c1912debaaa2978d389f5e4a6994c9ad4f5ff1d94a4f0f52dde1a75f92021c21

Analysis

max time kernel
148s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe
Size

316KB
MD5

08d2aa597f4ded68db1d15a7a29c0adc
SHA1

bd4cbbfccf4f47656f767ebe473b6d225cc5865e
SHA256

c1912debaaa2978d389f5e4a6994c9ad4f5ff1d94a4f0f52dde1a75f92021c21
SHA512

6073f284a07ea1d91543b6b520915a33ccca9449458828eb86467104b7e234c31063c9de987f5fdd585a8744b06531a052b00b6ea0358c07caedc2d1bf80b5e6
SSDEEP

6144:Y83+tYd7/TNoDtH2zlxTMChh1Er180i6hZW8O4coT:jOtY7raxWzlB3ErG0iBm

Score

10^/10

defense_evasion evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\how_recover+rwc.txt

Ransom Note

++++++==============================================================================================================+++++++====== NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Specially for your PC was generated personal RSA2048 KEY, both public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. ++++++==============================================================================================================+++++++====== Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://alcov44uvcwkrend.softpay4562.com/4C07A6E1C3CEF46 2. http://tsbfdsv.extr6mchf.com/4C07A6E1C3CEF46 3. http://psbc532jm8c.hsh73cu37n1.net/4C07A6E1C3CEF46 4. https://vf4xdqg4mp3hnw5g.onion.to/4C07A6E1C3CEF46 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: vf4xdqg4mp3hnw5g.onion/4C07A6E1C3CEF46 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://alcov44uvcwkrend.softpay4562.com/4C07A6E1C3CEF46 http://tsbfdsv.extr6mchf.com/4C07A6E1C3CEF46 http://psbc532jm8c.hsh73cu37n1.net/4C07A6E1C3CEF46 https://vf4xdqg4mp3hnw5g.onion.to/4C07A6E1C3CEF46 Your personal page (using TOR-Browser): vf4xdqg4mp3hnw5g.onion/4C07A6E1C3CEF46 Your personal identification number (if you open the site (or TOR-Browser's) directly): 4C07A6E1C3CEF46 ++++++==============================================================================================================+++++++======

URLs

http://alcov44uvcwkrend.softpay4562.com/4C07A6E1C3CEF46

http://tsbfdsv.extr6mchf.com/4C07A6E1C3CEF46

http://psbc532jm8c.hsh73cu37n1.net/4C07A6E1C3CEF46

https://vf4xdqg4mp3hnw5g.onion.to/4C07A6E1C3CEF46

http://vf4xdqg4mp3hnw5g.onion/4C07A6E1C3CEF46

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1556	bcdedit.exe
4456	bcdedit.exe
4892	bcdedit.exe
3908	bcdedit.exe
3560	bcdedit.exe

Renames multiple (879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sniey-bc.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwc.html	sniey-bc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+rwc.html	sniey-bc.exe

Executes dropped EXE 2 IoCs

pid	Process
2000	sniey-bc.exe
2964	sniey-bc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acronis = "C:\\Users\\Admin\\AppData\\Roaming\\sniey-bc.exe"	sniey-bc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	myexternalip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3576 set thread context of 4512	3576	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	86
PID 2000 set thread context of 2964	2000	sniey-bc.exe	92

