teslacrypt | 1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_9213073f63c1542315acdad27c0b8b78.exe
Size

360KB
MD5

9213073f63c1542315acdad27c0b8b78
SHA1

77b5765cd37ccfb7608611291d66e68b7d68e2dc
SHA256

1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad
SHA512

9ae5d76345825b0cd012d4ce8189a1b6864b3d76be93ae7fad22eb28387097346213d7763a989098ae2dd5a921afd3ab8ef72cc308d4d9bfc8e7e7efa3a92735
SSDEEP

6144:YaaRWvS8RStjunQ/ocbbOeEQZlPX6kKhWbyFqoMU2sEEbsOI/4Yi:YFWvNS8EE4+WOeU22bnI/4Yi

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ldhtc.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/905EAB3219B17E3E 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/905EAB3219B17E3E 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/905EAB3219B17E3E If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/905EAB3219B17E3E 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/905EAB3219B17E3E http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/905EAB3219B17E3E http://yyre45dbvn2nhbefbmh.begumvelic.at/905EAB3219B17E3E Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/905EAB3219B17E3E

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/905EAB3219B17E3E

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/905EAB3219B17E3E

http://yyre45dbvn2nhbefbmh.begumvelic.at/905EAB3219B17E3E

http://xlowfznrg4wf7dli.ONION/905EAB3219B17E3E

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	jfywpocfbief.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	VirusShare_9213073f63c1542315acdad27c0b8b78.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe

