e0dd4011e20b1891e8a9d8b2bdf474b2567b9b12228c3071697b329d1ea9fe33

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 21:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_1b4fe263910ddda19b73d160c655051e.exe
Size

311KB
MD5

1b4fe263910ddda19b73d160c655051e
SHA1

ee29de3b4d84b6a40bf880adaaa8cc4182c22edd
SHA256

e0dd4011e20b1891e8a9d8b2bdf474b2567b9b12228c3071697b329d1ea9fe33
SHA512

8da58bf888ea8c17f337e8092fb88595291b4702411265986cc1c883e42a4b68fd4b0935d401ec43a462a83ec8a364d2b70564c7a7cdb315cd9c9fc6670dc2a9
SSDEEP

6144:3gwtAiwoPwjx2X8sc94NCcbZkOxUmRAFabXA5FwwtcUpfUOcrPWiPuXT5+:3uoPwjxkhkOxUmNrAPwwtftUPWieU

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\restore_files_kpoga.txt

Ransom Note

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://rtldkdh6.kghw88gh3eu.net/DB3AEAA157663AA6 2. http://jsdf2wevw2.wrt23wqw34.net/DB3AEAA157663AA6 3. https://7vhbukzxypxh3xfy.onion.to/DB3AEAA157663AA6 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: 7vhbukzxypxh3xfy.onion/DB3AEAA157663AA6 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://rtldkdh6.kghw88gh3eu.net/DB3AEAA157663AA6 http://jsdf2wevw2.wrt23wqw34.net/DB3AEAA157663AA6 https://7vhbukzxypxh3xfy.onion.to/DB3AEAA157663AA6 Your personal page (using TOR): 7vhbukzxypxh3xfy.onion/DB3AEAA157663AA6 Your personal identification number (if you open the site (or TOR 's) directly): DB3AEAA157663AA6

URLs

http://rtldkdh6.kghw88gh3eu.net/DB3AEAA157663AA6

http://jsdf2wevw2.wrt23wqw34.net/DB3AEAA157663AA6

https://7vhbukzxypxh3xfy.onion.to/DB3AEAA157663AA6

http://7vhbukzxypxh3xfy.onion/DB3AEAA157663AA6

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (885) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	VirusShare_1b4fe263910ddda19b73d160c655051e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	vcwtrv.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_kpoga.html	vcwtrv.exe

Executes dropped EXE 1 IoCs

pid	Process
3908	vcwtrv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\helper_xgcv = "C:\\Users\\Admin\\AppData\\Roaming\\vcwtrv.exe"	vcwtrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\helper_xgcv = "C"	vcwtrv.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-16_altform-lightunplated.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\MedTile.scale-100.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_trending.targetsize-48.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateHorizontally.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-100.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Eye.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-64.png	vcwtrv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.scale-100.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-125.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	vcwtrv.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-400_contrast-white.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-150_contrast-white.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32_altform-unplated.png	vcwtrv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-100.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-400.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48_altform-unplated.png	vcwtrv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-100.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-16.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-400.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-125.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-20_altform-unplated.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-200.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\SmallTile.scale-125.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-200.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60_altform-unplated.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Velocity\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png	vcwtrv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\restore_files_kpoga.txt	vcwtrv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png	vcwtrv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-200_contrast-black.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\SmallTile.scale-200.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\NinjaCatOnDragon.scale-200.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-30.png	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated_contrast-white.png	vcwtrv.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_kpoga.html	vcwtrv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Square150x150Logo.scale-125.png	vcwtrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4196	vssadmin.exe
2288	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	vcwtrv.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1852	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe
3908	vcwtrv.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	VirusShare_1b4fe263910ddda19b73d160c655051e.exe
Token: SeDebugPrivilege	3908	vcwtrv.exe
Token: SeBackupPrivilege	1068	vssvc.exe
Token: SeRestorePrivilege	1068	vssvc.exe
Token: SeAuditPrivilege	1068	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3908	2408	VirusShare_1b4fe263910ddda19b73d160c655051e.exe	83
PID 2408 wrote to memory of 3908	2408	VirusShare_1b4fe263910ddda19b73d160c655051e.exe	83
PID 2408 wrote to memory of 3908	2408	VirusShare_1b4fe263910ddda19b73d160c655051e.exe	83
PID 2408 wrote to memory of 2208	2408	VirusShare_1b4fe263910ddda19b73d160c655051e.exe	84
PID 2408 wrote to memory of 2208	2408	VirusShare_1b4fe263910ddda19b73d160c655051e.exe	84
PID 2408 wrote to memory of 2208	2408	VirusShare_1b4fe263910ddda19b73d160c655051e.exe	84
PID 3908 wrote to memory of 4196	3908	vcwtrv.exe	87
PID 3908 wrote to memory of 4196	3908	vcwtrv.exe	87
PID 3908 wrote to memory of 1852	3908	vcwtrv.exe	92
PID 3908 wrote to memory of 1852	3908	vcwtrv.exe	92
PID 3908 wrote to memory of 1852	3908	vcwtrv.exe	92
PID 3908 wrote to memory of 2696	3908	vcwtrv.exe	93
PID 3908 wrote to memory of 2696	3908	vcwtrv.exe	93
PID 2696 wrote to memory of 4404	2696	msedge.exe	94
PID 2696 wrote to memory of 4404	2696	msedge.exe	94
PID 3908 wrote to memory of 2288	3908	vcwtrv.exe	95
PID 3908 wrote to memory of 2288	3908	vcwtrv.exe	95
PID 3908 wrote to memory of 4584	3908	vcwtrv.exe	97
PID 3908 wrote to memory of 4584	3908	vcwtrv.exe	97
PID 3908 wrote to memory of 4584	3908	vcwtrv.exe	97
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 2644	2696	msedge.exe	99
PID 2696 wrote to memory of 4520	2696	msedge.exe	100
PID 2696 wrote to memory of 4520	2696	msedge.exe	100
PID 2696 wrote to memory of 2004	2696	msedge.exe	101
PID 2696 wrote to memory of 2004	2696	msedge.exe	101

