teslacrypt | dfd96eb0d24ab0e64e6e2078eca2ae8e969295be95b0862456371f79a22333a2

Analysis

max time kernel
140s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe
Size

352KB
MD5

e7f147af11b3494756d8c07149de56c5
SHA1

c3b7a6a4b77eebaef88b1f874317d55783c10e82
SHA256

dfd96eb0d24ab0e64e6e2078eca2ae8e969295be95b0862456371f79a22333a2
SHA512

a0dd11b4c085c3642ec109ae33ded492db4f0e73c42bdb45e42bfe8243ad7b770362cfa966d45bdd90579f34e70ed595340d6b65379fd69e65c19c9ec2180027
SSDEEP

6144:oMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:oTb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xyshw.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/EDA5679AE795A2BF 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/EDA5679AE795A2BF 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/EDA5679AE795A2BF If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/EDA5679AE795A2BF 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/EDA5679AE795A2BF http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/EDA5679AE795A2BF http://yyre45dbvn2nhbefbmh.begumvelic.at/EDA5679AE795A2BF Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/EDA5679AE795A2BF

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/EDA5679AE795A2BF

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/EDA5679AE795A2BF

http://yyre45dbvn2nhbefbmh.begumvelic.at/EDA5679AE795A2BF

http://xlowfznrg4wf7dli.ONION/EDA5679AE795A2BF

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (867) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	docdgqfarcce.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xyshw.png	docdgqfarcce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xyshw.png	docdgqfarcce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe

