teslacrypt | 153ba034dc65a8a277f8911c555b8126549e35f40fdf4591bbe07bff8427ba16

Analysis

max time kernel
118s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62970d3ad9a12b875acc60a0a8310150N.exe
Size

496KB
MD5

62970d3ad9a12b875acc60a0a8310150
SHA1

fe4a5b2f1e43bb0a4776194765b81309b3b133cb
SHA256

153ba034dc65a8a277f8911c555b8126549e35f40fdf4591bbe07bff8427ba16
SHA512

5e71f110d9dee34126566ff7949726adb3ac06ef996201919e67d1396a3ec324dac18c6bc2a4b947fec961b98ea9ef34e627e6205d9899f7f4f74c689fd8ba47
SSDEEP

12288:sEOgCOhJJJh9x+5Q5oDfXCIWhM9QXpzFq:sEv5JiQ5EfyXm

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+twywq.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8916E28566B6B45 2 - http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/8916E28566B6B45 3 - http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/8916E28566B6B45 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/8916E28566B6B45 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8916E28566B6B45 http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/8916E28566B6B45 http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/8916E28566B6B45 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/8916E28566B6B45

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8916E28566B6B45

http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/8916E28566B6B45

http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/8916E28566B6B45

http://xlowfznrg4wf7dli.ONION/8916E28566B6B45

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (882) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	62970d3ad9a12b875acc60a0a8310150N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	qxidqvofpvox.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+twywq.png	qxidqvofpvox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+twywq.html	qxidqvofpvox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+twywq.png	qxidqvofpvox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+twywq.html	qxidqvofpvox.exe

