teslacrypt | 84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe
Size

336KB
MD5

55ef5620d1205df70163818bf84688cd
SHA1

d883ae424be4f1968797f5d1ef3d7968932ab650
SHA256

84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec
SHA512

82f7284808f2e513dac7d3de3cbd13e56699dfa37aa45e936c7b36a7a76ff42ace05d0acb75e454c495a50f0c2d7862114bd9ed23417f1698fc1eb9afcb4b2cd
SSDEEP

6144:0xy9nRqDo0RAua922DNcbCfFpHVKY8E4IvFBJ1KTBNqG:0w9noocAxxDNcbCdfH8E7vtw9Nq

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+efcwv.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/6F9218EA529D3B4 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6F9218EA529D3B4 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6F9218EA529D3B4 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6F9218EA529D3B4 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/6F9218EA529D3B4 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6F9218EA529D3B4 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6F9218EA529D3B4 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6F9218EA529D3B4

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/6F9218EA529D3B4

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6F9218EA529D3B4

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6F9218EA529D3B4

http://xlowfznrg4wf7dli.ONION/6F9218EA529D3B4

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (884) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dbpypankoofk.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+efcwv.html	dbpypankoofk.exe

Executes dropped EXE 1 IoCs

pid	Process
2404	dbpypankoofk.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soqjjmexbfgp = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dbpypankoofk.exe\""	dbpypankoofk.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\LargeTile.scale-100.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-125.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MicrosoftLogo.scale-200.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\WideTile.scale-125.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-lightunplated.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-200.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Ear.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-fullcolor.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\dotnet\swidtag\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\157.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-36_altform-unplated_contrast-black.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-unplated.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sun.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-200.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-125.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-96_altform-unplated_contrast-white.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.SmartGlass.Controls\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36_altform-lightunplated.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\Bundle\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-60_altform-unplated_contrast-black.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunCalendarBlurred.layoutdir-LTR.jpg	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\MedTile.scale-200.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-unplated.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewer\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig_RoomScale.jpg	dbpypankoofk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-white\Settings.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\_RECoVERY_+efcwv.png	dbpypankoofk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\_RECoVERY_+efcwv.html	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\_RECoVERY_+efcwv.txt	dbpypankoofk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common\Resources\_RECoVERY_+efcwv.html	dbpypankoofk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dbpypankoofk.exe	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe
File opened for modification	C:\Windows\dbpypankoofk.exe	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbpypankoofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dbpypankoofk.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4208	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe
2404	dbpypankoofk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe
Token: SeDebugPrivilege	2404	dbpypankoofk.exe
Token: SeIncreaseQuotaPrivilege	4828	WMIC.exe
Token: SeSecurityPrivilege	4828	WMIC.exe
Token: SeTakeOwnershipPrivilege	4828	WMIC.exe
Token: SeLoadDriverPrivilege	4828	WMIC.exe
Token: SeSystemProfilePrivilege	4828	WMIC.exe
Token: SeSystemtimePrivilege	4828	WMIC.exe
Token: SeProfSingleProcessPrivilege	4828	WMIC.exe
Token: SeIncBasePriorityPrivilege	4828	WMIC.exe
Token: SeCreatePagefilePrivilege	4828	WMIC.exe
Token: SeBackupPrivilege	4828	WMIC.exe
Token: SeRestorePrivilege	4828	WMIC.exe
Token: SeShutdownPrivilege	4828	WMIC.exe
Token: SeDebugPrivilege	4828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4828	WMIC.exe
Token: SeRemoteShutdownPrivilege	4828	WMIC.exe
Token: SeUndockPrivilege	4828	WMIC.exe
Token: SeManageVolumePrivilege	4828	WMIC.exe
Token: 33	4828	WMIC.exe
Token: 34	4828	WMIC.exe
Token: 35	4828	WMIC.exe
Token: 36	4828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4828	WMIC.exe
Token: SeSecurityPrivilege	4828	WMIC.exe
Token: SeTakeOwnershipPrivilege	4828	WMIC.exe
Token: SeLoadDriverPrivilege	4828	WMIC.exe
Token: SeSystemProfilePrivilege	4828	WMIC.exe
Token: SeSystemtimePrivilege	4828	WMIC.exe
Token: SeProfSingleProcessPrivilege	4828	WMIC.exe
Token: SeIncBasePriorityPrivilege	4828	WMIC.exe
Token: SeCreatePagefilePrivilege	4828	WMIC.exe
Token: SeBackupPrivilege	4828	WMIC.exe
Token: SeRestorePrivilege	4828	WMIC.exe
Token: SeShutdownPrivilege	4828	WMIC.exe
Token: SeDebugPrivilege	4828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4828	WMIC.exe
Token: SeRemoteShutdownPrivilege	4828	WMIC.exe
Token: SeUndockPrivilege	4828	WMIC.exe
Token: SeManageVolumePrivilege	4828	WMIC.exe
Token: 33	4828	WMIC.exe
Token: 34	4828	WMIC.exe
Token: 35	4828	WMIC.exe
Token: 36	4828	WMIC.exe
Token: SeBackupPrivilege	2348	vssvc.exe
Token: SeRestorePrivilege	2348	vssvc.exe
Token: SeAuditPrivilege	2348	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3472	WMIC.exe
Token: SeSecurityPrivilege	3472	WMIC.exe
Token: SeTakeOwnershipPrivilege	3472	WMIC.exe
Token: SeLoadDriverPrivilege	3472	WMIC.exe
Token: SeSystemProfilePrivilege	3472	WMIC.exe
Token: SeSystemtimePrivilege	3472	WMIC.exe
Token: SeProfSingleProcessPrivilege	3472	WMIC.exe
Token: SeIncBasePriorityPrivilege	3472	WMIC.exe
Token: SeCreatePagefilePrivilege	3472	WMIC.exe
Token: SeBackupPrivilege	3472	WMIC.exe
Token: SeRestorePrivilege	3472	WMIC.exe
Token: SeShutdownPrivilege	3472	WMIC.exe
Token: SeDebugPrivilege	3472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3472	WMIC.exe
Token: SeRemoteShutdownPrivilege	3472	WMIC.exe
Token: SeUndockPrivilege	3472	WMIC.exe
Token: SeManageVolumePrivilege	3472	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 2404	4728	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	87
PID 4728 wrote to memory of 2404	4728	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	87
PID 4728 wrote to memory of 2404	4728	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	87
PID 4728 wrote to memory of 4756	4728	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	88
PID 4728 wrote to memory of 4756	4728	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	88
PID 4728 wrote to memory of 4756	4728	55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe	88
PID 2404 wrote to memory of 4828	2404	dbpypankoofk.exe	90
PID 2404 wrote to memory of 4828	2404	dbpypankoofk.exe	90
PID 2404 wrote to memory of 4208	2404	dbpypankoofk.exe	105
PID 2404 wrote to memory of 4208	2404	dbpypankoofk.exe	105
PID 2404 wrote to memory of 4208	2404	dbpypankoofk.exe	105
PID 2404 wrote to memory of 1964	2404	dbpypankoofk.exe	106
PID 2404 wrote to memory of 1964	2404	dbpypankoofk.exe	106
PID 1964 wrote to memory of 508	1964	msedge.exe	107
PID 1964 wrote to memory of 508	1964	msedge.exe	107
PID 2404 wrote to memory of 3472	2404	dbpypankoofk.exe	108
PID 2404 wrote to memory of 3472	2404	dbpypankoofk.exe	108
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4860	1964	msedge.exe	110
PID 1964 wrote to memory of 4432	1964	msedge.exe	111
PID 1964 wrote to memory of 4432	1964	msedge.exe	111
PID 1964 wrote to memory of 868	1964	msedge.exe	112
PID 1964 wrote to memory of 868	1964	msedge.exe	112
PID 1964 wrote to memory of 868	1964	msedge.exe	112
PID 1964 wrote to memory of 868	1964	msedge.exe	112
PID 1964 wrote to memory of 868	1964	msedge.exe	112