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\31.jpg	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_contrast-white.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\remixCTA_welcome.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-125.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-250.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch-Dark.scale-200.png	sniey-bc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\how_recover+rwc.html	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\how_recover+rwc.html	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\how_recover+rwc.html	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-32_altform-unplated.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-125.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-400.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-125.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-125.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-unplated_contrast-white.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\eml.scale-16.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-200.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-100.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_altform-unplated_contrast-white.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\LargeTile.scale-200.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60_altform-unplated.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\how_recover+rwc.html	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-400.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96.png	sniey-bc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\how_recover+rwc.html	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-125_contrast-black.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Confirmation.m4a	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-150.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlCone.png	sniey-bc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\how_recover+rwc.html	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-100.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\91.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-250.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-high.png	sniey-bc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\MilitaryRight.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-200.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-125.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-96_altform-lightunplated.png	sniey-bc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\how_recover+rwc.html	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-white.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-150.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\how_recover+rwc.txt	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-32_contrast-black.png	sniey-bc.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\how_recover+rwc.html	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-40_contrast-black.png	sniey-bc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-125_contrast-black.png	sniey-bc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\how_recover+rwc.html	sniey-bc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	sniey-bc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\how_recover+rwc.txt	sniey-bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4332	vssadmin.exe
836	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sniey-bc.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2052	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe
2964	sniey-bc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe
Token: SeDebugPrivilege	2964	sniey-bc.exe
Token: SeBackupPrivilege	1848	vssvc.exe
Token: SeRestorePrivilege	1848	vssvc.exe
Token: SeAuditPrivilege	1848	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4512	3576	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	86
PID 3576 wrote to memory of 4512	3576	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	86
PID 3576 wrote to memory of 4512	3576	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	86
PID 3576 wrote to memory of 4512	3576	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	86
PID 3576 wrote to memory of 4512	3576	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	86
PID 3576 wrote to memory of 4512	3576	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	86
PID 3576 wrote to memory of 4512	3576	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	86
PID 3576 wrote to memory of 4512	3576	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	86
PID 3576 wrote to memory of 4512	3576	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	86
PID 3576 wrote to memory of 4512	3576	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	86
PID 4512 wrote to memory of 2000	4512	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	88
PID 4512 wrote to memory of 2000	4512	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	88
PID 4512 wrote to memory of 2000	4512	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	88
PID 4512 wrote to memory of 3680	4512	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	90
PID 4512 wrote to memory of 3680	4512	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	90
PID 4512 wrote to memory of 3680	4512	VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe	90
PID 2000 wrote to memory of 2964	2000	sniey-bc.exe	92
PID 2000 wrote to memory of 2964	2000	sniey-bc.exe	92
PID 2000 wrote to memory of 2964	2000	sniey-bc.exe	92
PID 2000 wrote to memory of 2964	2000	sniey-bc.exe	92
PID 2000 wrote to memory of 2964	2000	sniey-bc.exe	92
PID 2000 wrote to memory of 2964	2000	sniey-bc.exe	92
PID 2000 wrote to memory of 2964	2000	sniey-bc.exe	92
PID 2000 wrote to memory of 2964	2000	sniey-bc.exe	92
PID 2000 wrote to memory of 2964	2000	sniey-bc.exe	92
PID 2000 wrote to memory of 2964	2000	sniey-bc.exe	92
PID 2964 wrote to memory of 1556	2964	sniey-bc.exe	93
PID 2964 wrote to memory of 1556	2964	sniey-bc.exe	93
PID 2964 wrote to memory of 4332	2964	sniey-bc.exe	95
PID 2964 wrote to memory of 4332	2964	sniey-bc.exe	95
PID 2964 wrote to memory of 4456	2964	sniey-bc.exe	101
PID 2964 wrote to memory of 4456	2964	sniey-bc.exe	101
PID 2964 wrote to memory of 4892	2964	sniey-bc.exe	105
PID 2964 wrote to memory of 4892	2964	sniey-bc.exe	105
PID 2964 wrote to memory of 3908	2964	sniey-bc.exe	107
PID 2964 wrote to memory of 3908	2964	sniey-bc.exe	107
PID 2964 wrote to memory of 3560	2964	sniey-bc.exe	109
PID 2964 wrote to memory of 3560	2964	sniey-bc.exe	109
PID 2964 wrote to memory of 2052	2964	sniey-bc.exe	116
PID 2964 wrote to memory of 2052	2964	sniey-bc.exe	116
PID 2964 wrote to memory of 2052	2964	sniey-bc.exe	116
PID 2964 wrote to memory of 3084	2964	sniey-bc.exe	117
PID 2964 wrote to memory of 3084	2964	sniey-bc.exe	117
PID 3084 wrote to memory of 2460	3084	msedge.exe	118
PID 3084 wrote to memory of 2460	3084	msedge.exe	118
PID 2964 wrote to memory of 836	2964	sniey-bc.exe	119
PID 2964 wrote to memory of 836	2964	sniey-bc.exe	119
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121
PID 3084 wrote to memory of 2432	3084	msedge.exe	121

