teslacrypt | e37b974823a5def88d1b8857cbe4262ed60d59a7ef7b6854e407d6a2dc8cdc68

Analysis

max time kernel
139s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_e5e83d8209a8e06089d70e65901b7481.exe
Size

328KB
MD5

e5e83d8209a8e06089d70e65901b7481
SHA1

dba4cc12a51f6ab845673de37756d2b3f31825e6
SHA256

e37b974823a5def88d1b8857cbe4262ed60d59a7ef7b6854e407d6a2dc8cdc68
SHA512

63b61ab3d5d26aaa318ae36a29dfc2107deedd6b340c54abbeec40b9598a5d6ea1743bdd6c320dddcbafcea5820b2620e4b0b9bfc4d5a45a8808c09b148503b2
SSDEEP

6144:EEKwa30luX+sChrlTxO9M4wt8lfJBXfvUmaeyfXMx3/mQ6YroqS8j6M54IaHSJ7+:jK8luX+ssxTI9WkxxvPWUpeG/+bIn70

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+cgeyu.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F9C62C89B917E6F 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F9C62C89B917E6F 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/F9C62C89B917E6F If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/F9C62C89B917E6F 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F9C62C89B917E6F http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F9C62C89B917E6F http://yyre45dbvn2nhbefbmh.begumvelic.at/F9C62C89B917E6F Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/F9C62C89B917E6F

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F9C62C89B917E6F

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F9C62C89B917E6F

http://yyre45dbvn2nhbefbmh.begumvelic.at/F9C62C89B917E6F

http://xlowfznrg4wf7dli.ONION/F9C62C89B917E6F

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	VirusShare_e5e83d8209a8e06089d70e65901b7481.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	gnxdrngpxgqu.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+cgeyu.png	gnxdrngpxgqu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+cgeyu.txt	gnxdrngpxgqu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cgeyu.png	gnxdrngpxgqu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cgeyu.txt	gnxdrngpxgqu.exe

