8d1386773be9c28c6b3a5b5aa6838cf575189cedf17544105b95500c156b8f7e

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_09e28e9a94fee8af07007497677976fc.exe
Size

327KB
MD5

09e28e9a94fee8af07007497677976fc
SHA1

383a448b39b3eb8917cf36661996ca2c933ae53e
SHA256

8d1386773be9c28c6b3a5b5aa6838cf575189cedf17544105b95500c156b8f7e
SHA512

a7a705bfa8cec58de945e86e82f2dcdb658b8f0b1d8aa606caf35e1d6860e2d3ea890c6d974dd8c692ae260d1d342f2ff875880a04f247290089c477cc9d4c02
SSDEEP

6144:UpLp0syTnvooi3umGCJ1aynXgtGF0bo8ZZma/PC4yUYS5xCKszrQZ9:UpLesyNiVRJ1a6Xgtf3ZFPRY1zrU

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+wupte.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled , or start obtaining BITCOIN NOW !!!!! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files , except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below * http://t54ndnku456ngkwsudqer.wallymac.com/A7BAB338BE6B889 * http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/A7BAB338BE6B889 * http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/A7BAB338BE6B889 If for some reasons the addresses are not available, follow these steps * Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en * After a successful installation, run the browser * Type in the address bar: xlowfznrg4wf7dli.onion/A7BAB338BE6B889 * Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/A7BAB338BE6B889 http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/A7BAB338BE6B889 http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/A7BAB338BE6B889

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/A7BAB338BE6B889

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/A7BAB338BE6B889

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/A7BAB338BE6B889

http://xlowfznrg4wf7dli.onion/A7BAB338BE6B889

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	VirusShare_09e28e9a94fee8af07007497677976fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	ejxvtuabprej.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+wupte.txt	ejxvtuabprej.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+wupte.html	ejxvtuabprej.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+wupte.txt	ejxvtuabprej.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+wupte.html	ejxvtuabprej.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe

Executes dropped EXE 1 IoCs

pid	Process
624	ejxvtuabprej.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aroinics_svc = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Windows\\ejxvtuabprej.exe"	ejxvtuabprej.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_ReCoVeRy_+wupte.html	ejxvtuabprej.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\_ReCoVeRy_+wupte.html	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-256.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-200.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-40_altform-unplated.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-125.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\x64\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-200.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_ReCoVeRy_+wupte.txt	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-high.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-30.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated_contrast-white.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-lightunplated.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-125.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+wupte.txt	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-100.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+wupte.txt	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-100.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\_ReCoVeRy_+wupte.txt	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated_contrast-white.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_ReCoVeRy_+wupte.html	ejxvtuabprej.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\_ReCoVeRy_+wupte.txt	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-125.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-lightunplated.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-125.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_ReCoVeRy_+wupte.txt	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-200_contrast-white.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\_ReCoVeRy_+wupte.txt	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Hedge.jpg	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\avatar_group_large.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-125_contrast-white.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_play_prs.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-200.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\55.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Fonts\_ReCoVeRy_+wupte.txt	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Tongue.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteLargeTile.scale-400.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\MovedPackages\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\_ReCoVeRy_+wupte.txt	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\_ReCoVeRy_+wupte.html	ejxvtuabprej.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\_ReCoVeRy_+wupte.html	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-125_contrast-white.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-72_altform-lightunplated.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-100.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-16.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_ReCoVeRy_+wupte.html	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+wupte.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-3.jpg	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	ejxvtuabprej.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlFrontIndicator.png	ejxvtuabprej.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ejxvtuabprej.exe	VirusShare_09e28e9a94fee8af07007497677976fc.exe
File opened for modification	C:\Windows\ejxvtuabprej.exe	VirusShare_09e28e9a94fee8af07007497677976fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	ejxvtuabprej.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
944	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe
624	ejxvtuabprej.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	VirusShare_09e28e9a94fee8af07007497677976fc.exe
Token: SeDebugPrivilege	624	ejxvtuabprej.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: 36	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: 36	1212	WMIC.exe
Token: SeBackupPrivilege	4100	vssvc.exe
Token: SeRestorePrivilege	4100	vssvc.exe
Token: SeAuditPrivilege	4100	vssvc.exe
Token: SeIncreaseQuotaPrivilege	288	WMIC.exe
Token: SeSecurityPrivilege	288	WMIC.exe
Token: SeTakeOwnershipPrivilege	288	WMIC.exe
Token: SeLoadDriverPrivilege	288	WMIC.exe
Token: SeSystemProfilePrivilege	288	WMIC.exe
Token: SeSystemtimePrivilege	288	WMIC.exe
Token: SeProfSingleProcessPrivilege	288	WMIC.exe
Token: SeIncBasePriorityPrivilege	288	WMIC.exe
Token: SeCreatePagefilePrivilege	288	WMIC.exe
Token: SeBackupPrivilege	288	WMIC.exe
Token: SeRestorePrivilege	288	WMIC.exe
Token: SeShutdownPrivilege	288	WMIC.exe
Token: SeDebugPrivilege	288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	288	WMIC.exe
Token: SeRemoteShutdownPrivilege	288	WMIC.exe
Token: SeUndockPrivilege	288	WMIC.exe
Token: SeManageVolumePrivilege	288	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 624	2544	VirusShare_09e28e9a94fee8af07007497677976fc.exe	83
PID 2544 wrote to memory of 624	2544	VirusShare_09e28e9a94fee8af07007497677976fc.exe	83
PID 2544 wrote to memory of 624	2544	VirusShare_09e28e9a94fee8af07007497677976fc.exe	83
PID 2544 wrote to memory of 4124	2544	VirusShare_09e28e9a94fee8af07007497677976fc.exe	85
PID 2544 wrote to memory of 4124	2544	VirusShare_09e28e9a94fee8af07007497677976fc.exe	85
PID 2544 wrote to memory of 4124	2544	VirusShare_09e28e9a94fee8af07007497677976fc.exe	85
PID 624 wrote to memory of 1212	624	ejxvtuabprej.exe	87
PID 624 wrote to memory of 1212	624	ejxvtuabprej.exe	87
PID 624 wrote to memory of 944	624	ejxvtuabprej.exe	100
PID 624 wrote to memory of 944	624	ejxvtuabprej.exe	100
PID 624 wrote to memory of 944	624	ejxvtuabprej.exe	100
PID 624 wrote to memory of 1076	624	ejxvtuabprej.exe	101
PID 624 wrote to memory of 1076	624	ejxvtuabprej.exe	101
PID 1076 wrote to memory of 728	1076	msedge.exe	102
PID 1076 wrote to memory of 728	1076	msedge.exe	102
PID 624 wrote to memory of 288	624	ejxvtuabprej.exe	103
PID 624 wrote to memory of 288	624	ejxvtuabprej.exe	103
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 1824	1076	msedge.exe	105
PID 1076 wrote to memory of 3292	1076	msedge.exe	106
PID 1076 wrote to memory of 3292	1076	msedge.exe	106
PID 1076 wrote to memory of 4024	1076	msedge.exe	107
PID 1076 wrote to memory of 4024	1076	msedge.exe	107
PID 1076 wrote to memory of 4024	1076	msedge.exe	107
PID 1076 wrote to memory of 4024	1076	msedge.exe	107
PID 1076 wrote to memory of 4024	1076	msedge.exe	107

