0db818ad2b03a8003c1b923985b3cd74ed82272205b3372796b192d2661824ac

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_c9ef69554082be3467df433a15e7ab45.exe
Size

321KB
MD5

c9ef69554082be3467df433a15e7ab45
SHA1

79c01bf85a712ddf6a4d54e9db281a8310a12c15
SHA256

0db818ad2b03a8003c1b923985b3cd74ed82272205b3372796b192d2661824ac
SHA512

13d818b734a9ee2d1cd2bda66ae6213f7fb7e9a74f0175ae37b85906816341e6224cdf1d5f57487e21b80d9782cee75db8acbd3752a303569fc8c6fa2598a4f9
SSDEEP

6144:cL42La41ctAaWLBbYcTDASiBdRIGt4MCZnsdbTo07BTT9OyIO:I42LasctABLBz/Udu04MEnsdbTo01VO8

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_smlkd.txt

Ransom Note

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://qw2234duoiyu.h2fyr6785jhdhfg.com/5C6A369C2E66856 2. http://awoeinf832as.wo49i277rnw.com/5C6A369C2E66856 3. https://kb63vhjuk3wh4ex7.onion.to/5C6A369C2E66856 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: kb63vhjuk3wh4ex7.onion/5C6A369C2E66856 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://qw2234duoiyu.h2fyr6785jhdhfg.com/5C6A369C2E66856 http://awoeinf832as.wo49i277rnw.com/5C6A369C2E66856 https://kb63vhjuk3wh4ex7.onion.to/5C6A369C2E66856 Your personal page (using TOR): kb63vhjuk3wh4ex7.onion/5C6A369C2E66856 Your personal identification number (if you open the site (or TOR 's) directly): 5C6A369C2E66856

URLs

http://qw2234duoiyu.h2fyr6785jhdhfg.com/5C6A369C2E66856

http://awoeinf832as.wo49i277rnw.com/5C6A369C2E66856

https://kb63vhjuk3wh4ex7.onion.to/5C6A369C2E66856

http://kb63vhjuk3wh4ex7.onion/5C6A369C2E66856

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_smlkd.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> What happened  to your files? All of your files were protected by a strong encryption with RSA-2048 More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!. What do I do? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> 1.<a href="http://qw2234duoiyu.h2fyr6785jhdhfg.com/5C6A369C2E66856" target="_blank">http://qw2234duoiyu.h2fyr6785jhdhfg.com/5C6A369C2E66856</a> 2.<a href="http://awoeinf832as.wo49i277rnw.com/5C6A369C2E66856" target="_blank">http://awoeinf832as.wo49i277rnw.com/5C6A369C2E66856</a> 3.<a href="https://kb63vhjuk3wh4ex7.onion.to/5C6A369C2E66856" target="_blank">https://kb63vhjuk3wh4ex7.onion.to/5C6A369C2E66856</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: kb63vhjuk3wh4ex7.onion/5C6A369C2E66856 4. Follow the instructions on the site.</div> IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href="http://qw2234duoiyu.h2fyr6785jhdhfg.com/5C6A369C2E66856" target="_blank">http://qw2234duoiyu.h2fyr6785jhdhfg.com/5C6A369C2E66856</a> <a href="http://awoeinf832as.wo49i277rnw.com/5C6A369C2E66856" target="_blank">http://awoeinf832as.wo49i277rnw.com/5C6A369C2E66856</a> <a href="https://kb63vhjuk3wh4ex7.onion.to/5C6A369C2E66856" target="_blank"> https://kb63vhjuk3wh4ex7.onion.to/5C6A369C2E66856</a> Your Personal PAGE (using TOR): kb63vhjuk3wh4ex7.onion/5C6A369C2E66856 Your personal code (if you open the site (or TOR 's) directly): 5C6A369C2E66856 </div></div></center></body></html>

URLs

https://kb63vhjuk3wh4ex7.onion.to/5C6A369C2E66856</a>

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (427) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2188	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_smlkd.html	vcwxtc.exe