Executes dropped EXE 1 IoCs

pid	Process
628	gnxdrngpxgqu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inpfjri = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\gnxdrngpxgqu.exe"	gnxdrngpxgqu.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\AgentPlaceholder.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-125.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_ReCoVeRy_+cgeyu.txt	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-100.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-125_contrast-white.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sv-SE\View3d\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-400.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\_ReCoVeRy_+cgeyu.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\_ReCoVeRy_+cgeyu.txt	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-125.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-200.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\_ReCoVeRy_+cgeyu.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-lightunplated.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\_ReCoVeRy_+cgeyu.txt	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Star.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-white_scale-125.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-150.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-36.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\_ReCoVeRy_+cgeyu.txt	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\12.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\styles\_ReCoVeRy_+cgeyu.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_ReCoVeRy_+cgeyu.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\main.js	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_altform-unplated_contrast-white.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\SmallTile.scale-100.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\_ReCoVeRy_+cgeyu.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notification-checkbox.css	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-100.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-36.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40_altform-unplated_contrast-white.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-200.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_contrast-white.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-36_altform-unplated.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\_ReCoVeRy_+cgeyu.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-125.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_ReCoVeRy_+cgeyu.txt	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-100_contrast-black.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ta-IN\_ReCoVeRy_+cgeyu.txt	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-125.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60_altform-lightunplated.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_ReCoVeRy_+cgeyu.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+cgeyu.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\1.jpg	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-64.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\guest.png	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\_ReCoVeRy_+cgeyu.txt	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\_ReCoVeRy_+cgeyu.html	gnxdrngpxgqu.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_ReCoVeRy_+cgeyu.png	gnxdrngpxgqu.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\gnxdrngpxgqu.exe	VirusShare_e5e83d8209a8e06089d70e65901b7481.exe
File opened for modification	C:\Windows\gnxdrngpxgqu.exe	VirusShare_e5e83d8209a8e06089d70e65901b7481.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	gnxdrngpxgqu.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
220	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe
628	gnxdrngpxgqu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	VirusShare_e5e83d8209a8e06089d70e65901b7481.exe
Token: SeDebugPrivilege	628	gnxdrngpxgqu.exe
Token: SeIncreaseQuotaPrivilege	2324	WMIC.exe
Token: SeSecurityPrivilege	2324	WMIC.exe
Token: SeTakeOwnershipPrivilege	2324	WMIC.exe
Token: SeLoadDriverPrivilege	2324	WMIC.exe
Token: SeSystemProfilePrivilege	2324	WMIC.exe
Token: SeSystemtimePrivilege	2324	WMIC.exe
Token: SeProfSingleProcessPrivilege	2324	WMIC.exe
Token: SeIncBasePriorityPrivilege	2324	WMIC.exe
Token: SeCreatePagefilePrivilege	2324	WMIC.exe
Token: SeBackupPrivilege	2324	WMIC.exe
Token: SeRestorePrivilege	2324	WMIC.exe
Token: SeShutdownPrivilege	2324	WMIC.exe
Token: SeDebugPrivilege	2324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2324	WMIC.exe
Token: SeRemoteShutdownPrivilege	2324	WMIC.exe
Token: SeUndockPrivilege	2324	WMIC.exe
Token: SeManageVolumePrivilege	2324	WMIC.exe
Token: 33	2324	WMIC.exe
Token: 34	2324	WMIC.exe
Token: 35	2324	WMIC.exe
Token: 36	2324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2324	WMIC.exe
Token: SeSecurityPrivilege	2324	WMIC.exe
Token: SeTakeOwnershipPrivilege	2324	WMIC.exe
Token: SeLoadDriverPrivilege	2324	WMIC.exe
Token: SeSystemProfilePrivilege	2324	WMIC.exe
Token: SeSystemtimePrivilege	2324	WMIC.exe
Token: SeProfSingleProcessPrivilege	2324	WMIC.exe
Token: SeIncBasePriorityPrivilege	2324	WMIC.exe
Token: SeCreatePagefilePrivilege	2324	WMIC.exe
Token: SeBackupPrivilege	2324	WMIC.exe
Token: SeRestorePrivilege	2324	WMIC.exe
Token: SeShutdownPrivilege	2324	WMIC.exe
Token: SeDebugPrivilege	2324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2324	WMIC.exe
Token: SeRemoteShutdownPrivilege	2324	WMIC.exe
Token: SeUndockPrivilege	2324	WMIC.exe
Token: SeManageVolumePrivilege	2324	WMIC.exe
Token: 33	2324	WMIC.exe
Token: 34	2324	WMIC.exe
Token: 35	2324	WMIC.exe
Token: 36	2324	WMIC.exe
Token: SeBackupPrivilege	5084	vssvc.exe
Token: SeRestorePrivilege	5084	vssvc.exe
Token: SeAuditPrivilege	5084	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1980	WMIC.exe
Token: SeSecurityPrivilege	1980	WMIC.exe
Token: SeTakeOwnershipPrivilege	1980	WMIC.exe
Token: SeLoadDriverPrivilege	1980	WMIC.exe
Token: SeSystemProfilePrivilege	1980	WMIC.exe
Token: SeSystemtimePrivilege	1980	WMIC.exe
Token: SeProfSingleProcessPrivilege	1980	WMIC.exe
Token: SeIncBasePriorityPrivilege	1980	WMIC.exe
Token: SeCreatePagefilePrivilege	1980	WMIC.exe
Token: SeBackupPrivilege	1980	WMIC.exe
Token: SeRestorePrivilege	1980	WMIC.exe
Token: SeShutdownPrivilege	1980	WMIC.exe
Token: SeDebugPrivilege	1980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1980	WMIC.exe
Token: SeRemoteShutdownPrivilege	1980	WMIC.exe
Token: SeUndockPrivilege	1980	WMIC.exe
Token: SeManageVolumePrivilege	1980	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 628	1640	VirusShare_e5e83d8209a8e06089d70e65901b7481.exe	86
PID 1640 wrote to memory of 628	1640	VirusShare_e5e83d8209a8e06089d70e65901b7481.exe	86
PID 1640 wrote to memory of 628	1640	VirusShare_e5e83d8209a8e06089d70e65901b7481.exe	86
PID 1640 wrote to memory of 2812	1640	VirusShare_e5e83d8209a8e06089d70e65901b7481.exe	88
PID 1640 wrote to memory of 2812	1640	VirusShare_e5e83d8209a8e06089d70e65901b7481.exe	88
PID 1640 wrote to memory of 2812	1640	VirusShare_e5e83d8209a8e06089d70e65901b7481.exe	88
PID 628 wrote to memory of 2324	628	gnxdrngpxgqu.exe	90
PID 628 wrote to memory of 2324	628	gnxdrngpxgqu.exe	90
PID 628 wrote to memory of 220	628	gnxdrngpxgqu.exe	103
PID 628 wrote to memory of 220	628	gnxdrngpxgqu.exe	103
PID 628 wrote to memory of 220	628	gnxdrngpxgqu.exe	103
PID 628 wrote to memory of 8	628	gnxdrngpxgqu.exe	104
PID 628 wrote to memory of 8	628	gnxdrngpxgqu.exe	104
PID 8 wrote to memory of 2584	8	msedge.exe	105
PID 8 wrote to memory of 2584	8	msedge.exe	105
PID 628 wrote to memory of 1980	628	gnxdrngpxgqu.exe	106
PID 628 wrote to memory of 1980	628	gnxdrngpxgqu.exe	106
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 4204	8	msedge.exe	108
PID 8 wrote to memory of 1948	8	msedge.exe	109
PID 8 wrote to memory of 1948	8	msedge.exe	109
PID 8 wrote to memory of 4144	8	msedge.exe	110
PID 8 wrote to memory of 4144	8	msedge.exe	110
PID 8 wrote to memory of 4144	8	msedge.exe	110
PID 8 wrote to memory of 4144	8	msedge.exe	110
PID 8 wrote to memory of 4144	8	msedge.exe	110