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ejxvtuabprej.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ejxvtuabprej.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_09e28e9a94fee8af07007497677976fc.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_09e28e9a94fee8af07007497677976fc.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\ejxvtuabprej.exe
  C:\Windows\ejxvtuabprej.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:624
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9c9546f8,0x7ffb9c954708,0x7ffb9c954718
      4⤵
      PID:728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17030103662696568001,10457560959867035928,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:1824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,17030103662696568001,10457560959867035928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      PID:3292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,17030103662696568001,10457560959867035928,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
      4⤵
      PID:4024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17030103662696568001,10457560959867035928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
      4⤵
      PID:3200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17030103662696568001,10457560959867035928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
      4⤵
      PID:4860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17030103662696568001,10457560959867035928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
      4⤵
      PID:4924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17030103662696568001,10457560959867035928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
      4⤵
      PID:3296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17030103662696568001,10457560959867035928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
      4⤵
      PID:2040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17030103662696568001,10457560959867035928,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
      4⤵
      PID:808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17030103662696568001,10457560959867035928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
      4⤵
      PID:2060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17030103662696568001,10457560959867035928,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
      4⤵
      PID:4756
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:4124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+wupte.html

Filesize
11KB

MD5
9db7af67de51408157cb0d5dec53d700

SHA1
d74b22f55189eb1e1e0147f284303aea5173a85d

SHA256
4ba5b362a9850b7d3734bcd2ef89502edbc3a6870874ae18325d15c6ed339918

SHA512
112beed4485a379e5b77f5e7b8492e6e50e44df75f0d2b9e4ee43ce1fcaba230dbda099a3ebc279d248de8682b5333fdcabd52fb4b60727970573199a6eb9944

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+wupte.png

Filesize
61KB

MD5
0104fa78d91160fcbc627562af8345c3

SHA1
6623b5d0377b0c7ea0669267d8f87251d76af7fd

SHA256
273eb21d9d1a3f5f068266e2730bdeede525d58ad105edf925ae34a4672f458d

SHA512
3b3a15d7d7b276f0f686d2364d1717d8e5f30b318ccad5f4ae5f8438a58088658aa04d0fafbec8ed07b6374c02dd524f4d7a90a2b136f4e66f8711d076ca605e