Executes dropped EXE 1 IoCs

pid	Process
1908	jfywpocfbief.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xegniji = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\jfywpocfbief.exe"	jfywpocfbief.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-white.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalStoreLogo.scale-125_contrast-black.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-100.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailBadge.scale-200.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-200.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-150.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Tongue.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-200.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_contrast-white.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_contrast-white.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\IsoLeft.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	jfywpocfbief.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-100.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-standard\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.scale-100.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-400.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-60_contrast-white.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100_contrast-white.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-lightunplated.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-125.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-100_contrast-white.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Text\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-200.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\_ReCoVeRy_+ldhtc.png	jfywpocfbief.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+ldhtc.txt	jfywpocfbief.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\de.pak	jfywpocfbief.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\_ReCoVeRy_+ldhtc.html	jfywpocfbief.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\jfywpocfbief.exe	VirusShare_9213073f63c1542315acdad27c0b8b78.exe
File opened for modification	C:\Windows\jfywpocfbief.exe	VirusShare_9213073f63c1542315acdad27c0b8b78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	jfywpocfbief.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2712	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe
1908	jfywpocfbief.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	VirusShare_9213073f63c1542315acdad27c0b8b78.exe
Token: SeDebugPrivilege	1908	jfywpocfbief.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe
Token: SeSecurityPrivilege	5004	WMIC.exe
Token: SeTakeOwnershipPrivilege	5004	WMIC.exe
Token: SeLoadDriverPrivilege	5004	WMIC.exe
Token: SeSystemProfilePrivilege	5004	WMIC.exe
Token: SeSystemtimePrivilege	5004	WMIC.exe
Token: SeProfSingleProcessPrivilege	5004	WMIC.exe
Token: SeIncBasePriorityPrivilege	5004	WMIC.exe
Token: SeCreatePagefilePrivilege	5004	WMIC.exe
Token: SeBackupPrivilege	5004	WMIC.exe
Token: SeRestorePrivilege	5004	WMIC.exe
Token: SeShutdownPrivilege	5004	WMIC.exe
Token: SeDebugPrivilege	5004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5004	WMIC.exe
Token: SeRemoteShutdownPrivilege	5004	WMIC.exe
Token: SeUndockPrivilege	5004	WMIC.exe
Token: SeManageVolumePrivilege	5004	WMIC.exe
Token: 33	5004	WMIC.exe
Token: 34	5004	WMIC.exe
Token: 35	5004	WMIC.exe
Token: 36	5004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe
Token: SeSecurityPrivilege	5004	WMIC.exe
Token: SeTakeOwnershipPrivilege	5004	WMIC.exe
Token: SeLoadDriverPrivilege	5004	WMIC.exe
Token: SeSystemProfilePrivilege	5004	WMIC.exe
Token: SeSystemtimePrivilege	5004	WMIC.exe
Token: SeProfSingleProcessPrivilege	5004	WMIC.exe
Token: SeIncBasePriorityPrivilege	5004	WMIC.exe
Token: SeCreatePagefilePrivilege	5004	WMIC.exe
Token: SeBackupPrivilege	5004	WMIC.exe
Token: SeRestorePrivilege	5004	WMIC.exe
Token: SeShutdownPrivilege	5004	WMIC.exe
Token: SeDebugPrivilege	5004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5004	WMIC.exe
Token: SeRemoteShutdownPrivilege	5004	WMIC.exe
Token: SeUndockPrivilege	5004	WMIC.exe
Token: SeManageVolumePrivilege	5004	WMIC.exe
Token: 33	5004	WMIC.exe
Token: 34	5004	WMIC.exe
Token: 35	5004	WMIC.exe
Token: 36	5004	WMIC.exe
Token: SeBackupPrivilege	1104	vssvc.exe
Token: SeRestorePrivilege	1104	vssvc.exe
Token: SeAuditPrivilege	1104	vssvc.exe
Token: SeIncreaseQuotaPrivilege	708	WMIC.exe
Token: SeSecurityPrivilege	708	WMIC.exe
Token: SeTakeOwnershipPrivilege	708	WMIC.exe
Token: SeLoadDriverPrivilege	708	WMIC.exe
Token: SeSystemProfilePrivilege	708	WMIC.exe
Token: SeSystemtimePrivilege	708	WMIC.exe
Token: SeProfSingleProcessPrivilege	708	WMIC.exe
Token: SeIncBasePriorityPrivilege	708	WMIC.exe
Token: SeCreatePagefilePrivilege	708	WMIC.exe
Token: SeBackupPrivilege	708	WMIC.exe
Token: SeRestorePrivilege	708	WMIC.exe
Token: SeShutdownPrivilege	708	WMIC.exe
Token: SeDebugPrivilege	708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	708	WMIC.exe
Token: SeRemoteShutdownPrivilege	708	WMIC.exe
Token: SeUndockPrivilege	708	WMIC.exe
Token: SeManageVolumePrivilege	708	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 1908	4200	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	83
PID 4200 wrote to memory of 1908	4200	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	83
PID 4200 wrote to memory of 1908	4200	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	83
PID 4200 wrote to memory of 5028	4200	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	85
PID 4200 wrote to memory of 5028	4200	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	85
PID 4200 wrote to memory of 5028	4200	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	85
PID 1908 wrote to memory of 5004	1908	jfywpocfbief.exe	87
PID 1908 wrote to memory of 5004	1908	jfywpocfbief.exe	87
PID 1908 wrote to memory of 2712	1908	jfywpocfbief.exe	100
PID 1908 wrote to memory of 2712	1908	jfywpocfbief.exe	100
PID 1908 wrote to memory of 2712	1908	jfywpocfbief.exe	100
PID 1908 wrote to memory of 4072	1908	jfywpocfbief.exe	101
PID 1908 wrote to memory of 4072	1908	jfywpocfbief.exe	101
PID 4072 wrote to memory of 3988	4072	msedge.exe	102
PID 4072 wrote to memory of 3988	4072	msedge.exe	102
PID 1908 wrote to memory of 708	1908	jfywpocfbief.exe	103
PID 1908 wrote to memory of 708	1908	jfywpocfbief.exe	103
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 3228	4072	msedge.exe	105
PID 4072 wrote to memory of 1932	4072	msedge.exe	106
PID 4072 wrote to memory of 1932	4072	msedge.exe	106
PID 4072 wrote to memory of 1368	4072	msedge.exe	107
PID 4072 wrote to memory of 1368	4072	msedge.exe	107
PID 4072 wrote to memory of 1368	4072	msedge.exe	107
PID 4072 wrote to memory of 1368	4072	msedge.exe	107
PID 4072 wrote to memory of 1368	4072	msedge.exe	107