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gnxdrngpxgqu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gnxdrngpxgqu.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_e5e83d8209a8e06089d70e65901b7481.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_e5e83d8209a8e06089d70e65901b7481.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\gnxdrngpxgqu.exe
  C:\Windows\gnxdrngpxgqu.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:628
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb570546f8,0x7ffb57054708,0x7ffb57054718
      4⤵
      PID:2584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,3726729354297097085,1422498835502145863,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
      4⤵
      PID:4204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,3726729354297097085,1422498835502145863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      PID:1948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,3726729354297097085,1422498835502145863,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
      4⤵
      PID:4144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3726729354297097085,1422498835502145863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      PID:1304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3726729354297097085,1422498835502145863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,3726729354297097085,1422498835502145863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
      4⤵
      PID:640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,3726729354297097085,1422498835502145863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
      4⤵
      PID:4476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3726729354297097085,1422498835502145863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
      4⤵
      PID:4868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3726729354297097085,1422498835502145863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
      4⤵
      PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3726729354297097085,1422498835502145863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
      4⤵
      PID:3660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3726729354297097085,1422498835502145863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:4696
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GNXDRN~1.EXE
    3⤵
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:2812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+cgeyu.html

Filesize
12KB

MD5
997c835b63aba2a32abfac24ed1139e3

SHA1
e92af0f7bc985d41023b96e732898d522bab6cea

SHA256
9dbb898c47f546d03dd474b9b5eacd0e8a0fbee434c4be3f7d09a19839e7aad4

SHA512
81304e41a3ffc28a5e41679566cca9a13e00d2af31d2b488b681604461096ba8764c2d3c3129817d98ada4a000479525ba6ec37e0c6e6f6a2bfd9842af4659e5

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+cgeyu.png

Filesize
64KB

MD5
d32077641b4ec91086406c0f43026849

SHA1
ca24017ca453eed4f2fccdf643d343bff79d9b82

SHA256
73c1e4eebf1a4e62313244085a243e5d7ceeb81f875b26e2b45c328efd7d345d

SHA512
0bea3de11c82395a6ca0952051ae74eea11d8631f1f244d374ed0978168ee99591d3218684489b830d24dc50b2db01107d35d056416eec5f9061e380e9b94960

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+cgeyu.txt

Filesize
1KB

MD5
c17ae64d3fe66f42bdd061f08ee08f93

SHA1
63df0a6b8b11f6e81c72c246a8fd950c224f4551

SHA256
7e2644b9076774212f85eca8a2a7ffa875e5b7c0a4242aa7070112a875cddec8

SHA512
8f8b3f0da48cd3b9f1b8945cc713368fee617e5843b305b3646c18b5169f701add3b2de5de0ea1e6f1600512aae58a9eeb6a06efffade87f586e195c1f142243

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
7bc69982e607f6c1599975cdcfbfc7c1

SHA1
39eeeee191ae5e4af6c7fb28cd4b154d99751769

SHA256
6adf15d18b1251227507af1acf71491246ec5df7ec2ab41f89eb79447f270938

SHA512
8b7b431db440651bf2714997630606e93406532e771c80ade82234de44c0fe6975cf35c9fb40609d75d15997a306e4c1197d30f08ef054b41550132e70ba5c1d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
3b200134f4230c0d51255b1890d4f6dc