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+wupte.txt

Filesize
1KB

MD5
0cdfd1acc88723fd9952bd30989daceb

SHA1
0f3400b2a9770f7505782398caf045eb59a74208

SHA256
38e42e00418b21fe0a139fc1fab0a252fc688c524b3a75d0c4041345e9d6cefc

SHA512
3c336a70d928d098a6019e6e774114f6df9d30bf1c1ad6d2a78f2c6b58965e76792188ccb03d8810bd52957dc552cef893453a8c2cd0fc88784d01e6c083748e

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
22ef10f74385fbc3a560f255ea4e783b

SHA1
58651fbe10fdc34bbac30fa1d8514d2cdd4546f4

SHA256
ad9a6b20ad92d536f2dcae92e34ebcff617c370aaf5d6ba6058d9d337b687070

SHA512
3b53be006bc1b5e63bc3856f5aa0c43d7df3255fc67fe8647fa1912f637cb26475635a2b58ed5fc3ab9b27b240cebfbf50befd997b46d9ec4828ea4f6b24540a

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
caad2c59b6f2ebcb412102ba2a8f4b8e

SHA1
3ea55ceb762492416de22e5faa0590cdc14ed1f1

SHA256
e982d87708c07cf9340306ae16da879f8d383ee5d0aa70b13aee860d1af4e558

SHA512
43a542e33369b31c591003b1e1c500284f66f56d69b0e79365cfa89f9d06a35789a0a9bc665d3afc9d31412d18a49a76357f51902eca4c77563283e103ead311

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
9451e53b1f7881cf4e56b4fcdcc2cacf

SHA1
4cc254927cee5653ec9bc891793603aa25323104

SHA256
13190c0a5a5bbf8411b1f6263114f392444124c17f8dc08a0b2dc4fc08084b59

SHA512
23a66523f9acf69615c1004406e0b9f876ee3f1435acf90b1354f6a0136e4ceff661ec35b3b9296f222180cc945e10d9ad91c7d40103d8782ace93d50d5cd8c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7ffce96a1f53c2926c4328fb312628d6

SHA1
6908802960b9f0238497e061f0bd3e57993e5e88

SHA256
f43a895b7e2dc290551a04875c63f9b0791a488818700330f27338a37f68ef78

SHA512
d2ea93fa34ea8bc8dc448288e3b492a75a04b08fc6c4089835b94d1ee6dead686798e404652c2daa31e287ab64fedf71730fdb39e69391f937f340b18810bb60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29d26a488f5f126d4492fc27ea60269d

SHA1
bb8545b1bf7577eb3640acb296dd246d4243bd29

SHA256
f3ef5b6213dd7f0da28b1b7a8e0fb62dde364698e84701c0fd2d18cc415468e1

SHA512
8573c65d10b95b0382e43b3756f003442971ad384b89a487bb96f43f7f64d640885ec2e1e2d22e2f5d2e0db237b343aeac05ca42ccb8e4c91fafca79d82667b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f9d18f232fb88e3361a23e7927c19254

SHA1
74822b30d595bec7d5b919f29519831a52ae85c4

SHA256
f60f430ae0d070c281f826365875b6de6f5d59817e5f99548b067d8dd7955947

SHA512
69ac0643615acb72885435b4f043006a7447d22b0f662c5e5f19c4745f8a486aa1841c7bae8727aeaf323169da808f6117063b4bcab101183a40a3d98a4c6cec

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586120609615741.txt

Filesize
75KB

MD5
9e27c4fb1bd290d7d3b924fdad406292

SHA1
29d8482555af2be70535a492ecfc4ef2c99de59e

SHA256
e5f37531df10739c409ec3dff8c36d55fa725f3408b17473139e9cc642d1e8b9

SHA512
a20aec76737050bb6fd56dae6dbd2af2d78d17a37a270c66c3ae442d434756d7890e3a16b72363088e894e9c61cc3a802e2a8ca7798be388f962f25e293a6348

Download Submit
C:\Windows\ejxvtuabprej.exe

Filesize
327KB

MD5
09e28e9a94fee8af07007497677976fc

SHA1
383a448b39b3eb8917cf36661996ca2c933ae53e

SHA256
8d1386773be9c28c6b3a5b5aa6838cf575189cedf17544105b95500c156b8f7e

SHA512
a7a705bfa8cec58de945e86e82f2dcdb658b8f0b1d8aa606caf35e1d6860e2d3ea890c6d974dd8c692ae260d1d342f2ff875880a04f247290089c477cc9d4c02

Download Submit
memory/624-10394-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/624-8783-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/624-5272-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/624-2472-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/624-10440-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2544-0-0x0000000000820000-0x00000000008A6000-memory.dmp

Filesize
536KB

Download
memory/2544-13-0x0000000000820000-0x00000000008A6000-memory.dmp

Filesize
536KB

Download
memory/2544-9-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2544-1-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download