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	jfywpocfbief.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jfywpocfbief.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_9213073f63c1542315acdad27c0b8b78.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_9213073f63c1542315acdad27c0b8b78.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\jfywpocfbief.exe
  C:\Windows\jfywpocfbief.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1908
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff8b8f346f8,0x7ff8b8f34708,0x7ff8b8f34718
      4⤵
      PID:3988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,7723786614226601125,2517997919160121864,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
      4⤵
      PID:3228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,7723786614226601125,2517997919160121864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      PID:1932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,7723786614226601125,2517997919160121864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
      4⤵
      PID:1368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7723786614226601125,2517997919160121864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:3552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7723786614226601125,2517997919160121864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:4880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,7723786614226601125,2517997919160121864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
      4⤵
      PID:3044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,7723786614226601125,2517997919160121864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
      4⤵
      PID:880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7723786614226601125,2517997919160121864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
      4⤵
      PID:1632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7723786614226601125,2517997919160121864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:3252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7723786614226601125,2517997919160121864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
      4⤵
      PID:2208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7723786614226601125,2517997919160121864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:1928
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JFYWPO~1.EXE
    3⤵
    PID:116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:5028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ldhtc.html

Filesize
12KB

MD5
aab259388c6c8eb0e1c260213e141171

SHA1
e21818b341137284b01176d155fbfcd15e4020bf

SHA256
6bc2a09b7f4b2b7c773f6ddc301bebcb8303e1707577b1975916dde56b61a94b

SHA512
4b86e5d3735eaae8a5a44f15da4025e6980b8d4c9cb712ef6263685221e031fc2022ddd2c4a2feb75255719dbb32a1f75af21ce1ac13401b182b0f5e8d1c95dd

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ldhtc.png

Filesize
64KB

MD5
cec238f2682f27f1984762f82730d65c

SHA1
5791f6259326a19cda37878b4b1d69bc25375b83

SHA256
dc93c242f2f546dac4f2b74c2f16fb9383822673ba2e150e79d40100a7ce94a3

SHA512
f6dcb7bd2aff6dfe718958274c07cd28dbacfdd96a8a2e97a21dff025fa1fcfa4b33b12a4a0920a0e877bed4f4f417814823fed731bb8a0109364cec88327b84

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+ldhtc.txt

Filesize
1KB

MD5
679be06515af3113856cc97868f39937

SHA1
85ed58f1f79a8cdbd19caadda12a8b7096caf04a

SHA256
1f254e2372700a62d456a0fe41ddaa59c592f4da733f9c83c1cffde9ef790e08

SHA512
b71ed32d6aacfac501f0b4ffd89fa72950b4ccdeb5382d68c8b4740015fd65ca0681c7699a0c39852098f1f91c7a6fd079a930ed6ca9b154347772fee44d16b6

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
26598822c1c0853bcf7696d07028e8c6

SHA1
d369116390dc3186e7fc540f4cf5c83571ff0182

SHA256
c35a8c01ca02887a3bb9dd64a5bbb0569833c90e72302ff61d07a650ba0b1952

SHA512
0eaf14fa2741dad2ef959ebb8e0b6741763d45b7e1c240194f10a570c61ceae0d652b4b4286a5ee6255faf9cb60e684aab06c535f01e6f993d6c198335e65353

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
c3290a0d4d284d5a07739e8e1ba803e8

SHA1
3a9ad5b50a8b280b127f83b8a7b8018b3a5f9c5b

SHA256
a822f6f40ff20992960cf02687a58929de98d7c143239b0839b8155cffa5efb6

SHA512
2c7fa53d5e4babdeaa635bc6386d15dd32ff36372d94d1aed3a00036baff41f9fd996cb4971bcbf45f6ac6b076a1c5e9e8713824103e6e904336ef379f25d50e

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
0b2c20846b54bc04dcbc37d1e9ff1a9e

