03f81462c6d158453036fedf3e5d3dcd0eef4a5aafd79b5b9379b3df89e4d6fc

Analysis

max time kernel
144s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_39028e8653ba4e422599441e49da3d29.exe
Size

444KB
MD5

39028e8653ba4e422599441e49da3d29
SHA1

62071f1ee92eb4e11e39a29b937bd86b9591c1d3
SHA256

03f81462c6d158453036fedf3e5d3dcd0eef4a5aafd79b5b9379b3df89e4d6fc
SHA512

42b31196d6e243c8e71949d820a70324872c87a488826b029d5ed8f57cc45a72dd2e93581cf26a1af6eff4155f3c696f8298265f3c3d185d7570cce0a6e19cb0
SSDEEP

12288:g4irDtSclFJNVKqjhKD2AWU7irDtSclFJN:GrDt7t7lKD2AWUGrDt7

Score

10^/10

defense_evasion evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\how_recover+rmj.txt

Ransom Note

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://k5fxm4dl35qk323d.justmakeapayment.com/6A47E86EB93B0F 2. http://vr6g2curb2kcidou.expay34.com/6A47E86EB93B0F 3. http://tsbfdsv.extr6mchf.com/6A47E86EB93B0F 4. https://o7zeip6us33igmgw.onion.to/6A47E86EB93B0F 5. https://o7zeip6us33igmgw.tor2web.org/6A47E86EB93B0F 6. https://o7zeip6us33igmgw.onion.cab/6A47E86EB93B0F If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: o7zeip6us33igmgw.onion/6A47E86EB93B0F 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://k5fxm4dl35qk323d.justmakeapayment.com/6A47E86EB93B0F http://vr6g2curb2kcidou.expay34.com/6A47E86EB93B0F http://tsbfdsv.extr6mchf.com/6A47E86EB93B0F https://o7zeip6us33igmgw.onion.to/6A47E86EB93B0F Your personal page (using TOR-Browser): o7zeip6us33igmgw.onion/6A47E86EB93B0F Your personal identification number (if you open the site (or TOR-Browser's) directly): 6A47E86EB93B0F !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

URLs

http://k5fxm4dl35qk323d.justmakeapayment.com/6A47E86EB93B0F

http://vr6g2curb2kcidou.expay34.com/6A47E86EB93B0F

http://tsbfdsv.extr6mchf.com/6A47E86EB93B0F

https://o7zeip6us33igmgw.onion.to/6A47E86EB93B0F

https://o7zeip6us33igmgw.tor2web.org/6A47E86EB93B0F

https://o7zeip6us33igmgw.onion.cab/6A47E86EB93B0F

http://o7zeip6us33igmgw.onion/6A47E86EB93B0F

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2320	bcdedit.exe
1664	bcdedit.exe
3724	bcdedit.exe
5484	bcdedit.exe
1656	bcdedit.exe

Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	VirusShare_39028e8653ba4e422599441e49da3d29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	cwwssacroic.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+rmj.html	cwwssacroic.exe

Executes dropped EXE 2 IoCs

pid	Process
2116	cwwssacroic.exe
3996	cwwssacroic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\cwwssacroic.exe"	cwwssacroic.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	myexternalip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4644 set thread context of 4940	4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe	88
PID 2116 set thread context of 3996	2116	cwwssacroic.exe	92

