teslacrypt | a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba

Analysis

max time kernel
143s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
Size

388KB
MD5

1fe6fdfb7796bf1ec5bdf80f86fa9dc5
SHA1

c4f86755ca60567fedc3a05ce88c4a342219c8b4
SHA256

a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba
SHA512

22cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6
SSDEEP

6144:nYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:nnSdO0iNEPn+TGOoYzwscMSOXUIJ

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+jukwp.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/76C373CAFA1A49BA 2. http://kkd47eh4hdjshb5t.angortra.at/76C373CAFA1A49BA 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/76C373CAFA1A49BA If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/76C373CAFA1A49BA 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/76C373CAFA1A49BA http://kkd47eh4hdjshb5t.angortra.at/76C373CAFA1A49BA http://ytrest84y5i456hghadefdsd.pontogrot.com/76C373CAFA1A49BA *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/76C373CAFA1A49BA

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/76C373CAFA1A49BA

http://kkd47eh4hdjshb5t.angortra.at/76C373CAFA1A49BA

http://ytrest84y5i456hghadefdsd.pontogrot.com/76C373CAFA1A49BA

http://xlowfznrg4wf7dli.ONION/76C373CAFA1A49BA

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (863) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	waqhlibjyktd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+jukwp.png	waqhlibjyktd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+jukwp.txt	waqhlibjyktd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+jukwp.png	waqhlibjyktd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+jukwp.txt	waqhlibjyktd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+jukwp.html	waqhlibjyktd.exe

Executes dropped EXE 2 IoCs

pid	Process
3248	waqhlibjyktd.exe
4716	waqhlibjyktd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbespojsvoil = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\waqhlibjyktd.exe\""	waqhlibjyktd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4720 set thread context of 2032	4720	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	88
PID 3248 set thread context of 4716	3248	waqhlibjyktd.exe	92

