03fa142c0153a5651371ebefc567bf9988338050f9c185e3b0dafdc0f5092744

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe
Size

260KB
MD5

b62587dc8304bbc9ce68d0e8098dcabb
SHA1

969c18c86fa5e97341ae09ea268f87c06a42d7f0
SHA256

03fa142c0153a5651371ebefc567bf9988338050f9c185e3b0dafdc0f5092744
SHA512

67fc72e78ad5ec2e0bf8eec50e478421d8a36834dffb963b943bb1d4ed31e991dca5a70b3edb783899e4595f17895089aff69b30918f5749e2c11752645b98cf
SSDEEP

6144:PmcU60DxID/MygKh2eJyDnqWkRN8uRsyS0:elxxeMyB0NnhkQuRsI

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_oeogq.txt

Ransom Note

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://aep554w4fm8j.fflroe598qu.com/3E9A531750489A54 2. http://aoei243548ld.keedo93i1lo.com/3E9A531750489A54 3. https://zpr5huq4bgmutfnf.onion.to/3E9A531750489A54 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: zpr5huq4bgmutfnf.onion/3E9A531750489A54 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal page: http://aep554w4fm8j.fflroe598qu.com/3E9A531750489A54 Your personal page (using TOR): zpr5huq4bgmutfnf.onion/3E9A531750489A54 Your personal identification number (if you open the site (or TOR 's) directly): 3E9A531750489A54

URLs

http://aep554w4fm8j.fflroe598qu.com/3E9A531750489A54

http://aoei243548ld.keedo93i1lo.com/3E9A531750489A54

https://zpr5huq4bgmutfnf.onion.to/3E9A531750489A54

http://zpr5huq4bgmutfnf.onion/3E9A531750489A54

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_oeogq.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> What happened to your files? All of your files were protected by a strong encryption with RSA-2048 More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> What does this mean? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!. What do I do? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If for some reasons the addresses are not available, follow these steps: <hr> If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> 1.<a href="http://aep554w4fm8j.fflroe598qu.com/3E9A531750489A54" target="_blank">http://aep554w4fm8j.fflroe598qu.com/3E9A531750489A54</a> 2.<a href="http://aoei243548ld.keedo93i1lo.com/3E9A531750489A54" target="_blank">http://aoei243548ld.keedo93i1lo.com/3E9A531750489A54</a> 3.<a href="https://zpr5huq4bgmutfnf.onion.to/3E9A531750489A54" target="_blank">https://zpr5huq4bgmutfnf.onion.to/3E9A531750489A54</a> </div> <div class="tb" style="font-size:13px; border-color:#88000 1. Download and install TOR-Browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: zpr5huq4bgmutfnf.onion/3E9A531750489A54 4. Follow the instructions on the site.</div> IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGE: <a href="http://aep554w4fm8j.fflroe598qu.com/3E9A531750489A54" target="_blank">http://aep554w4fm8j.fflroe598qu.com/3E9A531750489A54</a> Your Personal PAGE (using TOR): zpr5huq4bgmutfnf.onion/3E9A531750489A54 Your personal code (if you open the site (or TOR 's) directly): 3E9A531750489A54 </div></div></center></body></html>

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (430) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_oeogq.txt	vcwhfs.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	vcwhfs.exe