SHA1
4be619fa9d1ccfbdaa13645660056d1359600c5c

SHA256
95467bbc34b37bddd9a179dfb2609f2d2059c18e2361bd33d91b55d3e78b12f9

SHA512
dd7951e6b2b9b0491c0e310b4418d81cb605ba28391dd4e98ca67bb901b07ee59a39d9d2ef309b18e0d4aabd90a38aefa44930360820616050115e48c0073221

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
a2662d351a2cd853fe55da014063f6f6

SHA1
4441fd55ed3846e808a7a8f4445495fd58fb0a84

SHA256
c6a80d26115e1d61b6578e10d9d44f242bb91c0b5bf99fc024473b9f2ec920cf

SHA512
3b89fcabd733bd60cef7e9333ad1ca9e2fb1f7dadc27b2a51c9426cb6bf35bd6d733d10c5fb30a79a289b9599d65b1f26fa5bde2148981710d94e412066392f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b94b0ba17d6421777e63028c7c7d0bd

SHA1
7075ea596551f211c5e517e886e301674c18312f

SHA256
9461bf4c758ed919cb6fde1d51a212a03c926e8998c8cd020251147210222f5e

SHA512
93574ef30787fac35a8d7e20c5b14a3e8dfee83cc6e8b5a32a10005aee552aa46d53a9c15e199c25fe508f77e6a4b283e328dc60ca0f0af615cae800ba5ae291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c47206bcc1d4cca72164e52b6883eb4

SHA1
2b52d3b76d78ce9ebbaed7411307bb1c58252046

SHA256
99d2564644fca6d1f855e5f2b8c5f42ec551c653bc530efd572f22bb11c54ddb

SHA512
de74ccf59180d7ea160613346395b572139ff799b99a7c79b7ca0f61f3f8d231a93e24e8acbd47db1b14be4ba9326f16c55f04adf52b3de5252b9dc200d86a5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3dc952bd1ec790a10fbeee09610255b3

SHA1
8f842ff0dfa69c3b9a8da28b67f83a71808e26c9

SHA256
cfd516903948617ad51b9a3f5aaa9ca9dcec6c76782d4889c40750c4a4c17dd3

SHA512
46441f6049a855136927a35b4f4c8481f30074d7b485bfae0adde02fbb6ad28ef49fb6a8b16017abada20855fa4684e771f96f4362963ff2db3a9a1bd138c879

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088054759135.txt.mp3

Filesize
47KB

MD5
9d022fdf392886c5bce8025973e9d7bb

SHA1
1c726f9bac4fb8ce6e91fbfce1d73756a121e209

SHA256
ac7982dc3a68bd4e7e0ef392759094e8ffcab4b613300e35d499dfba85e5a2f2

SHA512
ead7e752006ead29e98f3294352ef0735216b98c8be0cabf040df96e97499a6a0136307c7ea56fa46ef4d751d1742c66a348a3ae0cd3c5d55bae3289c155a51b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586111482109979.txt

Filesize
75KB

MD5
48300f1452769af9f223d345199292c4

SHA1
a1407cee7b9fcb0c1ebaeea4e0404f4e2a348309

SHA256
ef4516bfe0c33e5b6c7f0228105b6fd2165f5f5c569cfb446fa3a14aa5a2694d

SHA512
1e2019b33f9e617414342e714ebb4d347b9aa1db25c20f4346f87724694b23c527c04382f3bb3ad93244e86b9df8a8082f1a99d85b71b2f9445e5a6c803d1014

Download Submit
C:\Windows\gnxdrngpxgqu.exe

Filesize
328KB

MD5
e5e83d8209a8e06089d70e65901b7481

SHA1
dba4cc12a51f6ab845673de37756d2b3f31825e6

SHA256
e37b974823a5def88d1b8857cbe4262ed60d59a7ef7b6854e407d6a2dc8cdc68

SHA512
63b61ab3d5d26aaa318ae36a29dfc2107deedd6b340c54abbeec40b9598a5d6ea1743bdd6c320dddcbafcea5820b2620e4b0b9bfc4d5a45a8808c09b148503b2

Download Submit
memory/628-8568-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/628-10387-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/628-12-0x0000000000750000-0x00000000007D6000-memory.dmp

Filesize
536KB

Download
memory/628-5116-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/628-2409-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/628-10431-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1640-0-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1640-3-0x0000000002110000-0x0000000002196000-memory.dmp

Filesize
536KB

Download
memory/1640-14-0x0000000002110000-0x0000000002196000-memory.dmp

Filesize
536KB

Download
memory/1640-13-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download