Executes dropped EXE 1 IoCs

pid	Process
4224	docdgqfarcce.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rsljjud = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\docdgqfarcce.exe"	docdgqfarcce.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\_ReCoVeRy_+xyshw.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlOuterCircleHover.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+xyshw.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\_ReCoVeRy_+xyshw.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\15.jpg	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-lightunplated.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-24_altform-unplated_contrast-black.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-16_altform-unplated.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-24_contrast-black.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-100.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak	docdgqfarcce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-200.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-white\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-24.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_ReCoVeRy_+xyshw.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-100.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\webviewBoot.min.js	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-fullcolor.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+xyshw.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_ReCoVeRy_+xyshw.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-125.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\ModifiableWindowsApps\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\_ReCoVeRy_+xyshw.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Pyramid.Medium.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+xyshw.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\View3d\_ReCoVeRy_+xyshw.txt	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-fullcolor.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionMedTile.scale-100.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak	docdgqfarcce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\MilitaryLeft.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_ReCoVeRy_+xyshw.html	docdgqfarcce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png	docdgqfarcce.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_24x24x32.png	docdgqfarcce.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\docdgqfarcce.exe	e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe
File opened for modification	C:\Windows\docdgqfarcce.exe	e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	docdgqfarcce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	docdgqfarcce.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
428	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe
4224	docdgqfarcce.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe
Token: SeDebugPrivilege	4224	docdgqfarcce.exe
Token: SeIncreaseQuotaPrivilege	3600	WMIC.exe
Token: SeSecurityPrivilege	3600	WMIC.exe
Token: SeTakeOwnershipPrivilege	3600	WMIC.exe
Token: SeLoadDriverPrivilege	3600	WMIC.exe
Token: SeSystemProfilePrivilege	3600	WMIC.exe
Token: SeSystemtimePrivilege	3600	WMIC.exe
Token: SeProfSingleProcessPrivilege	3600	WMIC.exe
Token: SeIncBasePriorityPrivilege	3600	WMIC.exe
Token: SeCreatePagefilePrivilege	3600	WMIC.exe
Token: SeBackupPrivilege	3600	WMIC.exe
Token: SeRestorePrivilege	3600	WMIC.exe
Token: SeShutdownPrivilege	3600	WMIC.exe
Token: SeDebugPrivilege	3600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3600	WMIC.exe
Token: SeRemoteShutdownPrivilege	3600	WMIC.exe
Token: SeUndockPrivilege	3600	WMIC.exe
Token: SeManageVolumePrivilege	3600	WMIC.exe
Token: 33	3600	WMIC.exe
Token: 34	3600	WMIC.exe
Token: 35	3600	WMIC.exe
Token: 36	3600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3600	WMIC.exe
Token: SeSecurityPrivilege	3600	WMIC.exe
Token: SeTakeOwnershipPrivilege	3600	WMIC.exe
Token: SeLoadDriverPrivilege	3600	WMIC.exe
Token: SeSystemProfilePrivilege	3600	WMIC.exe
Token: SeSystemtimePrivilege	3600	WMIC.exe
Token: SeProfSingleProcessPrivilege	3600	WMIC.exe
Token: SeIncBasePriorityPrivilege	3600	WMIC.exe
Token: SeCreatePagefilePrivilege	3600	WMIC.exe
Token: SeBackupPrivilege	3600	WMIC.exe
Token: SeRestorePrivilege	3600	WMIC.exe
Token: SeShutdownPrivilege	3600	WMIC.exe
Token: SeDebugPrivilege	3600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3600	WMIC.exe
Token: SeRemoteShutdownPrivilege	3600	WMIC.exe
Token: SeUndockPrivilege	3600	WMIC.exe
Token: SeManageVolumePrivilege	3600	WMIC.exe
Token: 33	3600	WMIC.exe
Token: 34	3600	WMIC.exe
Token: 35	3600	WMIC.exe
Token: 36	3600	WMIC.exe
Token: SeBackupPrivilege	652	vssvc.exe
Token: SeRestorePrivilege	652	vssvc.exe
Token: SeAuditPrivilege	652	vssvc.exe
Token: SeIncreaseQuotaPrivilege	332	WMIC.exe
Token: SeSecurityPrivilege	332	WMIC.exe
Token: SeTakeOwnershipPrivilege	332	WMIC.exe
Token: SeLoadDriverPrivilege	332	WMIC.exe
Token: SeSystemProfilePrivilege	332	WMIC.exe
Token: SeSystemtimePrivilege	332	WMIC.exe
Token: SeProfSingleProcessPrivilege	332	WMIC.exe
Token: SeIncBasePriorityPrivilege	332	WMIC.exe
Token: SeCreatePagefilePrivilege	332	WMIC.exe
Token: SeBackupPrivilege	332	WMIC.exe
Token: SeRestorePrivilege	332	WMIC.exe
Token: SeShutdownPrivilege	332	WMIC.exe
Token: SeDebugPrivilege	332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	332	WMIC.exe
Token: SeRemoteShutdownPrivilege	332	WMIC.exe
Token: SeUndockPrivilege	332	WMIC.exe
Token: SeManageVolumePrivilege	332	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 4224	4272	e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe	84
PID 4272 wrote to memory of 4224	4272	e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe	84
PID 4272 wrote to memory of 4224	4272	e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe	84
PID 4272 wrote to memory of 452	4272	e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe	85
PID 4272 wrote to memory of 452	4272	e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe	85
PID 4272 wrote to memory of 452	4272	e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe	85
PID 4224 wrote to memory of 3600	4224	docdgqfarcce.exe	87
PID 4224 wrote to memory of 3600	4224	docdgqfarcce.exe	87
PID 4224 wrote to memory of 428	4224	docdgqfarcce.exe	108
PID 4224 wrote to memory of 428	4224	docdgqfarcce.exe	108
PID 4224 wrote to memory of 428	4224	docdgqfarcce.exe	108
PID 4224 wrote to memory of 2136	4224	docdgqfarcce.exe	109
PID 4224 wrote to memory of 2136	4224	docdgqfarcce.exe	109
PID 2136 wrote to memory of 4244	2136	msedge.exe	110
PID 2136 wrote to memory of 4244	2136	msedge.exe	110
PID 4224 wrote to memory of 332	4224	docdgqfarcce.exe	111
PID 4224 wrote to memory of 332	4224	docdgqfarcce.exe	111
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 2316	2136	msedge.exe	113
PID 2136 wrote to memory of 4920	2136	msedge.exe	114
PID 2136 wrote to memory of 4920	2136	msedge.exe	114
PID 2136 wrote to memory of 2812	2136	msedge.exe	115
PID 2136 wrote to memory of 2812	2136	msedge.exe	115
PID 2136 wrote to memory of 2812	2136	msedge.exe	115
PID 2136 wrote to memory of 2812	2136	msedge.exe	115
PID 2136 wrote to memory of 2812	2136	msedge.exe	115