Loads dropped DLL 1 IoCs

pid	Process
1992	VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C:\\Users\\Admin\\AppData\\Roaming\\vcwhfs.exe"	vcwhfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C"	vcwhfs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	vcwhfs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv	vcwhfs.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css	vcwhfs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png	vcwhfs.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\restore_files_oeogq.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\restore_files_oeogq.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\de-DE\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\weather.css	vcwhfs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\restore_files_oeogq.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Media Player\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png	vcwhfs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png	vcwhfs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png	vcwhfs.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png	vcwhfs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	vcwhfs.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\restore_files_oeogq.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\restore_files_oeogq.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\restore_files_oeogq.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\clock.js	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\restore_files_oeogq.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png	vcwhfs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv	vcwhfs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\restore_files_oeogq.txt	vcwhfs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\restore_files_oeogq.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png	vcwhfs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\restore_files_oeogq.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png	vcwhfs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\restore_files_oeogq.txt	vcwhfs.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\spacer_highlights.png	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\restore_files_oeogq.html	vcwhfs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js	vcwhfs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2668	vssadmin.exe
2240	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e2945907b9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000749f7a4cf25b7448943efea0dad12fd40000000002000000000010660000000100002000000047d8822f364ef7f0728a87b82fe074c74984e019318cfa9b83e34c2cd4d9c5dc000000000e800000000200002000000057c619877749331e0d4f0d36ae870a33f61acf7d916117f5d67c9e6bdbe3fa0c2000000008e8c2dcdba903fdb803a8515c33f9b2f174b5951a921af12c81960c5e64b8c540000000d57bd9fdfdbbcee0540b8186a36fd1b3b714838c8b8f32a6057b3494f988c089b84ff8a5ce1ff96bc27cc868249ceca77e9cecab811aac6a858fc80cefcc618f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000749f7a4cf25b7448943efea0dad12fd4000000000200000000001066000000010000200000000245f07f7c327fe5c24651fd98fa60d7547f1921658bf158dee95c99ba951108000000000e800000000200002000000016b202c7ec148731de723a61894df77084b6d6c12f02ce28fab316d9e18c750690000000faed12c9a0bb12ba29f08d180472a6074ce739f68a7fa7d54a1f2c9996848973b85e2db8b1c8bb89efe0078acd7aa8c6852ad2827132236ae00208d1fc81c8c82e32b375dafbf8f707e41c5568c8930f09a07d9a78285fde3d7b89f9ea69951efb1f6dd656d11a5876baf130f577165a5e2e6a00c2d9cd180ee994d1d380e10ebba3c797ad3e5402f63f1abe90c101e440000000e2fe240aed7590a59d7f6bbc15c52d48e895c7d5c1862605580bd15ba681bf08ba83a314c09ceeeec9edefbfbd81544254f6e132140bc43e9c57ea7020298945	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423946254"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8518A701-24FA-11EF-8547-E6D98B7EB028} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2196	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe
2852	vcwhfs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe
Token: SeDebugPrivilege	2852	vcwhfs.exe
Token: SeBackupPrivilege	2160	vssvc.exe
Token: SeRestorePrivilege	2160	vssvc.exe
Token: SeAuditPrivilege	2160	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1568	iexplore.exe
1280	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1568	iexplore.exe
1568	iexplore.exe
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2852	1992	VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe	28
PID 1992 wrote to memory of 2852	1992	VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe	28
PID 1992 wrote to memory of 2852	1992	VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe	28
PID 1992 wrote to memory of 2852	1992	VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe	28
PID 1992 wrote to memory of 2616	1992	VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe	29
PID 1992 wrote to memory of 2616	1992	VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe	29
PID 1992 wrote to memory of 2616	1992	VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe	29
PID 1992 wrote to memory of 2616	1992	VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe	29
PID 2852 wrote to memory of 2668	2852	vcwhfs.exe	31
PID 2852 wrote to memory of 2668	2852	vcwhfs.exe	31
PID 2852 wrote to memory of 2668	2852	vcwhfs.exe	31
PID 2852 wrote to memory of 2668	2852	vcwhfs.exe	31
PID 2852 wrote to memory of 2196	2852	vcwhfs.exe	37
PID 2852 wrote to memory of 2196	2852	vcwhfs.exe	37
PID 2852 wrote to memory of 2196	2852	vcwhfs.exe	37
PID 2852 wrote to memory of 2196	2852	vcwhfs.exe	37
PID 2852 wrote to memory of 1568	2852	vcwhfs.exe	38
PID 2852 wrote to memory of 1568	2852	vcwhfs.exe	38
PID 2852 wrote to memory of 1568	2852	vcwhfs.exe	38
PID 2852 wrote to memory of 1568	2852	vcwhfs.exe	38
PID 1568 wrote to memory of 2656	1568	iexplore.exe	39
PID 1568 wrote to memory of 2656	1568	iexplore.exe	39
PID 1568 wrote to memory of 2656	1568	iexplore.exe	39
PID 1568 wrote to memory of 2656	1568	iexplore.exe	39
PID 2852 wrote to memory of 2240	2852	vcwhfs.exe	41
PID 2852 wrote to memory of 2240	2852	vcwhfs.exe	41
PID 2852 wrote to memory of 2240	2852	vcwhfs.exe	41
PID 2852 wrote to memory of 2240	2852	vcwhfs.exe	41

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcwhfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vcwhfs.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_b62587dc8304bbc9ce68d0e8098dcabb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\vcwhfs.exe
  C:\Users\Admin\AppData\Roaming\vcwhfs.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2852
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2668
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2196
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1568 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2656
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_oeogq.html