Executes dropped EXE 1 IoCs

pid	Process
372	qxidqvofpvox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kvymrso = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\qxidqvofpvox.exe"	qxidqvofpvox.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\_ReCoVeRy_+twywq.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\Data\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-40_altform-unplated.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\Views\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-200.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_contrast-black.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_ReCoVeRy_+twywq.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp4.scale-125.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\_ReCoVeRy_+twywq.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+twywq.html	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-100.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\_ReCoVeRy_+twywq.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-125_contrast-white.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-32_altform-unplated.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-100.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-400.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-400.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\View3d\_ReCoVeRy_+twywq.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_ReCoVeRy_+twywq.html	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W6.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MoveToFolderToastQuickAction.scale-80.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\LargeTile.scale-125.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\_ReCoVeRy_+twywq.html	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_ReCoVeRy_+twywq.html	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-125.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-20_altform-unplated.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+twywq.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+twywq.html	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-200.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-96_altform-unplated.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_ReCoVeRy_+twywq.html	qxidqvofpvox.exe
File opened for modification	C:\Program Files\ConvertToGet.m4a	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-48.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Content\SaturationGradient.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32_altform-unplated.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+twywq.txt	qxidqvofpvox.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\_ReCoVeRy_+twywq.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-fullcolor.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-100.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-125.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\wiggle350.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-125_contrast-black.png	qxidqvofpvox.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png	qxidqvofpvox.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\qxidqvofpvox.exe	62970d3ad9a12b875acc60a0a8310150N.exe
File opened for modification	C:\Windows\qxidqvofpvox.exe	62970d3ad9a12b875acc60a0a8310150N.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62970d3ad9a12b875acc60a0a8310150N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qxidqvofpvox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	qxidqvofpvox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4240	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe
372	qxidqvofpvox.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3816	62970d3ad9a12b875acc60a0a8310150N.exe
Token: SeDebugPrivilege	372	qxidqvofpvox.exe
Token: SeIncreaseQuotaPrivilege	472	WMIC.exe
Token: SeSecurityPrivilege	472	WMIC.exe
Token: SeTakeOwnershipPrivilege	472	WMIC.exe
Token: SeLoadDriverPrivilege	472	WMIC.exe
Token: SeSystemProfilePrivilege	472	WMIC.exe
Token: SeSystemtimePrivilege	472	WMIC.exe
Token: SeProfSingleProcessPrivilege	472	WMIC.exe
Token: SeIncBasePriorityPrivilege	472	WMIC.exe
Token: SeCreatePagefilePrivilege	472	WMIC.exe
Token: SeBackupPrivilege	472	WMIC.exe
Token: SeRestorePrivilege	472	WMIC.exe
Token: SeShutdownPrivilege	472	WMIC.exe
Token: SeDebugPrivilege	472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	472	WMIC.exe
Token: SeRemoteShutdownPrivilege	472	WMIC.exe
Token: SeUndockPrivilege	472	WMIC.exe
Token: SeManageVolumePrivilege	472	WMIC.exe
Token: 33	472	WMIC.exe
Token: 34	472	WMIC.exe
Token: 35	472	WMIC.exe
Token: 36	472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	472	WMIC.exe
Token: SeSecurityPrivilege	472	WMIC.exe
Token: SeTakeOwnershipPrivilege	472	WMIC.exe
Token: SeLoadDriverPrivilege	472	WMIC.exe
Token: SeSystemProfilePrivilege	472	WMIC.exe
Token: SeSystemtimePrivilege	472	WMIC.exe
Token: SeProfSingleProcessPrivilege	472	WMIC.exe
Token: SeIncBasePriorityPrivilege	472	WMIC.exe
Token: SeCreatePagefilePrivilege	472	WMIC.exe
Token: SeBackupPrivilege	472	WMIC.exe
Token: SeRestorePrivilege	472	WMIC.exe
Token: SeShutdownPrivilege	472	WMIC.exe
Token: SeDebugPrivilege	472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	472	WMIC.exe
Token: SeRemoteShutdownPrivilege	472	WMIC.exe
Token: SeUndockPrivilege	472	WMIC.exe
Token: SeManageVolumePrivilege	472	WMIC.exe
Token: 33	472	WMIC.exe
Token: 34	472	WMIC.exe
Token: 35	472	WMIC.exe
Token: 36	472	WMIC.exe
Token: SeBackupPrivilege	4908	vssvc.exe
Token: SeRestorePrivilege	4908	vssvc.exe
Token: SeAuditPrivilege	4908	vssvc.exe
Token: SeIncreaseQuotaPrivilege	444	WMIC.exe
Token: SeSecurityPrivilege	444	WMIC.exe
Token: SeTakeOwnershipPrivilege	444	WMIC.exe
Token: SeLoadDriverPrivilege	444	WMIC.exe
Token: SeSystemProfilePrivilege	444	WMIC.exe
Token: SeSystemtimePrivilege	444	WMIC.exe
Token: SeProfSingleProcessPrivilege	444	WMIC.exe
Token: SeIncBasePriorityPrivilege	444	WMIC.exe
Token: SeCreatePagefilePrivilege	444	WMIC.exe
Token: SeBackupPrivilege	444	WMIC.exe
Token: SeRestorePrivilege	444	WMIC.exe
Token: SeShutdownPrivilege	444	WMIC.exe
Token: SeDebugPrivilege	444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	444	WMIC.exe
Token: SeRemoteShutdownPrivilege	444	WMIC.exe
Token: SeUndockPrivilege	444	WMIC.exe
Token: SeManageVolumePrivilege	444	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 372	3816	62970d3ad9a12b875acc60a0a8310150N.exe	88
PID 3816 wrote to memory of 372	3816	62970d3ad9a12b875acc60a0a8310150N.exe	88
PID 3816 wrote to memory of 372	3816	62970d3ad9a12b875acc60a0a8310150N.exe	88
PID 3816 wrote to memory of 1700	3816	62970d3ad9a12b875acc60a0a8310150N.exe	89
PID 3816 wrote to memory of 1700	3816	62970d3ad9a12b875acc60a0a8310150N.exe	89
PID 3816 wrote to memory of 1700	3816	62970d3ad9a12b875acc60a0a8310150N.exe	89
PID 372 wrote to memory of 472	372	qxidqvofpvox.exe	91
PID 372 wrote to memory of 472	372	qxidqvofpvox.exe	91
PID 372 wrote to memory of 4240	372	qxidqvofpvox.exe	106
PID 372 wrote to memory of 4240	372	qxidqvofpvox.exe	106
PID 372 wrote to memory of 4240	372	qxidqvofpvox.exe	106
PID 372 wrote to memory of 1888	372	qxidqvofpvox.exe	107
PID 372 wrote to memory of 1888	372	qxidqvofpvox.exe	107
PID 1888 wrote to memory of 772	1888	msedge.exe	108
PID 1888 wrote to memory of 772	1888	msedge.exe	108
PID 372 wrote to memory of 444	372	qxidqvofpvox.exe	109
PID 372 wrote to memory of 444	372	qxidqvofpvox.exe	109
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 2660	1888	msedge.exe	111
PID 1888 wrote to memory of 3208	1888	msedge.exe	112
PID 1888 wrote to memory of 3208	1888	msedge.exe	112
PID 1888 wrote to memory of 3964	1888	msedge.exe	113
PID 1888 wrote to memory of 3964	1888	msedge.exe	113
PID 1888 wrote to memory of 3964	1888	msedge.exe	113
PID 1888 wrote to memory of 3964	1888	msedge.exe	113
PID 1888 wrote to memory of 3964	1888	msedge.exe	113

