0db818ad2b03a8003c1b923985b3cd74ed82272205b3372796b192d2661824ac

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 21:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_c9ef69554082be3467df433a15e7ab45.exe
Size

321KB
MD5

c9ef69554082be3467df433a15e7ab45
SHA1

79c01bf85a712ddf6a4d54e9db281a8310a12c15
SHA256

0db818ad2b03a8003c1b923985b3cd74ed82272205b3372796b192d2661824ac
SHA512

13d818b734a9ee2d1cd2bda66ae6213f7fb7e9a74f0175ae37b85906816341e6224cdf1d5f57487e21b80d9782cee75db8acbd3752a303569fc8c6fa2598a4f9
SSDEEP

6144:cL42La41ctAaWLBbYcTDASiBdRIGt4MCZnsdbTo07BTT9OyIO:I42LasctABLBz/Udu04MEnsdbTo01VO8

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\restore_files_felny.txt

Ransom Note

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://qw2234duoiyu.h2fyr6785jhdhfg.com/63EC4070FC173D71 2. http://awoeinf832as.wo49i277rnw.com/63EC4070FC173D71 3. https://kb63vhjuk3wh4ex7.onion.to/63EC4070FC173D71 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: kb63vhjuk3wh4ex7.onion/63EC4070FC173D71 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://qw2234duoiyu.h2fyr6785jhdhfg.com/63EC4070FC173D71 http://awoeinf832as.wo49i277rnw.com/63EC4070FC173D71 https://kb63vhjuk3wh4ex7.onion.to/63EC4070FC173D71 Your personal page (using TOR): kb63vhjuk3wh4ex7.onion/63EC4070FC173D71 Your personal identification number (if you open the site (or TOR 's) directly): 63EC4070FC173D71

URLs

http://qw2234duoiyu.h2fyr6785jhdhfg.com/63EC4070FC173D71

http://awoeinf832as.wo49i277rnw.com/63EC4070FC173D71

https://kb63vhjuk3wh4ex7.onion.to/63EC4070FC173D71

http://kb63vhjuk3wh4ex7.onion/63EC4070FC173D71

Extracted

Path

C:\Program Files\7-Zip\Lang\restore_files_felny.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> What happened  to your files? All of your files were protected by a strong encryption with RSA-2048 More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!. What do I do? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> 1.<a href="http://qw2234duoiyu.h2fyr6785jhdhfg.com/63EC4070FC173D71" target="_blank">http://qw2234duoiyu.h2fyr6785jhdhfg.com/63EC4070FC173D71</a> 2.<a href="http://awoeinf832as.wo49i277rnw.com/63EC4070FC173D71" target="_blank">http://awoeinf832as.wo49i277rnw.com/63EC4070FC173D71</a> 3.<a href="https://kb63vhjuk3wh4ex7.onion.to/63EC4070FC173D71" target="_blank">https://kb63vhjuk3wh4ex7.onion.to/63EC4070FC173D71</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: kb63vhjuk3wh4ex7.onion/63EC4070FC173D71 4. Follow the instructions on the site.</div> IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href="http://qw2234duoiyu.h2fyr6785jhdhfg.com/63EC4070FC173D71" target="_blank">http://qw2234duoiyu.h2fyr6785jhdhfg.com/63EC4070FC173D71</a> <a href="http://awoeinf832as.wo49i277rnw.com/63EC4070FC173D71" target="_blank">http://awoeinf832as.wo49i277rnw.com/63EC4070FC173D71</a> <a href="https://kb63vhjuk3wh4ex7.onion.to/63EC4070FC173D71" target="_blank"> https://kb63vhjuk3wh4ex7.onion.to/63EC4070FC173D71</a> Your Personal PAGE (using TOR): kb63vhjuk3wh4ex7.onion/63EC4070FC173D71 Your personal code (if you open the site (or TOR 's) directly): 63EC4070FC173D71 </div></div></center></body></html>

URLs

https://kb63vhjuk3wh4ex7.onion.to/63EC4070FC173D71</a>

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	VirusShare_c9ef69554082be3467df433a15e7ab45.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	vcwmvr.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_felny.txt	vcwmvr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_felny.txt	vcwmvr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_felny.html	vcwmvr.exe