Filesize
4KB

MD5
84f88fe3cd5d670c032f5c0517995d8e

SHA1
326102c496af6ca9df4344b5c76fee09bc00b867

SHA256
f89e49cd38cdb3f26fe16899a7e1e89202a10a41c324d64cbd56f3f85cf4fd32

SHA512
7be79591f9dea5c3d0d922aa0b8b116b65b36fb500a2e9efc26c01a6ce89fa623fd9b28265c30622a0ac2dc2da9f6fb0da95fb9f8cea348507881caa5663c96d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_oeogq.txt

Filesize
2KB

MD5
7c5b23431a419c90e361968974e0eb37

SHA1
0c8754abc8307d595c8f5dc3d6512c4f353a0955

SHA256
69b4d9aabd71b2b29c3138fbef9ba8b1be9946db12cf95f496f88c0fa960b472

SHA512
cd48f7607be86d39a345dc83033a0abce15358a02b10e8661b86ead8a8c9cbc74055c12e1e02957745b11d9b9d91635866a7a425d2cf79eb43f6d0c176ef2cd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
df63a190dbae3f089a286aec8a4d80a6

SHA1
0ed7226b3dcae53faae84dd298abdca4e50c7977

SHA256
603d41f9e08bb2c3a3e1f57b14da257d765cb0c3b707dbef8d68b4c119683c4c

SHA512
873bdcc15ba47f66161f77bd5876a82daf588924acbd0247ce0a09fc95e5755bacde10e7d84058810283fb02f3d28b64a3053b044028cd0f9de8490675f1b2f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f43d38048059028bc8d757686903e589

SHA1
ca8885ac4be98bbf8230c6caf00bbed6dbd22885

SHA256
97c389b4bde9aeab664d59a87e33558f24321ef584de8a4b610fd7f9ead514bf

SHA512
7a893d477a6a45ea7a1fc0bc270b4b828d0a429aa4875d4953ab76671e27f61bd500bca74682bb1f6c5acfdf9644dced2020bcf6ceea6a825cf43f9317238aef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1609130ea087e6efc47d7ab07c958e9f

SHA1
56c7d90f443d3d3d23fc0a0142a42f6bf91b76d7

SHA256
76ac699e8e18d58e12e75377ca73182dce59744ee6f74f0dc33e7acbe462df9d

SHA512
3c22935e00730b9d0e70b8709addb860657764947e0956aa900c5738cc086039a6a58733a1aab3dc253a8d28b9ae09a8fa484e5531e74b209bcf2408a4ac39ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b75c9ba5a2ae9ece0ae5ad62ae14ea71

SHA1
921d16b122b92c10447eb612defdcf1598932dc0

SHA256
921051a57984a1fb0146500e654208258d16435054620c30a95122a6ecdf608e

SHA512
e800cf2c2dd4cbc4f275d1b812428be3334875a7d3ca586152578c92fb66df2d8e1613b44f0f1b8ce37085980ae6250e568b9d43d39a226a57ed93e7c5864907

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f639ded956e827bb4fb4b164c25525c

SHA1
c0445a6228557eb5368439b6b5beeac86866986a

SHA256
f003b5fe5aba2df0301b87cdc099f47d0fdc0c153f97a3501d98564316c590ed

SHA512
66d77a542513a2c859b22912675a8060c6b199da51b8afb6c1304bf5aa3de2a8d8721bad4ef14009585287896308bc1c032f2005556c6eb4311174796e3d2ddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df6ff956823987dd7b4de329ae05ca4b

SHA1
cab6494d92d357d75587a4daf1f9be05f01eb42d

SHA256
2b3e57feb98715d15e70ecffd5f2a056fc35818eedcb36306bf1ead0996bb5fa

SHA512
09e55bd2b14c2947b1adc7339b46a549c29b6bbb3bc96195da1defc06181782016350ff77e79a446c1eac62cd9d484ea417a381edc1756789ef34d4e1442cce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d91b4d43fa74fd973cba20c4240ace76

SHA1
39dec448efc1567bb7189024f5778b4815e85bee

SHA256
552cb2c57a15fc45199a3310d6a9561e966180e29906f4e7ce6fd2ec192576d3

SHA512
d7083095179b9ee93b62b8b4e0b3387cca676f98ee0acd463cadf5e5a7b5c1c29f025a95184cc557dc42b6b121d0f1b0324c003e281aa74573eaaa17bf7cb658