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png	cwwssacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-20_altform-unplated.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16_altform-lightunplated.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-200.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-unplated.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-white_scale-125.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_altform-unplated_contrast-black.png	cwwssacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\AppIcon.scale-125.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileLargeSquare.scale-100.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-100.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-black_scale-200.png	cwwssacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigNose.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WideTile.scale-100.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-150.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jsaddins\onenote_strings.js	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\MedTile.scale-100_contrast-black.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\LockScreenBadgeLogo.scale-200.png	cwwssacroic.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ko.pak	cwwssacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-125.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-125.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyVideoProjectCreations_LightTheme.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-63.png	cwwssacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-32_altform-lightunplated.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-125.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-150_contrast-white.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-125.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-100.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteSmallTile.scale-100.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-150_contrast-white.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\how_recover+rmj.html	cwwssacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\how_recover+rmj.txt	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_BadgeLogo.scale-200.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-200.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png	cwwssacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png	cwwssacroic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2324	vssadmin.exe
2732	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	cwwssacroic.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4224	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe
3996	cwwssacroic.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	VirusShare_39028e8653ba4e422599441e49da3d29.exe
Token: SeDebugPrivilege	3996	cwwssacroic.exe
Token: SeBackupPrivilege	5660	vssvc.exe
Token: SeRestorePrivilege	5660	vssvc.exe
Token: SeAuditPrivilege	5660	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe
2116	cwwssacroic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4940	4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe	88
PID 4644 wrote to memory of 4940	4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe	88
PID 4644 wrote to memory of 4940	4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe	88
PID 4644 wrote to memory of 4940	4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe	88
PID 4644 wrote to memory of 4940	4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe	88
PID 4644 wrote to memory of 4940	4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe	88
PID 4644 wrote to memory of 4940	4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe	88
PID 4644 wrote to memory of 4940	4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe	88
PID 4644 wrote to memory of 4940	4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe	88
PID 4644 wrote to memory of 4940	4644	VirusShare_39028e8653ba4e422599441e49da3d29.exe	88
PID 4940 wrote to memory of 2116	4940	VirusShare_39028e8653ba4e422599441e49da3d29.exe	89
PID 4940 wrote to memory of 2116	4940	VirusShare_39028e8653ba4e422599441e49da3d29.exe	89
PID 4940 wrote to memory of 2116	4940	VirusShare_39028e8653ba4e422599441e49da3d29.exe	89
PID 4940 wrote to memory of 2196	4940	VirusShare_39028e8653ba4e422599441e49da3d29.exe	90
PID 4940 wrote to memory of 2196	4940	VirusShare_39028e8653ba4e422599441e49da3d29.exe	90
PID 4940 wrote to memory of 2196	4940	VirusShare_39028e8653ba4e422599441e49da3d29.exe	90
PID 2116 wrote to memory of 3996	2116	cwwssacroic.exe	92
PID 2116 wrote to memory of 3996	2116	cwwssacroic.exe	92
PID 2116 wrote to memory of 3996	2116	cwwssacroic.exe	92
PID 2116 wrote to memory of 3996	2116	cwwssacroic.exe	92
PID 2116 wrote to memory of 3996	2116	cwwssacroic.exe	92
PID 2116 wrote to memory of 3996	2116	cwwssacroic.exe	92
PID 2116 wrote to memory of 3996	2116	cwwssacroic.exe	92
PID 2116 wrote to memory of 3996	2116	cwwssacroic.exe	92
PID 2116 wrote to memory of 3996	2116	cwwssacroic.exe	92
PID 2116 wrote to memory of 3996	2116	cwwssacroic.exe	92
PID 3996 wrote to memory of 2320	3996	cwwssacroic.exe	93
PID 3996 wrote to memory of 2320	3996	cwwssacroic.exe	93
PID 3996 wrote to memory of 2324	3996	cwwssacroic.exe	95
PID 3996 wrote to memory of 2324	3996	cwwssacroic.exe	95
PID 3996 wrote to memory of 1664	3996	cwwssacroic.exe	99
PID 3996 wrote to memory of 1664	3996	cwwssacroic.exe	99
PID 3996 wrote to memory of 3724	3996	cwwssacroic.exe	101
PID 3996 wrote to memory of 3724	3996	cwwssacroic.exe	101
PID 3996 wrote to memory of 5484	3996	cwwssacroic.exe	103
PID 3996 wrote to memory of 5484	3996	cwwssacroic.exe	103
PID 3996 wrote to memory of 1656	3996	cwwssacroic.exe	105
PID 3996 wrote to memory of 1656	3996	cwwssacroic.exe	105
PID 3996 wrote to memory of 4224	3996	cwwssacroic.exe	108
PID 3996 wrote to memory of 4224	3996	cwwssacroic.exe	108
PID 3996 wrote to memory of 4224	3996	cwwssacroic.exe	108
PID 3996 wrote to memory of 3596	3996	cwwssacroic.exe	109
PID 3996 wrote to memory of 3596	3996	cwwssacroic.exe	109
PID 3596 wrote to memory of 1060	3596	msedge.exe	110
PID 3596 wrote to memory of 1060	3596	msedge.exe	110
PID 3996 wrote to memory of 2732	3996	cwwssacroic.exe	111
PID 3996 wrote to memory of 2732	3996	cwwssacroic.exe	111
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113
PID 3596 wrote to memory of 4692	3596	msedge.exe	113

