a77232cefd0ce412731521cb4143dbaaaf51e69076cafd2e2252c663b2cf00ec

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_cfd2351a65e19f7ff9e09d9f0f2a42db.exe
Size

298KB
MD5

cfd2351a65e19f7ff9e09d9f0f2a42db
SHA1

2ec3342d9c01e0eeeec80b4f5787a6f9a9ce5d50
SHA256

a77232cefd0ce412731521cb4143dbaaaf51e69076cafd2e2252c663b2cf00ec
SHA512

23aff27d7189229de12b124285442f38c9f3eeefd3a1f5b1fd193c983b9212f419819c869869f373e8a98ff2bbaf94579ca91aa908cecdbf9d190b91697a3718
SSDEEP

6144:DLOMYYit9Y5OE3bTWUqboQNYBsQNZVwpEG78SIWw0Rh6:DCKp3+7kQNYBsQfweG7EWwR

Score

10^/10

persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\restore_files_eyrhl.txt

Ransom Note

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://rtldkdh6.kghw88gh3eu.net/9CE3D3CDE43ADEF8 2. http://jsdf2wevw2.wrt23wqw34.net/9CE3D3CDE43ADEF8 3. https://7vhbukzxypxh3xfy.onion.to/9CE3D3CDE43ADEF8 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: 7vhbukzxypxh3xfy.onion/9CE3D3CDE43ADEF8 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://rtldkdh6.kghw88gh3eu.net/9CE3D3CDE43ADEF8 http://jsdf2wevw2.wrt23wqw34.net/9CE3D3CDE43ADEF8 https://7vhbukzxypxh3xfy.onion.to/9CE3D3CDE43ADEF8 Your personal page (using TOR): 7vhbukzxypxh3xfy.onion/9CE3D3CDE43ADEF8 Your personal identification number (if you open the site (or TOR 's) directly): 9CE3D3CDE43ADEF8

URLs

http://rtldkdh6.kghw88gh3eu.net/9CE3D3CDE43ADEF8

http://jsdf2wevw2.wrt23wqw34.net/9CE3D3CDE43ADEF8

https://7vhbukzxypxh3xfy.onion.to/9CE3D3CDE43ADEF8

http://7vhbukzxypxh3xfy.onion/9CE3D3CDE43ADEF8

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (887) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	vcwdun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	VirusShare_cfd2351a65e19f7ff9e09d9f0f2a42db.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_eyrhl.html	vcwdun.exe

Executes dropped EXE 1 IoCs

pid	Process
1424	vcwdun.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\helper_xgcv = "C:\\Users\\Admin\\AppData\\Roaming\\vcwdun.exe"	vcwdun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\helper_xgcv = "C"	vcwdun.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ipinfo.io