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33427fe841ea607a517771df348b2334

SHA1
22aef6230988c64f06b843ccfab69d681d0e791d

SHA256
03a8f5eb7ad5d479f5d1c91dbf90efc1f18afd2fbedfb313d4b8c8f6dfea0b8a

SHA512
a08b13be80445dc2b1cb4d99b22046c6e4160637e3888095a5d654da8c0c7c419f675325619329f5ea684b83663d8e954cf25fb38d0fb1eba7e6caa028c22d96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68945cddaf1d06f8d6f7c5b8e21a05f8

SHA1
88c984d6b3ae0c3f2ab5ef9225e31e78d86db6b4

SHA256
cb04d01a435240340c05d658bbdf3167fde0ec010be43259efbd6ccfee8bf701

SHA512
82e39cd8b5d916c7e915931bf89e9a59d1f6cfc8b2c25827210a1cc541c95e429ad102e8f2702648f954f950482073c53c5a69f98b7261b173602cf9fd550a09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91e75f7e1f8d2f9cdd821de65884ccc6

SHA1
46f92b70af3ad846e1982037c5679a51f46a17a7

SHA256
9944d0192654c5206cb9d58d0a5b0afbfa107edece8e426f377712921f3ce850

SHA512
2def8a1ed48adb20f271548a680e54e8fa308fb24f4684ae4792907d1c6b4addb41231647fc3ccfaba5bea0283a039dafcdf436683687cea7b441a82c7629295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2aa00aa98eee268d3cc7e733db92986d

SHA1
8089021a266702ba9f02be51114c468d24f599ac

SHA256
373e108b7a7ef6161ca89d26509a5e64565dfd8662867d1b675384e58ba44c3c

SHA512
769c8b3ce51be16547bdd4529deb98eb607618156194504e3cc88650dec798de67373d6d1270e1f18fc08b9108487bc8e005589606e886b1d6b0b483a719a3b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90cf7ed8927c5c270b19114eb8a3397f

SHA1
af98f50309b52685fc3912d03ae2f4002b106ef2

SHA256
ba531947534d91cf7f1d3a55b045817b39ae03dc43543bb6ac52089e89bcba6c

SHA512
505dd3f3595acf53aa90925a57a790f017c9287fbd4a98cb8933a9846c64837d3c589b2fbd1d68b0c2ddc7c4e7da9c43e5f67bffa7c0fd1c9b68678eaf08e4b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5d3a6ac9eec5b9df5085bf2f21ef393

SHA1
062196a871905349c47932002091f491e8e7244d

SHA256
bf4e0249236869ee6a91f75d5376b678ea475fe2d4daf9b47434d7e52a9c87de

SHA512
ffa9297a7659c2f96bd8a877e89cc1664a44b6fbec8e75ed84bbce96e3b6a30f611925f84e98567558c1a8d0b1a44bedf10a99a5709d01141cbe4aea1c4517b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9fc3bf335632fe70da4b139f7c72f07

SHA1
84b63615b24fdf4713daa84a3e6f04b83d865c97

SHA256
328bbece3755ab44c9fae35e2fc176829d0bd642b4eb8964faa50c7fbaec0e91

SHA512
125b8ca2cbf907ffaa7d39ee26a0f5dafa9fcc06dc0afd9a8febef00c108b7c53a864dcaabff75a92cd0648303f69541fa6d12c068edbb08c94d5b5dcf3cbdaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd5e724d1ae3597cebda2444d34231d8

SHA1
1de2e75bdde3af293eb279e4e9244f3181ead7c6

SHA256
c49d7d74c40026d8e75b7887b06a87d777cf7ceeaeae5d215ac7fe6643357d65

SHA512
014ce455b801ada3bdeef8fefa40274b365372962e02028c92ba3ed98215c347699b64ef36e93135583c7f154b6a5c658da49c02b27bf017008195c69e84eec0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aff768ec1cb4fd2cebe02f6712bc0fc6

SHA1
4b3ea504ed6ce48d49452af1a264ff50eabe0032

SHA256
0873fea209323b947e9e1abeec45f282dc5061d7d3ae1cb850d253d998140464

SHA512
f306f1d663310ca06340efe8278cee515f0679fa702a8cf7a3ed53d3a37ec7e1e109d1b74a731879cad55a4c18655099fe8939341723f38777e39c4a9af73856

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3d5615dce3d85304f18d6932c1bbce7