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cwwssacroic.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cwwssacroic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_39028e8653ba4e422599441e49da3d29.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_39028e8653ba4e422599441e49da3d29.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\VirusShare_39028e8653ba4e422599441e49da3d29.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_39028e8653ba4e422599441e49da3d29.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Roaming\cwwssacroic.exe
    C:\Users\Admin\AppData\Roaming\cwwssacroic.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Roaming\cwwssacroic.exe
      C:\Users\Admin\AppData\Roaming\cwwssacroic.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3996
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} bootems off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2320
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2324
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} advancedoptions off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1664
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} optionsedit off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3724
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:5484
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} recoveryenabled off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1656
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_Restore_FILES.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:4224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Howto_Restore_FILES.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3596
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa64946f8,0x7ffaa6494708,0x7ffaa6494718
        6⤵
        
        PID:1060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17206954272261733000,10196802680234573325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        6⤵
        
        PID:4692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17206954272261733000,10196802680234573325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        6⤵
        
        PID:3936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,17206954272261733000,10196802680234573325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
        6⤵
        
        PID:3332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17206954272261733000,10196802680234573325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
        6⤵
        
        PID:5944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17206954272261733000,10196802680234573325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
        6⤵
        
        PID:6028
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17206954272261733000,10196802680234573325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
        6⤵
        
        PID:4172
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17206954272261733000,10196802680234573325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
        6⤵
        
        PID:2324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17206954272261733000,10196802680234573325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
        6⤵
        
        PID:3492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17206954272261733000,10196802680234573325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
        6⤵
        
        PID:4868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17206954272261733000,10196802680234573325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
        6⤵
        
        PID:4248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17206954272261733000,10196802680234573325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        6⤵
        
        PID:1576
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\CWWSSA~1.EXE
        5⤵
        
        PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:2196

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\how_recover+rmj.html

Filesize
10KB

MD5
63e3c41752b3de41ecbf94ef233c30cf

SHA1
c372e3ec3427658c6e086bcd27c1e9fea324224f

SHA256
db3e6ff894c89fd9f2a0bf284ac64148284ad547aa9aa0251005beffa0848f29

SHA512
6978ffa2f7dbef1000e6aed29db468465877e18b1f403710a32abe5545ad6dc590770493f0f6e8e87c70c91a0bf8424f4d865734c4542a0c36297b2da93a3aab

Download Submit
C:\Program Files\7-Zip\Lang\how_recover+rmj.txt

Filesize
2KB

MD5
6a3d53d7cf70e8c86c4bae8d68be6faf

SHA1
67dc2f0905699f3ee27b66107633ecd25e6c469c

SHA256
5c23976199c3f7d57be9f52376c42abc9e04d02d1cf5f8feb811d4901338ded5

SHA512
e3f1d93903ee88515cbd04362a850097769428d78fbf1b3bd557f7711de2eb46c3d0ecf040ae76bb8e2c6865ed06148669d5cc44e84a3b611470f0f6e6dcc52b

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
606B

MD5
b525d9685f882a4ccc7d173ddb90b708

SHA1
eb383ccdce12f76b441efd08238e3c50fbe0b9d1

SHA256
ac4c1f0b2943c223f67f6bdd1036a9e73e019792b49c45636e345daf730a5e6f

SHA512
1aa659d0ee8e5520e57d09f17494ac05706ea62bd26b29381811f7c98e2b6df7e50ad2da5a57795702688c38833d4b52ddfcf0984071125b9fbb092c0c40c370

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
606B

MD5
84b6e2569f65443c72c750f163efc23d

SHA1
503e10de192be3dee3b465f232c2cc178c0cbe61

SHA256
5dfed3fa59a1685045ad805b066bd669c01e3897d8a9555a971f93d90b80ae74

SHA512
08085b06d5bc17658d904b6b3ad7da1ae94af3051c0119638243719e51412e56f2625ba66d012a8acdd53e2f7188b4bfa9433c8dffa734e40106bb5204f143ca

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
462B

MD5
e00db2e1ff6726c81d598970a67e4ae4

SHA1
d2942aeb7cedada058faf5bf14c437c5eb43a732

SHA256
19946c331753673cb5f2d6f884055f116129895aa14cb50bff4a4c6ab52a4bfa

SHA512
fcc8f38b3444170e3f423c5b8e1dd1b5c0c66641ba2fe9c39aec5f89dae11d2e7c1df5c63c45a13045b422881f8dc091ae64e650894016cc8b795fee34177902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fdcd1d46ef78603cee44e1637db67dd8