Executes dropped EXE 1 IoCs

pid	Process
1608	vcwmvr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vssadm = "C:\\Users\\Admin\\AppData\\Roaming\\vcwmvr.exe"	vcwmvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vssadm = "C"	vcwmvr.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-400.png	vcwmvr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\restore_files_felny.txt	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\contacts_permission_uwp.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-60.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-high.png	vcwmvr.exe
File opened for modification	C:\Program Files\ResolveRead.doc	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7734_36x36x32.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsSplashLogo.scale-140.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-200.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-32_altform-unplated_contrast-white.png	vcwmvr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt	vcwmvr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\256x256.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\NoiseAsset_256x256_PNG.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-125.png	vcwmvr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-40_altform-lightunplated.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-125.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-36_altform-unplated.png	vcwmvr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\Cabinet.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\illustration-UploadToOD.svg	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-200.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-125.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\restore_files_felny.txt	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-16.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\FlatFreehand3D.mp4	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\restore_files_felny.txt	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W4.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-200.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jscripts\wefgallery_strings.js	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-200.png	vcwmvr.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-36_altform-unplated_contrast-black.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-200.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\restore_files_felny.txt	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png	vcwmvr.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-80_altform-unplated.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-150.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteWideTile.scale-400.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-125.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-125.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-256.png	vcwmvr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\restore_files_felny.txt	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\MilitaryRight.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-150.png	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\restore_files_felny.html	vcwmvr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png	vcwmvr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3036	vssadmin.exe
2908	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	vcwmvr.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1844	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe
1608	vcwmvr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	652	VirusShare_c9ef69554082be3467df433a15e7ab45.exe
Token: SeDebugPrivilege	1608	vcwmvr.exe
Token: SeBackupPrivilege	2312	vssvc.exe
Token: SeRestorePrivilege	2312	vssvc.exe
Token: SeAuditPrivilege	2312	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 1608	652	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	83
PID 652 wrote to memory of 1608	652	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	83
PID 652 wrote to memory of 1608	652	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	83
PID 652 wrote to memory of 1944	652	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	84
PID 652 wrote to memory of 1944	652	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	84
PID 652 wrote to memory of 1944	652	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	84
PID 1608 wrote to memory of 2908	1608	vcwmvr.exe	87
PID 1608 wrote to memory of 2908	1608	vcwmvr.exe	87
PID 1608 wrote to memory of 1844	1608	vcwmvr.exe	94
PID 1608 wrote to memory of 1844	1608	vcwmvr.exe	94
PID 1608 wrote to memory of 1844	1608	vcwmvr.exe	94
PID 1608 wrote to memory of 1840	1608	vcwmvr.exe	95
PID 1608 wrote to memory of 1840	1608	vcwmvr.exe	95
PID 1840 wrote to memory of 2744	1840	msedge.exe	96
PID 1840 wrote to memory of 2744	1840	msedge.exe	96
PID 1608 wrote to memory of 3036	1608	vcwmvr.exe	97
PID 1608 wrote to memory of 3036	1608	vcwmvr.exe	97
PID 1608 wrote to memory of 1004	1608	vcwmvr.exe	99
PID 1608 wrote to memory of 1004	1608	vcwmvr.exe	99
PID 1608 wrote to memory of 1004	1608	vcwmvr.exe	99
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 752	1840	msedge.exe	101
PID 1840 wrote to memory of 4656	1840	msedge.exe	102
PID 1840 wrote to memory of 4656	1840	msedge.exe	102
PID 1840 wrote to memory of 2952	1840	msedge.exe	103
PID 1840 wrote to memory of 2952	1840	msedge.exe	103

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcwmvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vcwmvr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_c9ef69554082be3467df433a15e7ab45.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_c9ef69554082be3467df433a15e7ab45.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652
- C:\Users\Admin\AppData\Roaming\vcwmvr.exe
  C:\Users\Admin\AppData\Roaming\vcwmvr.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1608
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2908
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa955e46f8,0x7ffa955e4708,0x7ffa955e4718
      4⤵
      PID:2744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,13303139454415601465,5834484600137634589,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,13303139454415601465,5834484600137634589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      4⤵
      PID:4656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,13303139454415601465,5834484600137634589,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
      4⤵
      PID:2952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13303139454415601465,5834484600137634589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:2028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13303139454415601465,5834484600137634589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13303139454415601465,5834484600137634589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:8
      4⤵
      PID:800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13303139454415601465,5834484600137634589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:8
      4⤵
      PID:1212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13303139454415601465,5834484600137634589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
      4⤵
      PID:2940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13303139454415601465,5834484600137634589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
      4⤵
      PID:2584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13303139454415601465,5834484600137634589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:4048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13303139454415601465,5834484600137634589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      4⤵
      PID:1276
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwmvr.exe >> NUL
    3⤵
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  PID:1944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\restore_files_felny.html