SHA1
8810012befcfab891bf6eab22d6a758a05630130

SHA256
f625ba265d4d99d1e7721f2cd18ae95e890347e9ba0c45af5f3be0ae8f99fe31

SHA512
df87513ad4e347f8368d642b6b16ee2e66ea0bd615999857ca930d39b72654f7991b3790db9ff3da8d8ca00088d2ee11ad3a8bae3907569de292423a981a92bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
219c3d61c611c8cb34e964681b0b80b2

SHA1
a61e9e8b10566a8dd3c1f2050894ccc9f4f6af81

SHA256
42a73e962b4aa065aefb13c968cc5dc4f4af0df30fee35d6abf63367c2ecdfff

SHA512
b8183622ace657687d25b0e6f63e3216e700092c1d788fa6920138ecb4c01498f1b6a2de090f2b9440152f6d9e64b62d1774d3e8649075f36f643901e462bea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
586d7a975fbddbc2fc4797c580645e86

SHA1
40e24e5270fee3c9705c308ef2c8a80e9ec7cff1

SHA256
48049deb6650800f88a5fc412c8ab56e50b9f51d2995545130dcdd82b346089c

SHA512
fee0113f6757107f34a7548ec74f1e40d096df149e0a563a2c6cb13e1a6d5f0f79bb7a8b4f75849375bd3cc727e2b7ba61142330af52d5b2f5fe0658d7ecaaf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3f09f62802ee0103dad1cc9f37c9a5d

SHA1
d218667d507664d1f9f9196cbb24b9b9bdfab0c2

SHA256
95be9930e4a4fbf27aa5a0a863b8f800d7c30cc671d507694b5ccca1c18b6318

SHA512
af36da42b00547320e56d43c0567e7ab19e2115c03aa2c40415ef55f36ef8cfb2d39ba66870e36728e6b9f381f847555e3279e9a2008b88a792e22e1537bcf8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42167dc9e84d036606047a31386eaae0

SHA1
a9539b9d228ce4c2194eca3b6bbd0f187632d1b4

SHA256
ec895f1c3ca1d431115adc0f1d748f1e477043a3d71b4c727ecd3a0bf55fbe18

SHA512
7d4375d75dd98534030c2d85e2f8bcec298c5aac19bf7b1795672c2c09391423aac304206574b1fce718fa56b938d610063f40e11db5ec122085bad43c39a08b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b7f8125ac7bca1353915d0068dd58f83

SHA1
33704fdbdf166a55dc9b96e03abcd3a79830491e

SHA256
158ea47cd13f98a79fb05abf8b2277a69ab511ef5ccb196d949a7f2ce2e1bd82

SHA512
8aea1931f571f1d291d496fc919236ab0186ad41ee54adc8e937dd0a683b139ab5e032f550492b9de05779a155c71710a37d6c03d1df803989056e02542912b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab70C0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar71B1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES.BMP

Filesize
2.3MB

MD5
536e14852dfc1654673f7cb46854bbc1

SHA1
ea41246e080b9084798005d1afdc5a0ec4375877

SHA256
8ae6de4fad1d9b165f230f8ae9e1e0a661bcb1900f9b1d11c3797761488b3a2c

SHA512
c36ed93c130ad50946e073f0db658e9eedd664bb71f0b855744e8066374d5e6fbe313555734bed71e5c6d6c12e31f77182876783da5ba4fbdaaf72e5d54734c9

Download Submit
\Users\Admin\AppData\Roaming\vcwhfs.exe

Filesize
260KB

MD5
b62587dc8304bbc9ce68d0e8098dcabb

SHA1
969c18c86fa5e97341ae09ea268f87c06a42d7f0

SHA256
03fa142c0153a5651371ebefc567bf9988338050f9c185e3b0dafdc0f5092744

SHA512
67fc72e78ad5ec2e0bf8eec50e478421d8a36834dffb963b943bb1d4ed31e991dca5a70b3edb783899e4595f17895089aff69b30918f5749e2c11752645b98cf

Download Submit
memory/1280-4312-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1992-1-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download
memory/1992-12-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1992-5-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/1992-0-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2852-4818-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2852-4494-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2852-4311-0x0000000004020000-0x0000000004022000-memory.dmp

Filesize
8KB

Download
memory/2852-3911-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2852-17-0x00000000026E0000-0x00000000026E4000-memory.dmp

Filesize
16KB

Download
memory/2852-13-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download