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sniey-bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	sniey-bc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Temp\VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_08d2aa597f4ded68db1d15a7a29c0adc.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Roaming\sniey-bc.exe
    C:\Users\Admin\AppData\Roaming\sniey-bc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Roaming\sniey-bc.exe
      C:\Users\Admin\AppData\Roaming\sniey-bc.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2964
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} bootems off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1556
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:4332
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} advancedoptions off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4456
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} optionsedit off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4892
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3908
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} recoveryenabled off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3560
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff32946f8,0x7ffff3294708,0x7ffff3294718
        6⤵
        
        PID:2460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,2702697685895214157,12784432840073052235,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
        6⤵
        
        PID:2432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,2702697685895214157,12784432840073052235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        6⤵
        
        PID:3172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,2702697685895214157,12784432840073052235,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
        6⤵
        
        PID:3576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2702697685895214157,12784432840073052235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        6⤵
        
        PID:2252
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2702697685895214157,12784432840073052235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        6⤵
        
        PID:2960
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,2702697685895214157,12784432840073052235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
        6⤵
        
        PID:1792
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,2702697685895214157,12784432840073052235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
        6⤵
        
        PID:3432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2702697685895214157,12784432840073052235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
        6⤵
        
        PID:3048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2702697685895214157,12784432840073052235,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
        6⤵
        
        PID:3524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2702697685895214157,12784432840073052235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        6⤵
        
        PID:1496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2702697685895214157,12784432840073052235,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        6⤵
        
        PID:2612
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:836
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\sniey-bc.exe
        5⤵
        
        PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:3680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\how_recover+rwc.html

Filesize
9KB

MD5
cf89cb972237c9da3797ce95c34d8205

SHA1
663a1e61f8d730cd3cd10ee7361fea42bfee9644

SHA256
6fba959f943b37d9e11a38b53fadc9a221603e10aa6a3d9778cfb2203db86b01

SHA512
836290f231e4d194c90b752fd83b9ee852723798cb25a455fecd1162c9de28f8a9139cf346e54e537f0a63cc8ebe524a2baa48ba5e0cf60fc26a1a0568c73920

Download Submit
C:\Program Files\7-Zip\Lang\how_recover+rwc.txt

Filesize
2KB

MD5
0417783c764c495989b31f3c094b9c9c

SHA1
df3d2814de5dd2a831dec9a96d19aecd09d7839d

SHA256
4685ff855ba05ff21fbf94601694f21999eb9ffe31892daa809411bc2c9886f9

SHA512
f9d23b2b3cee627060514aec4fd5f3df09a5472c1d614fab39444e68775224ad05291e1f12948f3907cefd57956901dd579d8a8c75aeb596dc7a662639c42e90

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
606B

MD5
18aad2c2374210f0e03243593ae9059e

SHA1
82117cd9dcd3a7586321674009200f366f3d7276

SHA256
e828c1886aadeff53e81aa4282776707e9a8c23d5c3fd681fdfbfac4863fd776

SHA512
20746b17aa47b41d8168b454da577c0b9ac2d7422fda128e5ffc09d45f3b3106aa987e9611d7dabf32a09506829453069595114c64d90573acbc0ae6b7b8772b

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
606B

MD5
eb1960e682cbf35c3c4baae68e6c756e

SHA1
e068891a3f3ad04075b507d976ee52ca66c6cbdf

SHA256
baf58c4053b190d345d59d15406c8e3239095b7268df66f17705a1810a07c5c5

SHA512
4c1c6fc51477ec873db5d668dc4fa71f848095af2036e7abe3b7fe9deea0aa5e1d2607d9105782693b0b1b7ee5ecdc21ef975d85920cda1071efd47b74c342ba

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
462B

MD5
d17dc254a90a3fce43ab675ce55ba00c

SHA1
12182e3d6c5e0acbfb581b703b886a128b10fa45

SHA256
a21fab86e1fcdb95873f8ccd018d3e79667e12462d7dd676fb4b48e98b4e6cd9

SHA512
0e200650abe1f409c791ab7442b5cd4aec69e15e37bddafc7a9b79f9eba2f0574fb611e2a6622391a3346d962b4843ecb2675e98b50f611cb0731eb181f1649a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5f1e8ce4f722d487a749a703263cc9db