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.HCBlack.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\Recovery+jukwp.txt	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Nose.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32_altform-lightunplated.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileSway32x32.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-300.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\Recovery+jukwp.txt	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\eml.scale-32.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+jukwp.txt	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-125_contrast-black.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Recovery+jukwp.txt	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-unplated.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+jukwp.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\Recovery+jukwp.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\Recovery+jukwp.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-200.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-200_contrast-black.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-64_altform-unplated.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_altform-lightunplated.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\Recovery+jukwp.txt	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-60_altform-unplated.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlOuterCircleHover.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sv.pak	waqhlibjyktd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a.jpg	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-125.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-150.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-200_contrast-white.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-100.jpg	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\id_arrow_black.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg2_thumb.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\Recovery+jukwp.txt	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\Recovery+jukwp.txt	waqhlibjyktd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\Recovery+jukwp.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-400.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-150.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-32.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\styles.css	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-200.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\Recovery+jukwp.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\theme-light\Recovery+jukwp.html	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\32.jpg	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_connect.targetsize-48.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-100.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\WinMetadata\Recovery+jukwp.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_contrast-black.png	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\View3d\Recovery+jukwp.txt	waqhlibjyktd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\Recovery+jukwp.html	waqhlibjyktd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\waqhlibjyktd.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
File opened for modification	C:\Windows\waqhlibjyktd.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	waqhlibjyktd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3628	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe
4716	waqhlibjyktd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
Token: SeDebugPrivilege	4716	waqhlibjyktd.exe
Token: SeIncreaseQuotaPrivilege	912	WMIC.exe
Token: SeSecurityPrivilege	912	WMIC.exe
Token: SeTakeOwnershipPrivilege	912	WMIC.exe
Token: SeLoadDriverPrivilege	912	WMIC.exe
Token: SeSystemProfilePrivilege	912	WMIC.exe
Token: SeSystemtimePrivilege	912	WMIC.exe
Token: SeProfSingleProcessPrivilege	912	WMIC.exe
Token: SeIncBasePriorityPrivilege	912	WMIC.exe
Token: SeCreatePagefilePrivilege	912	WMIC.exe
Token: SeBackupPrivilege	912	WMIC.exe
Token: SeRestorePrivilege	912	WMIC.exe
Token: SeShutdownPrivilege	912	WMIC.exe
Token: SeDebugPrivilege	912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	912	WMIC.exe
Token: SeRemoteShutdownPrivilege	912	WMIC.exe
Token: SeUndockPrivilege	912	WMIC.exe
Token: SeManageVolumePrivilege	912	WMIC.exe
Token: 33	912	WMIC.exe
Token: 34	912	WMIC.exe
Token: 35	912	WMIC.exe
Token: 36	912	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2084	WMIC.exe
Token: SeSecurityPrivilege	2084	WMIC.exe
Token: SeTakeOwnershipPrivilege	2084	WMIC.exe
Token: SeLoadDriverPrivilege	2084	WMIC.exe
Token: SeSystemProfilePrivilege	2084	WMIC.exe
Token: SeSystemtimePrivilege	2084	WMIC.exe
Token: SeProfSingleProcessPrivilege	2084	WMIC.exe
Token: SeIncBasePriorityPrivilege	2084	WMIC.exe
Token: SeCreatePagefilePrivilege	2084	WMIC.exe
Token: SeBackupPrivilege	2084	WMIC.exe
Token: SeRestorePrivilege	2084	WMIC.exe
Token: SeShutdownPrivilege	2084	WMIC.exe
Token: SeDebugPrivilege	2084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2084	WMIC.exe
Token: SeRemoteShutdownPrivilege	2084	WMIC.exe
Token: SeUndockPrivilege	2084	WMIC.exe
Token: SeManageVolumePrivilege	2084	WMIC.exe
Token: 33	2084	WMIC.exe
Token: 34	2084	WMIC.exe
Token: 35	2084	WMIC.exe
Token: 36	2084	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2032	4720	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	88
PID 4720 wrote to memory of 2032	4720	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	88
PID 4720 wrote to memory of 2032	4720	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	88
PID 4720 wrote to memory of 2032	4720	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	88
PID 4720 wrote to memory of 2032	4720	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	88
PID 4720 wrote to memory of 2032	4720	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	88
PID 4720 wrote to memory of 2032	4720	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	88
PID 4720 wrote to memory of 2032	4720	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	88
PID 4720 wrote to memory of 2032	4720	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	88
PID 4720 wrote to memory of 2032	4720	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	88
PID 2032 wrote to memory of 3248	2032	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	89
PID 2032 wrote to memory of 3248	2032	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	89
PID 2032 wrote to memory of 3248	2032	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	89
PID 2032 wrote to memory of 4968	2032	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	90
PID 2032 wrote to memory of 4968	2032	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	90
PID 2032 wrote to memory of 4968	2032	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	90
PID 3248 wrote to memory of 4716	3248	waqhlibjyktd.exe	92
PID 3248 wrote to memory of 4716	3248	waqhlibjyktd.exe	92
PID 3248 wrote to memory of 4716	3248	waqhlibjyktd.exe	92
PID 3248 wrote to memory of 4716	3248	waqhlibjyktd.exe	92
PID 3248 wrote to memory of 4716	3248	waqhlibjyktd.exe	92
PID 3248 wrote to memory of 4716	3248	waqhlibjyktd.exe	92
PID 3248 wrote to memory of 4716	3248	waqhlibjyktd.exe	92
PID 3248 wrote to memory of 4716	3248	waqhlibjyktd.exe	92
PID 3248 wrote to memory of 4716	3248	waqhlibjyktd.exe	92
PID 3248 wrote to memory of 4716	3248	waqhlibjyktd.exe	92
PID 4716 wrote to memory of 912	4716	waqhlibjyktd.exe	93
PID 4716 wrote to memory of 912	4716	waqhlibjyktd.exe	93
PID 4716 wrote to memory of 3628	4716	waqhlibjyktd.exe	96
PID 4716 wrote to memory of 3628	4716	waqhlibjyktd.exe	96
PID 4716 wrote to memory of 3628	4716	waqhlibjyktd.exe	96
PID 4716 wrote to memory of 3000	4716	waqhlibjyktd.exe	97
PID 4716 wrote to memory of 3000	4716	waqhlibjyktd.exe	97
PID 3000 wrote to memory of 4692	3000	msedge.exe	98
PID 3000 wrote to memory of 4692	3000	msedge.exe	98
PID 4716 wrote to memory of 2084	4716	waqhlibjyktd.exe	99
PID 4716 wrote to memory of 2084	4716	waqhlibjyktd.exe	99
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101
PID 3000 wrote to memory of 1152	3000	msedge.exe	101