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-125.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-125.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-16_altform-unplated.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36_altform-lightunplated.png	vcwdun.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-72.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-96_altform-unplated.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\HoloAssets\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\Java\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-lightunplated.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\THMBNAIL.PNG	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\View3d\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100_contrast-white.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-20_altform-unplated_contrast-black.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\View3d\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-100.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-125.png	vcwdun.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-125.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\LargeTile.scale-100_contrast-black.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-200.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlFrontIndicatorHover.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Ear.png	vcwdun.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png	vcwdun.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-125.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_contrast-black.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-150.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-36.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-150.png	vcwdun.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png	vcwdun.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\restore_files_eyrhl.html	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-200.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\restore_files_eyrhl.txt	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-32.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-100.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-125.png	vcwdun.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_eyrhl.txt	vcwdun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2444	vssadmin.exe
1552	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	vcwdun.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2060	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe
1424	vcwdun.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	VirusShare_cfd2351a65e19f7ff9e09d9f0f2a42db.exe
Token: SeDebugPrivilege	1424	vcwdun.exe
Token: SeBackupPrivilege	2740	vssvc.exe
Token: SeRestorePrivilege	2740	vssvc.exe
Token: SeAuditPrivilege	2740	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 1424	3472	VirusShare_cfd2351a65e19f7ff9e09d9f0f2a42db.exe	84
PID 3472 wrote to memory of 1424	3472	VirusShare_cfd2351a65e19f7ff9e09d9f0f2a42db.exe	84
PID 3472 wrote to memory of 1424	3472	VirusShare_cfd2351a65e19f7ff9e09d9f0f2a42db.exe	84
PID 3472 wrote to memory of 1940	3472	VirusShare_cfd2351a65e19f7ff9e09d9f0f2a42db.exe	86
PID 3472 wrote to memory of 1940	3472	VirusShare_cfd2351a65e19f7ff9e09d9f0f2a42db.exe	86
PID 3472 wrote to memory of 1940	3472	VirusShare_cfd2351a65e19f7ff9e09d9f0f2a42db.exe	86
PID 1424 wrote to memory of 2444	1424	vcwdun.exe	88
PID 1424 wrote to memory of 2444	1424	vcwdun.exe	88
PID 1424 wrote to memory of 2060	1424	vcwdun.exe	100
PID 1424 wrote to memory of 2060	1424	vcwdun.exe	100
PID 1424 wrote to memory of 2060	1424	vcwdun.exe	100
PID 1424 wrote to memory of 3532	1424	vcwdun.exe	101
PID 1424 wrote to memory of 3532	1424	vcwdun.exe	101
PID 3532 wrote to memory of 3976	3532	msedge.exe	102
PID 3532 wrote to memory of 3976	3532	msedge.exe	102
PID 1424 wrote to memory of 1552	1424	vcwdun.exe	103
PID 1424 wrote to memory of 1552	1424	vcwdun.exe	103
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 4576	3532	msedge.exe	106
PID 3532 wrote to memory of 3984	3532	msedge.exe	107
PID 3532 wrote to memory of 3984	3532	msedge.exe	107
PID 3532 wrote to memory of 1360	3532	msedge.exe	108
PID 3532 wrote to memory of 1360	3532	msedge.exe	108
PID 3532 wrote to memory of 1360	3532	msedge.exe	108
PID 3532 wrote to memory of 1360	3532	msedge.exe	108
PID 3532 wrote to memory of 1360	3532	msedge.exe	108

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcwdun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vcwdun.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_cfd2351a65e19f7ff9e09d9f0f2a42db.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_cfd2351a65e19f7ff9e09d9f0f2a42db.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Roaming\vcwdun.exe
  C:\Users\Admin\AppData\Roaming\vcwdun.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1424
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2444
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc85f746f8,0x7ffc85f74708,0x7ffc85f74718
      4⤵
      PID:3976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,6311358155570973077,4744160477191439110,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      4⤵
      PID:4576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,6311358155570973077,4744160477191439110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,6311358155570973077,4744160477191439110,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
      4⤵
      PID:1360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6311358155570973077,4744160477191439110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:1368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6311358155570973077,4744160477191439110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      4⤵
      PID:2444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,6311358155570973077,4744160477191439110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
      4⤵
      PID:2556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,6311358155570973077,4744160477191439110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
      4⤵
      PID:3692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6311358155570973077,4744160477191439110,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
      4⤵
      PID:4320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6311358155570973077,4744160477191439110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
      4⤵
      PID:1988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6311358155570973077,4744160477191439110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
      4⤵
      PID:5068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6311358155570973077,4744160477191439110,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
      4⤵
      PID:2764
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwdun.exe >> NUL
    3⤵
    PID:4356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  PID:1940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\restore_files_eyrhl.html

Filesize
5KB

MD5
014e921e8a677069dbe195d3f62f1ac7

SHA1
a70be6530cc0f2ee3c9ccc1a5af1387d54facf7a

SHA256
74adc8250bf45ab8104271448b60a0d2ec0ee0e26067c0bd2bcb3dc0882cc06d

SHA512
e60b0eaa495cccea11793f8ba3764664d17e60478a161dc71531ef5225380e92d666f982faae1d56ab822d31cd826a6d1ade8967d7f2358e4502082c5d7b5110

Download Submit
C:\PerfLogs\restore_files_eyrhl.txt

Filesize
2KB

MD5
4f01d6e42dd5f4bca9d6ff5e26f55233

SHA1
ab5d29583d2651f000528268d8adc22bd2351c60

SHA256
f1b9793b70aa7acd386cffed999bde8464f08a7e6c5c4287b651f962afcb572c

SHA512
c492569f0df6db08f4b302cfbfe0ecf038b3d88fb4b191995827874c66b5d6f156fa68450b4ec9120aaa02f80019b7a40dbda607f40c83220ef4bb7b80a358ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E62A8F547B79FBF11B7311BEEA0EDEDB