SHA1
75ddf1b1fa8e1238ef9635dc9ab535df2f7b087f

SHA256
0142edf2d3ace04ef942b8746786340828867f0fbafe2c2cae922552f407499e

SHA512
68030c871baaae52f09f06f025e15b163335b814ecc1c772211224da523da32e2cd75cf545a23432d5e64b7e9522615a1b94eb980d6e78e9c17b5da8995dfb11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0da5f0f6e03f378055776fac7b5c061c

SHA1
c49e1a7695033f5017883bf3103eb0ee44677bee

SHA256
2af6ab4d7cc9777c311c8d88657cd4dfb88c8d0c411b51b75b29d83cf8107421

SHA512
8b9a8dd857fdb62e84e2bd3d5017ed056e6102a4abf592ddd0f422e41df4c29c77ae705841f4f7a6613faa2ccf560e567b24832aa3edf8e580eb53b8103e010b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f2549ea238297578d03c44dd9f9cf42b

SHA1
a4e4278a88b6d5ce27a2dba7fde5f47cef30d465

SHA256
b572915bc79d7221456d00d79c653cbb91d5fa0d20eec4126c6af7c07c65f73b

SHA512
145d7a5e64b440d1241526e52e8d088f4549258aea87072008cd0702fcb00257603ef625e154f9ebd7aadcde734614522b2aea3d2cc28fad131c2d97b72bf64b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ed971d57-94e3-41d0-ba7d-2b84f10d23dd}\0.1.filtertrie.intermediate.txt

Filesize
430B

MD5
72245e4281f351a128dc26ec1a74435b

SHA1
cc2188c4ef1ee1d91afdfdc0ffde3339088e88b0

SHA256
d7a01f76a65df07cddbaa18c89fb381e98be08ab15e5277e7e8b180d293ffe50

SHA512
d4674d16f13266511d83e7a352e0497d1aa5c85101c90a7f615ea55725e8e3e65c1405f7b75a1f4388ffef1c9a4c778befaf9ffe03146645d94a3c5dcad3b98e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ed971d57-94e3-41d0-ba7d-2b84f10d23dd}\0.2.filtertrie.intermediate.txt

Filesize
430B

MD5
7a43bf54e031b37afd0146cb93ebd34a

SHA1
9c46aa957571b275dbb0f78b69211558e13c9ca9

SHA256
3fac214ae1dbae2ad3c6b3dd28896ef3507c09df20c2454d6564b3597643a616

SHA512
37c6037297f1040522424485c622dd1d6261d948e66fb998545306359ed21a4f4f10da9cf685e463f1b2637d9f5d8be718b79afff9c213af14d7a5880ac070ae

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586123695506360.txt

Filesize
75KB

MD5
0291811f1f82aff885f5d3289b644a6d

SHA1
6b8eb7f40831546e8964278ed0538bd78c62b330

SHA256
f5447bc2e3dea390da3e03bf462b7944a7ddeaf9ca3e365fcb894dc53a3ca9c7

SHA512
8c1d0a3edd6de5149539d925072f5a54d6bcdd95b155fc438de1da47772ba2866d12625b21a39367134ea45269dc0427e752f6e59eca63120556ff82f698c927

Download Submit
C:\Users\Admin\AppData\Roaming\cwwssacroic.exe

Filesize
444KB

MD5
39028e8653ba4e422599441e49da3d29

SHA1
62071f1ee92eb4e11e39a29b937bd86b9591c1d3

SHA256
03f81462c6d158453036fedf3e5d3dcd0eef4a5aafd79b5b9379b3df89e4d6fc

SHA512
42b31196d6e243c8e71949d820a70324872c87a488826b029d5ed8f57cc45a72dd2e93581cf26a1af6eff4155f3c696f8298265f3c3d185d7570cce0a6e19cb0

Download Submit
memory/2116-10-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/2116-17-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/3996-481-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-7531-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-22-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-23-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-1774-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-19-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-15-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-16-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-7529-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-7577-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-7540-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-18-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3996-7546-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4644-0-0x0000000000BC0000-0x0000000000BC3000-memory.dmp

Filesize
12KB

Download
memory/4644-4-0x0000000000BC0000-0x0000000000BC3000-memory.dmp

Filesize
12KB

Download
memory/4940-11-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4940-1-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4940-3-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4940-5-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4940-2-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download