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	qxidqvofpvox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	qxidqvofpvox.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\62970d3ad9a12b875acc60a0a8310150N.exe
"C:\Users\Admin\AppData\Local\Temp\62970d3ad9a12b875acc60a0a8310150N.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\qxidqvofpvox.exe
  C:\Windows\qxidqvofpvox.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:372
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:472
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:4240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffa0fc346f8,0x7ffa0fc34708,0x7ffa0fc34718
      4⤵
      PID:772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9768689635654167139,8399931605835492628,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:2660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9768689635654167139,8399931605835492628,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      PID:3208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,9768689635654167139,8399931605835492628,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
      4⤵
      PID:3964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9768689635654167139,8399931605835492628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      PID:1880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9768689635654167139,8399931605835492628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9768689635654167139,8399931605835492628,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
      4⤵
      PID:3604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9768689635654167139,8399931605835492628,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
      4⤵
      PID:4468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9768689635654167139,8399931605835492628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
      4⤵
      PID:4988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9768689635654167139,8399931605835492628,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
      4⤵
      PID:4320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9768689635654167139,8399931605835492628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      PID:1680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9768689635654167139,8399931605835492628,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
      4⤵
      PID:4084
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QXIDQV~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\62970D~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+twywq.html

Filesize
11KB

MD5
282be0ea12770429ce1122a43476e974

SHA1
c06f6ce87ca79efa5931541d6456360342ff3a21

SHA256
fedbcd0781f7e521bb7dd8a1cf1ded33c9988d3d2fea3b6d3d14c767c99b16be

SHA512
40419e4e4f2ed815906444c54b87a05acc8a956f5d7627816c3d0ae54bb0b01dbb187de50cf3c8767b9db96656edd9f5b9a8f0fe259bbe199a49177005471654

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+twywq.png

Filesize
64KB

MD5
6a673b166fc94a0d6a7f9d9591d55a42

SHA1
cb49dbb9024c897fc97b6eaf3373521601fb315a

SHA256
33b4cfc4a1394113ae5af266d0fb1f2aa423b4776f95658af68abb6749deb05b

SHA512
9a6f3defd4b9b7c69cc79fe21e101341962189bd098f7f12eaf30f4d13aec0d3f556620e0f0f31bd1b8cfa9e8f73f6ed327182059210269307cd7cb6c3841b76

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+twywq.txt

Filesize
1KB

MD5
3337ef84137c39d80271fdd943c434b5

SHA1
7add9b4ec2dd5242271e58b896ef34c147c5c617

SHA256
b2162ff4830f8daf4a020320651c2d35027ac424f94a26682b0c2d5da7b287a9

SHA512
9b09549e91c686fa3e7c16d3dc997be3a6ab31c84b8a7849bdb5f80963fc56c13559fe2c530f35aa30afcd89c6cc12f0d77cde2f0099e422ae8cf14c45d84c43

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
7e60fdaf681ca928d1d75d95d4c4df58

SHA1
54d6be07ebde369975c61bd46b91ff31c4a2ca30

SHA256
54f2279a4ce42f5aef0e219b5e4f5120d7865313dec184b6ac1475b07885cc1e

SHA512
44a6bf55c463b2d3617dc69c83709bfc73f58a88fd91442063fada010d45a4da12fe35e96dabe23c739c46fa7559accc61673057eeedf06705e9e5f060ddd1e2

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
250263d1c6ee3a26a66114ae87b2fb3d