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcwtrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vcwtrv.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_1b4fe263910ddda19b73d160c655051e.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_1b4fe263910ddda19b73d160c655051e.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\vcwtrv.exe
  C:\Users\Admin\AppData\Roaming\vcwtrv.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3908
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:4196
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe76fe46f8,0x7ffe76fe4708,0x7ffe76fe4718
      4⤵
      PID:4404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:2644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
      4⤵
      PID:4520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
      4⤵
      PID:2004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:2316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      4⤵
      PID:4100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:8
      4⤵
      PID:3028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:8
      4⤵
      PID:3300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
      4⤵
      PID:1204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
      4⤵
      PID:4188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
      4⤵
      PID:3636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
      4⤵
      PID:4936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,10574677421853450628,17485832927554293119,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2988 /prefetch:2
      4⤵
      PID:3068
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwtrv.exe >> NUL
    3⤵
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  PID:2208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\restore_files_kpoga.html

Filesize
5KB

MD5
f382f8ac7e899ef554e77878c2ec4733

SHA1
e2d9e6f1daf4d197ab2fd92355ffab0d17803a32

SHA256
74cebbcd04a6797cc57eeefba429abac0358a5420858c692a1515c6a3ef547fc

SHA512
49bda692a62754d3d8f8add7a9e05646b7a53e943ad71b08fc856d1dc924df42c271b12fc99a1d1cad6158676ec0cb3c40a48a7cddcde0414529357d88524db6

Download Submit
C:\Program Files\7-Zip\Lang\restore_files_kpoga.txt

Filesize
2KB

MD5
f2d57d0862b4f2e6f22f201ec333e712

SHA1
51e17d4394782afbddbc619109c326f14a9ca05d

SHA256
9bf7c7f0632bc66d30a08cf2d093ff9f4a89bfbce8e86feb9aa08973599b8204

SHA512
5be40954abb9f1557728c93106ee5f698b9fd5bc4aba32ea5e2c8f142c33e692e0a22b704cd3c109ab52205fe6a2a0e20fca981b5e1b7d0b6684e659be5ddc6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3f1ae9335eabcd631a13e051b76489e6

SHA1
5d141715f3f328d0db27fa23cff1fd9ae272f2c4

SHA256
5f6e32c1ffcb48e359bf1421983eb23d832658c105b5cd64f432fe9c494bcf2f

SHA512
0ef86475209f23f723d48461246fe50f956d3deccfe7940ee38b25978e5c37af58bff4e87b1b0a5199d4c8a38a0f2fddd37f124e0d811e3ec533157ee9909436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2df0e40598656e66d0af675b2636a1e7

SHA1
899635b20a40f0980709fedff28f64bbbd013086

SHA256
a111bbd518da8a170ec1f206dd00ebdc32a2912b091c2dcdeea384a5c6721b72

SHA512
fd5505491d3ce72b062bd4d727e3aae5ad3bce66e124821518edddefec5d66d56dba83519285cb21433e98aa8efa5dbe0c5f52ebaa55fdbcc5e5d0457a487692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
661b5e7643487d546c53037d9f9af359

SHA1
f1b70926f5fbe9102fc6abcc3b6c3e9424232a8e

SHA256
00d7a29bf2f65e107a219bd3f47fd74be545ae47eced13409a08e666ab1df546

SHA512
c2e4efc29eb7f1caf77568bfb27e2c20ec9c04485bbd7cbb8496e845f45927669d3652a8013b2b0d76c30c2604cc69de387e8e66934dc80a4f29a0b68c54c35e

Download Submit
C:\Users\Admin\AppData\Roaming\vcwtrv.exe

Filesize
311KB

MD5
1b4fe263910ddda19b73d160c655051e

SHA1
ee29de3b4d84b6a40bf880adaaa8cc4182c22edd

SHA256
e0dd4011e20b1891e8a9d8b2bdf474b2567b9b12228c3071697b329d1ea9fe33

SHA512
8da58bf888ea8c17f337e8092fb88595291b4702411265986cc1c883e42a4b68fd4b0935d401ec43a462a83ec8a364d2b70564c7a7cdb315cd9c9fc6670dc2a9

Download Submit
memory/2408-15-0x0000000074DB0000-0x0000000074DE9000-memory.dmp

Filesize
228KB

Download
memory/2408-14-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2408-0-0x00000000009F0000-0x00000000009F3000-memory.dmp

Filesize
12KB

Download
memory/2408-5-0x0000000074DB0000-0x0000000074DE9000-memory.dmp

Filesize
228KB

Download
memory/2408-4-0x0000000000A00000-0x0000000000A03000-memory.dmp

Filesize
12KB

Download
memory/2408-1-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3908-10-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3908-7643-0x0000000074DB0000-0x0000000074DE9000-memory.dmp

Filesize
228KB

Download
memory/3908-7642-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3908-7629-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3908-6752-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3908-16-0x0000000074DB0000-0x0000000074DE9000-memory.dmp

Filesize
228KB

Download
memory/3908-13-0x00000000008B0000-0x00000000008B3000-memory.dmp

Filesize
12KB

Download