SHA1
ab32fdb48daf5c6d3482989d1f76763c7d3b61a7

SHA256
a076eaa1ef9d4bb76d7e6e788c72ae57208ea4e2435fc7231e0337d9836b195f

SHA512
6cee72ba5b347115ea1ef3bfeb421f503f5ffe871dd6d801c1af43dd8f1d8b41eb5fa42186ffeb92515d57e6de7228d7e54486c5b17aaaab5fac15a4744ca91a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d0bc4a9d9922a9d4670de43672d89fb

SHA1
9a13ef18617afc0d48b08934b1649f7e55ab3793

SHA256
1ecddff8bc628a8d3ce90ce7a6112b8f28ec2affa806ac66d44db89e918c0e0e

SHA512
3c97b84a8572bb0360d51ca599d360014c93586109cd82fcdf6056ce68b9dabf2943613bac2ec0b7b268909bbfede4d9befb7cdec00320ffa8faff4fa499b937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
78336ab5f9fad0a236fcd660593387b5

SHA1
777ff9cc349b1a2f461bb3e7ac2f2b25d89661b4

SHA256
4fef7b3097700e000b09406e8973fe78f0289b34a2180f1b8cd0d04d8ecb641a

SHA512
cecd2ddc13b11f3a1e08701c06f0f73dc2ccdb0fc6d9b2b53a45e499b03b4a309619911939b8d8f009133d104d50c1299ca507227fdc6ebec23079f7427b0e0e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e370d575-74de-428c-9fa6-fb883201bb32}\0.1.filtertrie.intermediate.txt

Filesize
430B

MD5
baf8d09edcc30302beccbf3b33b425f0

SHA1
439a9baf78a1d95f2c91225cbab5b13bd00bd25b

SHA256
b94dff04ab92c212755971df3cefd5fda407478d20c4ec177e1755af86fcb369

SHA512
e3e375652874c75b314e738f690a1038b52ef281969054cd59c6d86f607256570317a59fe0b47b232af306fa3159112dd28c9abb0ee26abef47e8d52edc87da7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e370d575-74de-428c-9fa6-fb883201bb32}\0.2.filtertrie.intermediate.txt

Filesize
430B

MD5
3dc2c29c8e3775c6ac0563d3039b7e77

SHA1
5380720aa7b177542d533c2ddc45fe40dc3b88a8

SHA256
4a6855f084a3c1de218c4a03b50e158678909e27e3f3658b6f87902400d57e2f

SHA512
dc949a888b50ccad49b892649f1b1763a830dbd6294f6ed501a230f4fcd1065925529277f0fd7a14d19fc93e861b1cdb451cd5865e68ce03a7d6344d1c2c28aa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449526171674.txt

Filesize
75KB

MD5
ec880ffc0844f76b18969240866ccf3b

SHA1
628edebca951a997283cc8d3c80985ac281e5add

SHA256
ab26bc3a68186065c69ef61818d1cc4e7cab6921f005eee628a3c57899f9b1d5

SHA512
e093e3732fad5e075cc7c44f7d8b95e05a27381a41e1f7feeea63c31c98f7a22dcd47e651168792e04700b22fa5cbbe7e37314fc98e0bf451b5481fb52057f29

Download Submit
C:\Users\Admin\AppData\Roaming\sniey-bc.exe

Filesize
316KB

MD5
08d2aa597f4ded68db1d15a7a29c0adc

SHA1
bd4cbbfccf4f47656f767ebe473b6d225cc5865e

SHA256
c1912debaaa2978d389f5e4a6994c9ad4f5ff1d94a4f0f52dde1a75f92021c21

SHA512
6073f284a07ea1d91543b6b520915a33ccca9449458828eb86467104b7e234c31063c9de987f5fdd585a8744b06531a052b00b6ea0358c07caedc2d1bf80b5e6

Download Submit
memory/2000-12-0x0000000000400000-0x000000000080F000-memory.dmp

Filesize
4.1MB

Download
memory/2964-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-1640-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-7594-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-22-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-7535-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-7537-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-787-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-7551-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-7552-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-21-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3576-0-0x0000000000AA0000-0x0000000000AA3000-memory.dmp

Filesize
12KB

Download
memory/3576-4-0x0000000000AA0000-0x0000000000AA3000-memory.dmp

Filesize
12KB

Download
memory/4512-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4512-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4512-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4512-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4512-10-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download