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	waqhlibjyktd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	waqhlibjyktd.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\waqhlibjyktd.exe
    C:\Windows\waqhlibjyktd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\waqhlibjyktd.exe
      C:\Windows\waqhlibjyktd.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4716
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:3628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffea8db46f8,0x7ffea8db4708,0x7ffea8db4718
        6⤵
        
        PID:4692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,14265670620808726717,1984320630424459806,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
        6⤵
        
        PID:1152
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,14265670620808726717,1984320630424459806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
        6⤵
        
        PID:3056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,14265670620808726717,1984320630424459806,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
        6⤵
        
        PID:4668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14265670620808726717,1984320630424459806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        6⤵
        
        PID:872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14265670620808726717,1984320630424459806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        6⤵
        
        PID:3732
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,14265670620808726717,1984320630424459806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
        6⤵
        
        PID:4916
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,14265670620808726717,1984320630424459806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
        6⤵
        
        PID:2256
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14265670620808726717,1984320630424459806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
        6⤵
        
        PID:2856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14265670620808726717,1984320630424459806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
        6⤵
        
        PID:1576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14265670620808726717,1984320630424459806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        6⤵
        
        PID:1764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14265670620808726717,1984320630424459806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        6⤵
        
        PID:1760
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\WAQHLI~1.EXE
        5⤵
        
        PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:4968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+jukwp.html

Filesize
9KB

MD5
d2e67af998bb5b9b745572f7e5fe3a3c

SHA1
73b1e9bd38b69ceffc94a3ad1109e2bc0cfa4638

SHA256
6c6530d1b005a72412109d1e10a8b0fffa12c2bd0d748700cd42be9327f27503

SHA512
70700ebcae84d7b1e0f6a68d7237191975b6546183497acae02cf09677ed38541255a0391311629ed23865e2577d23b5f239d38cd24d4c57934eb7de0ad41a5c

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+jukwp.png

Filesize
63KB

MD5
3bf14663c98bea7e88c08a76db83fb2b

SHA1
f51e29d721aa56ca5587e0102629993e90387585

SHA256
cdffb96609d34ed0e69f84fb7da5bcac70d58100b1f227cdd7cd525615952586

SHA512
6cddc90d4feefc5b49d210298754bef50c4688cdae749baf96957d0059698fc3e0b1fd818e126d540ab192d392f2bf9d71a522e7852d2c55732c07750a8483fe

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+jukwp.txt

Filesize
1KB

MD5
73bc2c0922659a85ea703283f30891ac

SHA1
b0baf292fcb04bd8602be881dabfd607723a8e77

SHA256
9480af36af9bacfe1dd37c0b9af021bb0445f71a4c7002dfd0fc62ff8ce9dd7f

SHA512
04379f49f19dbb8c1383debe1f40f4fa9aa35479fdd68eb1167a34d3269c56fd306c48610ca2a89669d4688a3ca33571a771d4554169013f5d7bca5d6d05f28d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
6365985709eb444e9acd3035e1910280

SHA1
071fb2ecb6b0b4e438f253ba7e953e318f1367dd

SHA256
6e0cc646fcded2fa63dac7ead399a1671c539e1fa58c2121e8dd6b67f22bd857

SHA512
ad923270500945773f41227f8989fdc1149f059d64b3fa74131a5502bb1e8b77eacb862528c918ec44df6bcedf058f28771f998346e8424574dcc3ce069cb71c

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
bf32a55878710ff7e2f9165c154918ff