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	docdgqfarcce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	docdgqfarcce.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7f147af11b3494756d8c07149de56c5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\docdgqfarcce.exe
  C:\Windows\docdgqfarcce.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4224
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3600
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xc0,0x108,0x7ffbc35646f8,0x7ffbc3564708,0x7ffbc3564718
      4⤵
      PID:4244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,8140376601695390577,8098305533382950272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:2316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,8140376601695390577,8098305533382950272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
      4⤵
      PID:4920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,8140376601695390577,8098305533382950272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
      4⤵
      PID:2812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8140376601695390577,8098305533382950272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
      4⤵
      PID:1228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8140376601695390577,8098305533382950272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      PID:2700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8140376601695390577,8098305533382950272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
      4⤵
      PID:2380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8140376601695390577,8098305533382950272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
      4⤵
      PID:4352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8140376601695390577,8098305533382950272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
      4⤵
      PID:2740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8140376601695390577,8098305533382950272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
      4⤵
      PID:1904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8140376601695390577,8098305533382950272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:2440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8140376601695390577,8098305533382950272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      4⤵
      PID:3680
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DOCDGQ~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E7F147~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xyshw.html

Filesize
12KB

MD5
ee029318ca0c8576f4a818389f398a12

SHA1
22e124ba2cda3f71ef39d98f949ad8006c121ca8

SHA256
85de661e11e71c84e84372e768f271d5e7eecaf00466abcab6687bc6ef83473f

SHA512
011f7dbe2e71dd444f2333e6e518418d1ae9abfab1125fcf306185dbbea37a5bfc9ee602f16893584f51b350ca77547c3abde52f9dfc63534d0fb5fd8891b772

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xyshw.png

Filesize
64KB

MD5
ccd20e63829bfb2acafeac8f7005a7cb

SHA1
55251b6b453cb52ba574169afaa7e003f5fd6ae0

SHA256
09e3114fbcc7b23f3f7ef786967b15abe106a8d2fe4586bd90419b0d6fa831fb

SHA512
8870f160ba8857e82d02b359777e86a5ff6db537797430ade9e9cbeef4fe1e23716a37208d02e6a161ac54992157a55381638b88a4644be06c858ccb69d56682

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xyshw.txt

Filesize
1KB

MD5
c923e22a171956606240db2028f86304

SHA1
ab8d1e1d9e1c2545f04c34d08903ebc787b661c2

SHA256
e541491f9091af539f68453aadc4bbb137a9c14c4f2022a48617dfe2367a172f

SHA512
b77ec31d5c895ed09b3d2cd9294b9a4e8c5f78cd275f9f0b5959d63f53703e99f94eaf5a47b3d6f394427789781112490ed870f118b5a4b7469ee0055a6f260d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
25c57415b39d9f8fd8fe3481879ab97d

SHA1
cf1a57e097cfbe77efefbf29aaeb7a1e0a85b762

SHA256
b559f1da45a1fde17841f6a247051a770969a2a1fa6061cc9f6a2833b0ec319a

SHA512
2067fa7bffacd3e0487453a313e732de38319cd65a093f3248208bf51752e34b783027c9f1969ddd820ad80074d518d378f3302ee90eb99524f15577362a21fa

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
238f33725be48ba4f286b8494aef7bd5

SHA1
bafb56f4d42a3c671700a0a717a3b3797e899ec0

SHA256
88bda270bcc3d37aa91c5a142b67e783dbc245397050999aefadb9a0fa015348

SHA512
9580042322f5bc81803f9ec6e47cb391b2b5092d13e3c93a9a2be3177ebd1043e0f74271dc5800d552a6d212d085776825a924bccdbdb79dab213045eb6a473c

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
aa76af20b2501672dd8833f285cbe2f7

SHA1
44b205a0ba6a2378f5f7e58139ecc6dd8174163e

SHA256
53e5d28a041566735a5677bc6bafb6aca0f8c5ea973aa4c30cc7fb60b9b2e28c

SHA512
d3b4ae3bc55abe32af2de2682cf728d87dcc4776c9c7979e4f48d47839010b947dffe91c39e19498da46aace11fe67dc8de0327dde02d456becaabcbc4fa3b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e7325dc65ed990f08ac20edfad5bd33d