SHA1
4209e54bd7e650b5363a9433e50fc78ff7e0c1bf

SHA256
00ae4e03c41701706e231e981819509af3b5ef7d7a6c4cf0b8bca6fdb36f885a

SHA512
cada6358c803d1fd794ec2a0c4c3c35f736b297d096817c0db55148f15b564f39aecef83dc9a70488ab41cee14e992f0458aefe3328f3205eaf5b9b110947cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47b3e817d0c8c11ffd0ad5619a4d6c97

SHA1
d714755cf62cdec2cba30e30810efdf7d44dbf03

SHA256
45727fd933035a10c18b60f29c831fdf3cb2585ebe739beebbe1c3897479b2d4

SHA512
c689497a7f02cc02b1b7f66ef1d133441412b6086f4892f097b6795e8ce9d457e22e83630cce30d11c193867c10364f2592918296bc297cc4d82b192f117ea80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2b2bb8aa626500cc173d4c22385d43c5

SHA1
cf20df8a1061e8310657de63867f703ca08c325c

SHA256
951fa312499e8fe643b9b586fe897a0208f43953d91c6df51aa4aacc41f66693

SHA512
31d9c5971ef191f9ef6d8ffe42b74e0617dc88662f4408d601b163830509ba270838f1a35c2937694b95626d0482cf10c0e9e0ebf4712a579afbfc3e655f206e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
63dc7eea669a523a2ab3908ee30e8e0e

SHA1
d644c91517514b0a63a0629f2cf3f31e2347342a

SHA256
9fa86fc4b10419fa9c72f9b1c05ac201776368209b567e3a1a5ededf4ed52cf1

SHA512
b4f05c93387b1580381b930b7730cf0865c950b97e77f95280fe2cb40bfecefadefa13c265ba8ece899d9445ae237b02d15dbfe4f39a2cccc6948bb92f217213

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088054759135.txt

Filesize
47KB

MD5
d5463d82683b790b6ee5c50bb3fe2c51

SHA1
a4d83fe93bb7d91ddc77f0508d24d020ccd4d327

SHA256
b317c7420955882673a0cd51d88b0c3440b315a1172039ceff1f755e2e91f661

SHA512
559f0bb4329305c1425cffd3104253a3e2089c7af69783d2706015ccb098ec9cbe32f2fc4ca20dd2b307dfadc36dba0dd7a12760da273f2aad5ccc7aa1d10636

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586104966146694.txt

Filesize
75KB

MD5
2446181c91f3e2002e8a5d1590b1349c

SHA1
0bdcaad8cfff4d1e69ac60b58f22270eb8ea8d89

SHA256
a4986363876d45b887af3d23bbf2a05ac6ed6b254875f3789ce23f427b910ca2

SHA512
572448e39192e8acd6ca5d5c33f2c652fa52ca1acd671bf473ffe73840b94fd9606bd96aee921e7d179fa7a92ab5ac0d11bd0cb5c94117423ad30641d9177203

Download Submit
C:\Windows\jfywpocfbief.exe

Filesize
360KB

MD5
9213073f63c1542315acdad27c0b8b78

SHA1
77b5765cd37ccfb7608611291d66e68b7d68e2dc

SHA256
1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad

SHA512
9ae5d76345825b0cd012d4ce8189a1b6864b3d76be93ae7fad22eb28387097346213d7763a989098ae2dd5a921afd3ab8ef72cc308d4d9bfc8e7e7efa3a92735

Download Submit
memory/1908-4653-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1908-7524-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1908-10236-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1908-10382-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1908-5392-0x0000000002130000-0x00000000021B6000-memory.dmp

Filesize
536KB

Download
memory/1908-10428-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1908-2257-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1908-12-0x0000000002130000-0x00000000021B6000-memory.dmp

Filesize
536KB

Download
memory/4200-0-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4200-3-0x0000000002030000-0x00000000020B6000-memory.dmp

Filesize
536KB

Download
memory/4200-13-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4200-14-0x0000000002030000-0x00000000020B6000-memory.dmp

Filesize
536KB

Download