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dbpypankoofk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dbpypankoofk.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55ef5620d1205df70163818bf84688cd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\dbpypankoofk.exe
  C:\Windows\dbpypankoofk.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2404
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:4208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc02fd46f8,0x7ffc02fd4708,0x7ffc02fd4718
      4⤵
      PID:508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3581945669343904467,11409680376458308284,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:4860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,3581945669343904467,11409680376458308284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      4⤵
      PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,3581945669343904467,11409680376458308284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
      4⤵
      PID:868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3581945669343904467,11409680376458308284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:4508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3581945669343904467,11409680376458308284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      PID:904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3581945669343904467,11409680376458308284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
      4⤵
      PID:2080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3581945669343904467,11409680376458308284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
      4⤵
      PID:900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3581945669343904467,11409680376458308284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
      4⤵
      PID:4820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3581945669343904467,11409680376458308284,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
      4⤵
      PID:5048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3581945669343904467,11409680376458308284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
      4⤵
      PID:832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3581945669343904467,11409680376458308284,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
      4⤵
      PID:3496
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DBPYPA~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\55EF56~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+efcwv.html

Filesize
10KB

MD5
15f22e882dab5219038d19f5afc1a6f3

SHA1
91794bcdd9f0f686c08dfa7152fa0da5ef86bb48

SHA256
4aaae2aef30e0baedc47bd007c37c50b4c62b004ab440f4055878ce9e3bd721c

SHA512
058b9bc05655025611abea0eb38a89acc382d9fc5b854511bc927338ee0853fe26fabc3fd28549f1f6759a5c1e727307341d7809b397c3cbdd27ebfd13929563

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+efcwv.png

Filesize
63KB

MD5
cebf4c347bafa547db6d3d037933185f

SHA1
c1afc4aaf1aa7f74a34a4a78300f4e8e252e6244

SHA256
4c2b06ca4943b948add1216a20f1cfa565afe243d0c1fe44660d7ce1f70560c3

SHA512
eb5e5152a24ce03be4880f996a584fea49c2ebafdebc4d0f2b950451a059022de0bb1408058117e41670e619dc64b8827b4fcd4598369e52e1b0b8c3eb42cbef

