77eebaef88b1f874317d55783c10e82

SHA256
dfd96eb0d24ab0e64e6e2078eca2ae8e969295be95b0862456371f79a22333a2

SHA512
a0dd11b4c085c3642ec109ae33ded492db4f0e73c42bdb45e42bfe8243ad7b770362cfa966d45bdd90579f34e70ed595340d6b65379fd69e65c19c9ec2180027

Download Submit
memory/2704-2590-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2704-8596-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2704-10409-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2704-5172-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2704-14-0x0000000002140000-0x00000000021C6000-memory.dmp

Filesize
536KB

Download
memory/2704-10453-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2704-6038-0x0000000002140000-0x00000000021C6000-memory.dmp

Filesize
536KB

Download
memory/4292-1-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4292-0-0x0000000002190000-0x0000000002216000-memory.dmp

Filesize
536KB

Download
memory/4292-10-0x0000000002190000-0x0000000002216000-memory.dmp

Filesize
536KB

Download
memory/4292-9-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download