SHA1
b54915af3f65891fc2d11f2a59df8904e864600a

SHA256
71d5434b431edebd36a2041162275eff5baf1843e66c5f7cf45841adc1bd934b

SHA512
78b4ff8428b0e8b4f49d158616894172c5279766bd6e4109558e67f7dbe61eb3d4aeaf279fdee25e92445766e54537fc181c5a24a68d8fcbb4e354f9419026bc

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
6e6e9373d711df0e292d0f4b0d22d9b5

SHA1
f7b7216ef601236a7b7acceb68e67061f9cc5fdf

SHA256
730ad1cfbc5550c374f057fb0bcadb7bb96de0fd28387886f62db0591df48140

SHA512
7c417ff8459e774f12f933ff7ec494c4a28035e4c07c63320916aee1cbb7af115f4935bd5cd94b1e468005706af3cbdb3cfeedab1ae795005f10f6471b8cd8d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8b7c2db61ef0c188c5952d128def2461

SHA1
faa861ce39672b6be4266a6600307556e3eb47dc

SHA256
d379e7c0fc33734d3f899ff190fb93276bdb719b54a4f299b438051eda72e58e

SHA512
e6a88017ebb61996686ac79647268307402e2dd8e379b927db4b18ec055f2c40d5310d0e0d62ad49aa75b70fc060a476b52c6778597f37aedf5028ac97d05eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eed2c063e12f9e6f253313703dbfc914

SHA1
05750e8674864be6b44cda5177fbd6ad5bc5fc91

SHA256
113032cfc2407ed51f27beb477b5d5423674739a6a1149a36df99a05df17bf22

SHA512
84baa0d387bdad0cb1dfefd8f276f42094f6398757c2827a9dd767e7882877740d47670f0b6274280f7d09c757eab002b5dbc01ec3356ad844da667c644ea7c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6a1771565586b2626bc25d7f36cf6340

SHA1
03e1bc14198e8b94cb9775f947a0403df770e389

SHA256
e6d98f625dd072be9c75a59c18fa5f64cc80c3101408c71f2b5b49da5fab9df0

SHA512
41ccd54c7679831f3cf0d12273af44bef470b951248c84aaa705b96d53b771191d2eb3fb6b38cf490ecbd85d2ef7fca53eb5c8a198b59e4b0b3dd7eb6fd33003

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088054759135.txt

Filesize
47KB

MD5
023cd232bbad99c700e2ec4bcaa35c3d

SHA1
dd2d57d890f0eee36f9fb50528c6e35c8b888c70

SHA256
a3c86274d63a3866ea7e02e09d3d81c6b2423dd5c1ae234a9dde6f83eed8688b

SHA512
812518fabbb21a3627fb44ba8b70da487ac1060861ee187dcd9bb72bb355436156518bf2e5bbfb84a609984f165a44bd20bc20356ad1f626f9a3b5cb173a3313

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586128869217645.txt

Filesize
75KB

MD5
ce9eca4b24b1eb238fe53e4095198b5a

SHA1
09b285704d3c188b00d78040c72db3f89fca5c3a

SHA256
46adefc25d7eece8ba0bf16846733af544b2d3ed3ed572af7789fceab0078295

SHA512
00b4959a100458c2c522ab7b00e47d3c084c9c66ab2af859c582f7294569d8dadfd1f339dd207426a0d19c39a6d932963d8b0a2882d51b49112de16d2a5d46ce

Download Submit
C:\Windows\waqhlibjyktd.exe

Filesize
388KB

MD5
1fe6fdfb7796bf1ec5bdf80f86fa9dc5

SHA1
c4f86755ca60567fedc3a05ce88c4a342219c8b4

SHA256
a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba

SHA512
22cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6

Download Submit
memory/2032-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2032-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2032-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2032-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2032-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3248-12-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/4716-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-2861-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-5426-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-447-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-8921-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-10372-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-10373-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-10381-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-10383-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4716-10424-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4720-0-0x0000000000EA0000-0x0000000000EA3000-memory.dmp

Filesize
12KB

Download
memory/4720-4-0x0000000000EA0000-0x0000000000EA3000-memory.dmp

Filesize
12KB

Download
memory/4720-1-0x0000000000EA0000-0x0000000000EA3000-memory.dmp

Filesize
12KB

Download