SHA1
c27a0083b5366fc3a1eb8601f88e8aea3447d61c

SHA256
441888662e39e6c2f2b2efd165024fd93f60788c2e638afcc5d63371f93a6b51

SHA512
c511686ae4697ae701accee19b004ce0b06258fdceb1345b9e4309f1f3543ab5d5a75601e4aeaf6c1e1c1cc7d9b3c82225cb15b7047c4d2b28d16a06218e808a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
22042a10eb2c3db6958b5383d208d359

SHA1
c7e4d31a4cde5600055b2095bd1628613c27e69c

SHA256
6e4c95f8165cdc60c18a038603991c48200ff2b6a7528ae841e759850c571979

SHA512
145e1e30e286ba3d03694e4928bdd2f3995f7bb76af311d99cf0ec16feaf707e76395f43ffbb8cc6423daf6ac240cea76fee1dd877b6dd421fa48232cf56a692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8aa75a3d74bb41c4b387c5d77e950a99

SHA1
882e139fbe1443a4c4bed18c0a6c46033facf6fb

SHA256
c3b35b2a9dbef803cf042180f487ca8682a7d450529c51036ba31224001279cc

SHA512
7da0f0f017fbc12e0b3b933523774a946d1f3984ae09b085a3646b10d903ed2e63eb55141eed8387ac2c3bbbe9a6deebed8d4df57c503c4f35598dbc0569767c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656298443196.txt

Filesize
77KB

MD5
187a479505feda3b1e3826878475fb7b

SHA1
0987e0e1e18ffa4c1861258d8e2f5c4a97300101

SHA256
d88a913523eb7669c4143c21187520bf2993338454e7832da392c1472727c520

SHA512
817cab9f034b360d9dee5634b75db16310593ba6fe83abc4c62ce242a68f654fba3cf65515f29c7a88db0924e821d8abde34299d28c0f51a5ffb757899cb7ccd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657999741523.txt

Filesize
47KB

MD5
e4f0b72db3afcad7129959fad00d8791

SHA1
26cff424990f7a80b8c2248ecc4bb33d667bd631

SHA256
2d970e460bf0175d1692187c6f47428894cd02ab470bd251334f85d0558e3819

SHA512
b051b9594917a1f7be12c7da553e31b0a1d0f9940144a05bc21822dfd193d2b60a9ee0b43bbd036829d4ff72c824e730e31126b134fb19eafc42c3bf322b6fca

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666039184869.txt

Filesize
74KB

MD5
510f7a4f71ef73c1fd32c3b9d81aeaca

SHA1
cb616d1ba3b98beff6dbd3f1f3023162170c727f

SHA256
3c07ee8ab11e936aae04143af84125a76f7e413d7504653b99befb5748077da7

SHA512
7b0bd58addbb2cf4230d6f09172c561500fe64b4c675cb23141da9a073bb987616e979a17ab027fcbe1b1e4254cdf95b3e82419eb87c950afceffeaa4eab63ad

Download Submit
C:\Windows\docdgqfarcce.exe

Filesize
352KB

MD5
e7f147af11b3494756d8c07149de56c5

SHA1
c3b7a6a4b77eebaef88b1f874317d55783c10e82

SHA256
dfd96eb0d24ab0e64e6e2078eca2ae8e969295be95b0862456371f79a22333a2

SHA512
a0dd11b4c085c3642ec109ae33ded492db4f0e73c42bdb45e42bfe8243ad7b770362cfa966d45bdd90579f34e70ed595340d6b65379fd69e65c19c9ec2180027

Download Submit
memory/4224-2620-0x0000000002000000-0x0000000002086000-memory.dmp

Filesize
536KB

Download
memory/4224-8737-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4224-10724-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4224-5264-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4224-10768-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4224-2619-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4224-9-0x0000000002000000-0x0000000002086000-memory.dmp

Filesize
536KB

Download
memory/4272-1-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4272-0-0x0000000002190000-0x0000000002216000-memory.dmp

Filesize
536KB

Download
memory/4272-14-0x0000000002190000-0x0000000002216000-memory.dmp

Filesize
536KB

Download
memory/4272-13-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download