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E62A8F547B79FBF11B7311BEEA0EDEDB

Filesize
426B

MD5
fd5f70ccadbf6900fcb69ab47e747ce4

SHA1
4a52ba0168678245059fb2d1101d4091862042dc

SHA256
8f4bc10be7bf7d384d202f82e6266e5ebaa17045b4d68d8d8e06aef7fb446147

SHA512
4eedf561aa3a50c6b152e2bed449fbd6585eee65d5d9f278af24db22a3f26ae85616f4446c79ad3e5cac391ea4a7430c5f5d4504586dbdfd49a76666de7ae740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
011193d03a2492ca44f9a78bdfb8caa5

SHA1
71c9ead344657b55b635898851385b5de45c7604

SHA256
d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0

SHA512
239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\757106c5-b121-44e0-b93d-f6db2cb44fa9.tmp

Filesize
5KB

MD5
5d944fc41a353ea131f4be20290f65c7

SHA1
e145ed00dd8c7261501539a134bdadc2db2ffc90

SHA256
e586fe289bd05c7f3d03ad5dde8ccf3ebc48eef972839e3ca8db9406041f773d

SHA512
569ccf357f354a664b212c2af78446f7d6be21f52295c306a74cd7c3830a0ad97d0f2e6ae239f68aded033c494c87f36ec9a2471acc009e5da0f1f4d3dae57d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
111b4f7212028d297c66a250b3c5cf96

SHA1
1556cac9e40ff9ee897398a50e800d4cdbd31c2d

SHA256
c87ed6fd421f39fde6a20b3b6ca44e3b95b0ebe5a7b83454f41a94741ccc6e6d

SHA512
bd17c0a11f4f5a0ff235e5c7bc75426d8108ba4e616c24ac417f321738fb0257f987a4a1519d1b3c2c768bfd24327d38a208ac022ee70eddaa7be395eb13282e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f5b764fa779a5880b1fbe26496fe2448

SHA1
aa46339e9208e7218fb66b15e62324eb1c0722e8

SHA256
97de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d

SHA512
5bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85cd1383423dce00535d2d87d1cfd88c

SHA1
a6d5f2904a7ebb44bf33eaeb1e6a3f78c0679a16

SHA256
3612461385f35c57a55d89f0b0f8b362ffcf76acaa52f3eb1814bba0eb7ba7a4

SHA512
d6999f25309bf28452bbd3e76892f13bd5611ce8864e29c512e9d64d830fabca981db3ad7d377c333ccacb68f0e51f2a8cff05c59d0beaba0e7efcce901f3534

Download Submit
C:\Users\Admin\AppData\Roaming\vcwdun.exe

Filesize
298KB

MD5
cfd2351a65e19f7ff9e09d9f0f2a42db

SHA1
2ec3342d9c01e0eeeec80b4f5787a6f9a9ce5d50

SHA256
a77232cefd0ce412731521cb4143dbaaaf51e69076cafd2e2252c663b2cf00ec

SHA512
23aff27d7189229de12b124285442f38c9f3eeefd3a1f5b1fd193c983b9212f419819c869869f373e8a98ff2bbaf94579ca91aa908cecdbf9d190b91697a3718

Download Submit
memory/1424-7630-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/1424-16-0x00000000742B0000-0x00000000742E9000-memory.dmp

Filesize
228KB

Download
memory/1424-4121-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/1424-7067-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/1424-7590-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/1424-1066-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/1424-10-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/1424-2809-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/1424-13-0x0000000000E70000-0x0000000000E73000-memory.dmp

Filesize
12KB

Download
memory/1424-7631-0x00000000742B0000-0x00000000742E9000-memory.dmp

Filesize
228KB

Download
memory/3472-15-0x00000000742B0000-0x00000000742E9000-memory.dmp

Filesize
228KB

Download
memory/3472-0-0x0000000000B10000-0x0000000000B14000-memory.dmp

Filesize
16KB

Download
memory/3472-14-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/3472-5-0x00000000742B0000-0x00000000742E9000-memory.dmp

Filesize
228KB

Download
memory/3472-4-0x0000000000B20000-0x0000000000B23000-memory.dmp

Filesize
12KB

Download
memory/3472-1-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download