SHA1
2e2cb4cde901837d46f1bc4709a828e439d7ccfc

SHA256
a930bc3cb0681e3146882a22710474025bea172159eccdfbb80ec1c467e90c68

SHA512
6d9159b80602337fb2762769056b9627431e7cc7d25e3aecece76595fbe4b497c3bf90692945a674d822050fcaebf8b91bf11a95d9582ba58c67ee9135e91ddd

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
0637567889868172a6d53a347abc26f3

SHA1
ac258e06f2740064d4a5b41848ee26fc7e70b2b7

SHA256
ed40ae700580b5e95e51708adb40244b9edb28995fe332c6f6b42ed5d8cd4c96

SHA512
f38d75aa3b1889d891daffe0690c8af8477126cf75b525f2e0eab2826d4b4d82c7b9acc2dafd236e1115f44714b42c89fe1b7e6a754154f031668b0ebe4cfa84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a5306781597925ec0c7c9ca2bc68bbd1

SHA1
0893a5100baf0ba462d80f8a2b23f490590a7ba8

SHA256
c2e2b9a7770b115a903afdea1711bb7a3be838395927d5becdde9c690a0a28df

SHA512
591e737e4b1209696a177b3a53215397f876f62a62361228c75d23891354f82d4d931ce060ee1b7d84aa84f440414be5d63f6a20b21fc57d6b3ef0180d2424c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
caee5481b33c308ac17c5779231fcabb

SHA1
fd03ee8f087cde06f6d103e12346acac4b0a5e26

SHA256
e54e65a6ca00d0974229f985353e81c531cb012d6ecf0b4ee3d3b812ce5cce63

SHA512
c436b8aaefde870b27f6f5da52625e49d78e624c276f679ae08d94a9b2f0ff4a9e9223d59b6e898f76eceac5fc397983665d244d7f3537aae324c6ba9ed85184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3145ffe8654539b023dcaaff323d030c

SHA1
9157359169a5aa34b1331d7a76e491b3a36f5635

SHA256
5f487c8446d867a58f9c11be6a082885878985e5a6987b4171e23676d653f525

SHA512
7bd5d6be4901a955ce49962bbea7c5acfa5d48abb25f9f075ecf6928edade7a75678decfae28dc6dcae44f195f581e24a745cff3fd6ae2a4518376aed0b5eafd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670756182462133.txt

Filesize
47KB

MD5
ddd97833c4da16189152d804ef0271f8

SHA1
0511c6e3502e894b46729ece3e397da00e09e977

SHA256
1dea6e2e58b76a651c9eb5af019868fede267b309e2e39b7c33b58867fda43ab

SHA512
f7688c4f760e142dbdb59e4b7cfd43bfa15a543ad8179a9deb4b1097a0316d35c63d5a092aaa2ffc5e93f1cbe6f48d841b2ffc19eca9eff2fb83ccec7cf8b14b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764368086779.txt

Filesize
74KB

MD5
430efb341fb217057eefeae0e04cf155

SHA1
01c3a4fd76fa7cbbcce4da888bd484648b8ca720

SHA256
e112816c8c42a14e1444177be325fc08571e3282e5644467d7294e1651ad8d63

SHA512
31f7a79c7f7927752ef199c6ba8e7029a1c4dbe404f660616005ebb045aedef50ed0863101ee1b8eadb13e971c8f1451413cd751b9099be64f01dce1cb5e2138

Download Submit
C:\Windows\qxidqvofpvox.exe

Filesize
496KB

MD5
62970d3ad9a12b875acc60a0a8310150

SHA1
fe4a5b2f1e43bb0a4776194765b81309b3b133cb

SHA256
153ba034dc65a8a277f8911c555b8126549e35f40fdf4591bbe07bff8427ba16

SHA512
5e71f110d9dee34126566ff7949726adb3ac06ef996201919e67d1396a3ec324dac18c6bc2a4b947fec961b98ea9ef34e627e6205d9899f7f4f74c689fd8ba47

Download Submit
memory/372-16-0x00000000021A0000-0x0000000002226000-memory.dmp

Filesize
536KB

Download
memory/372-2697-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/372-8823-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/372-10483-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/372-10486-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/372-5453-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/372-2390-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/372-10529-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3816-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3816-1-0x00000000021C0000-0x0000000002246000-memory.dmp

Filesize
536KB

Download
memory/3816-2-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3816-12-0x00000000021C0000-0x0000000002246000-memory.dmp

Filesize
536KB

Download
memory/3816-11-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download