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+efcwv.txt

Filesize
1KB

MD5
49c6a65e4cb571e72f4912736ece7422

SHA1
b282f0c01b13ea8c43be44650a71737e516bd0cb

SHA256
156421854555d336f25c6119e74b006e5f278df0f4228f0ca6cb18abe84b63d5

SHA512
9fe334c956d5077f4125329ca1714c8a683b3fdce5fd2d27be5f40acf9a4a84f8a658c12a97b9552af45f0abc215447e49f935041739b285194f3f36ca5ca9f4

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
6afa2b01220a66cc25994895c756019e

SHA1
e7dc2f91e8d5300311b6c97eafcc2d2c753b0811

SHA256
66828315196f4b86eb26b68e855328e0af0f915794b187e111823e26058a66ba

SHA512
a9790e5651182e749143c11d952c7531f31e54da192d785cbde50586c2d5aaa689aa958bcb55451322f213243c5ab5eb1c145954c59fd8359992d767424f21df

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
ed76f50435036b1206da8d6ea8c13677

SHA1
30eee4f264b5491252bcd61d318cb4c3b9a8d2c5

SHA256
5a7a7a882191a0b9856a9fe39cfaf0e9641c0abae4233b471fdd345d6505d236

SHA512
486c61d9d929588a07b7f13e2a73945b52d739090ed4db02c4638f3c6e42f4d95afd204fa75b50bf99e2012511019a63861404125cff5d640042586d60282cbc

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
0269ce8892d559a2f48a3ce197f1c847

SHA1
9a97c20413170a5822ccef39d1c52c1ad7285647

SHA256
d4c55ae25c84440b3f8274f019614794437a11bcc89d5c7aff29bf4b7736e699

SHA512
4a982ca6889c8f2f4093a9f79e023599439e8f7c96f5a486ac9364caeb65bf9c9deda42fd44b2412ff1c6356a768a32074711ab71e6e7e1f820d1fe8a965395b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
84b68532c92c241b876d4581e78910ee

SHA1
7321d57a99e7ecb3ac731bd47ff26b8240213255

SHA256
566530bef971dd0754dd47abfd39be7b7b2fa446ba84c23d92ce42cf8a0a92c9

SHA512
0ddebc29354ade16c6ead85fc6ed8e2f00b7c4c216a16f9537c070983c047fe30113aa22c8c538edea4f90f25459d9ad3e49ec2317290b9705de0174d8a16db8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1cdd198c44c3dd31e51abc25c202a275

SHA1
eb643997dcbe0a84b79ae4065eb24fbdd8c08c23

SHA256
449097004409b3a3135c170677ba56a6cefc8f2e17c52395812b12ce116d0ef9

SHA512
eaea07cc1c6f1e65178ec1d80872aa622e252a6b7eceb220df13a61115794851a31533e004e4dcda997bac569e34b8b3af20a47004bafe581d38d756f84fe3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ad04c7394d7a39c3ddcaca913df0b974

SHA1
9731b86df7ca3d39f8ab6c5e3b9eb1cdf08cd5d6

SHA256
08ebdef02eee2b17c7819eae06739b166457b1f76fdb56f96f47200679e41278

SHA512
91ee9bd0fbbabe103c46ebee2f718ea99adf94fd5df355a32b880c07ebc1ba140371d864a621cf4a4c85625cfcd773d81a681968e3e499e31168591922c5170b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665766873969.txt

Filesize
74KB

MD5
302772cc5b3ada7a57539e98550a21dd

SHA1
7334445d11ebfd259aabc931bc2300a9a76e40cc

SHA256
b4fa708467a47206333df605c6f5a4ceac97d7fab5d8245267eaccd3bfd13622

SHA512
11d2cca2e2a56d995554ea21a6a6a309fc4c0c087bf6ea96011bf35de4ba95e031d36c41b6febf86834c745397aa257889d02b53e2782352c6ec0ac2983f2c2b

Download Submit
C:\Windows\dbpypankoofk.exe

Filesize
336KB

MD5
55ef5620d1205df70163818bf84688cd

SHA1
d883ae424be4f1968797f5d1ef3d7968932ab650

SHA256
84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec

SHA512
82f7284808f2e513dac7d3de3cbd13e56699dfa37aa45e936c7b36a7a76ff42ace05d0acb75e454c495a50f0c2d7862114bd9ed23417f1698fc1eb9afcb4b2cd

Download Submit
memory/2404-10828-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2404-10639-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2404-7895-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2404-4636-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2404-10874-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2404-2453-0x0000000002170000-0x00000000021F6000-memory.dmp

Filesize
536KB

Download
memory/2404-2452-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2404-9-0x0000000002170000-0x00000000021F6000-memory.dmp

Filesize
536KB

Download
memory/4728-13-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4728-1-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4728-0-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download
memory/4728-14-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download