Filesize
4KB

MD5
8a8265a4c4afca98b6a10c62631af95b

SHA1
bff6652abb60e24040a76fa6d2a010b31e9c7430

SHA256
7570040cdfd03ba4adb88f7b678ea3c05b74eea4f360c0475daabe34e377d5ec

SHA512
1011cb8dc80cfee315bdd9e7a566a4ccef855c0408ebc43190f6250064f979e0a91b28afe61ac6356904128a92b381f5585f40ee53327781fc555dfe320a6cd0

Download Submit
C:\Program Files\7-Zip\Lang\restore_files_felny.txt

Filesize
2KB

MD5
20fe4937760a4361d59f65535c986311

SHA1
6da4416457e5c75cbea82b8c59d0f59f3c2e04d9

SHA256
8347bfbb6c763e500521248462e5418eb03c99420f52b7ffa92711586539b771

SHA512
0fbf6e4995b38e4341f7ed5f83f47be35e941d3a278136f229de1f86a68085efaf0fdcf597aacf78444f8a72a1f6be512eaab341edad5fd8baaab47f604f2794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
061f62b246cf4a9eb3b7e69b577aaf57

SHA1
a568234f2a06e6fd2c5407fdd0ef3278b47c688f

SHA256
528bdc86deac79bd15de8ed44cef15960be9cf6161fd705966ee971e02e0a8e6

SHA512
e9b8b8c7a7e6882b1b8be15be53175ee7945e1a48cb5463678e7a0bf21e33389ac8ab513f5ad7c5d984c5697f98616e90c946c6a53dc17ece2d08984471c84b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b73442e05f206cf06712c57c1172e3c9

SHA1
592f136ed6d559acebcc4f76f14d47face2c7ccb

SHA256
d93ed7c5a017cc24aa21fd0f1770226186bc4741259fe30b26dfaad3342d1153

SHA512
46c9158b6c246b54be7f20d3cf7b67f254a037f01501a6c044e04b7db6ac6d85c8eb1f13821d831911e709cf942a9b915809f64e4e57e1017291b635c4accc01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
235139f8a8cb84221536b3e27a689d1f

SHA1
311974ab58aef39c65e4d521f7a3de5e4be8a95d

SHA256
458797ccd20b6619af4367f70c75434b6da5e981b3ada9f1091e29bad4957c86

SHA512
11c5454a77162f142f944f81bea6438ce9a06e357d8ab11aea1f85b2973dd21711aee75696b1c8edce5d683b22129b992d4d4bcd5d166bea8d4ec3ad23eec2fc

Download Submit
C:\Users\Admin\AppData\Roaming\vcwmvr.exe

Filesize
321KB

MD5
c9ef69554082be3467df433a15e7ab45

SHA1
79c01bf85a712ddf6a4d54e9db281a8310a12c15

SHA256
0db818ad2b03a8003c1b923985b3cd74ed82272205b3372796b192d2661824ac

SHA512
13d818b734a9ee2d1cd2bda66ae6213f7fb7e9a74f0175ae37b85906816341e6224cdf1d5f57487e21b80d9782cee75db8acbd3752a303569fc8c6fa2598a4f9

Download Submit
memory/652-11-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/652-0-0x0000000000C60000-0x0000000000C63000-memory.dmp

Filesize
12KB

Download
memory/652-1-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/652-5-0x0000000000D20000-0x0000000000D24000-memory.dmp

Filesize
16KB

Download
memory/652-6-0x0000000074DC0000-0x0000000074DF9000-memory.dmp

Filesize
228KB

Download
memory/652-12-0x0000000074DC0000-0x0000000074DF9000-memory.dmp

Filesize
228KB

Download
memory/1608-7622-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/1608-13-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/1608-7648-0x0000000074DC0000-0x0000000074DF9000-memory.dmp

Filesize
228KB

Download
memory/1608-7647-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/1608-17-0x0000000000890000-0x0000000000894000-memory.dmp

Filesize
16KB

Download
memory/1608-18-0x0000000074DC0000-0x0000000074DF9000-memory.dmp

Filesize
228KB

Download
memory/1608-7589-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/1608-3041-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download