Executes dropped EXE 1 IoCs

pid	Process
1564	vcwxtc.exe

Loads dropped DLL 1 IoCs

pid	Process
2904	VirusShare_c9ef69554082be3467df433a15e7ab45.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\vssadm = "C:\\Users\\Admin\\AppData\\Roaming\\vcwxtc.exe"	vcwxtc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vssadm = "C"	vcwxtc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png	vcwxtc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png	vcwxtc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_over.png	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png	vcwxtc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg	vcwxtc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	vcwxtc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\de-DE\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	vcwxtc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png	vcwxtc.exe
File opened for modification	C:\Program Files\Microsoft Games\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\RSSFeeds.css	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png	vcwxtc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv	vcwxtc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png	vcwxtc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	vcwxtc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png	vcwxtc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js	vcwxtc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png	vcwxtc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\restore_files_smlkd.html	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\restore_files_smlkd.txt	vcwxtc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\restore_files_smlkd.txt	vcwxtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2584	vssadmin.exe
288	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fb77a44c05810147b08a7c81f076238d00000000020000000000106600000001000020000000db130ee972e518f3a0d89196c469ae79a052ec64f3a7c8b541c7bdcefb875547000000000e800000000200002000000085af2f3f1ebf3a0c61dae7f8e45e09053d10b21748899f0168fcacf8e20afc2990000000fffc9cb2fa2c19a5215a576834f15309f7c4b49d0b67c3e3be3716348916fa112de09ee211e637184c16220eccf130cb7e59c19d6999e89883660a9bc2a79976e236114b7946f9e56a00e7b9b6ebc8e9f928e3365499c303ccf470c88120e687a28514f9cfb29ac188fb9f2e143e85a2149d1d44e3b801bd3499583ba6e35887aff095eeeaecfcfe3066efc570eab3ed400000003b274b0f2de90337fc48f42d7981300a86d492362717ea310d58d700b65cbbb67f09cb04c145eee94a9be6eb733dd4980ea696b8f3089adb7732a495c736ab82	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70b9850081bbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fb77a44c05810147b08a7c81f076238d00000000020000000000106600000001000020000000b6c5f78d0cb3cce2fa07ebb362b78d6392e529f3dac6c3b5f7e203d254bdead8000000000e80000000020000200000002af9a361c7c6cf281fb302b6c29b5eb00523bc8c6e661e0e0a11a76a213a7fa62000000064d85bdb8863bca7878af152c1b5171ea68c85539137f1c0f4143d662a22ef4f400000005ff3e172ae20de45ed43be1838e3e092d5b62ab16257ef3c816c076e6ed10caba40dda2662477bc9c91c96890e63273b305983948a6a14155a4e94f4ecf2ecba	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424218406"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2C1555A1-2774-11EF-80DF-F60046394256} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
332	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe
1564	vcwxtc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	VirusShare_c9ef69554082be3467df433a15e7ab45.exe
Token: SeDebugPrivilege	1564	vcwxtc.exe
Token: SeBackupPrivilege	2372	vssvc.exe
Token: SeRestorePrivilege	2372	vssvc.exe
Token: SeAuditPrivilege	2372	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2644	iexplore.exe
1604	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2644	iexplore.exe
2644	iexplore.exe
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1564	2904	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	28
PID 2904 wrote to memory of 1564	2904	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	28
PID 2904 wrote to memory of 1564	2904	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	28
PID 2904 wrote to memory of 1564	2904	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	28
PID 2904 wrote to memory of 2188	2904	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	29
PID 2904 wrote to memory of 2188	2904	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	29
PID 2904 wrote to memory of 2188	2904	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	29
PID 2904 wrote to memory of 2188	2904	VirusShare_c9ef69554082be3467df433a15e7ab45.exe	29
PID 1564 wrote to memory of 2584	1564	vcwxtc.exe	31
PID 1564 wrote to memory of 2584	1564	vcwxtc.exe	31
PID 1564 wrote to memory of 2584	1564	vcwxtc.exe	31
PID 1564 wrote to memory of 2584	1564	vcwxtc.exe	31
PID 1564 wrote to memory of 332	1564	vcwxtc.exe	37
PID 1564 wrote to memory of 332	1564	vcwxtc.exe	37
PID 1564 wrote to memory of 332	1564	vcwxtc.exe	37
PID 1564 wrote to memory of 332	1564	vcwxtc.exe	37
PID 1564 wrote to memory of 2644	1564	vcwxtc.exe	38
PID 1564 wrote to memory of 2644	1564	vcwxtc.exe	38
PID 1564 wrote to memory of 2644	1564	vcwxtc.exe	38
PID 1564 wrote to memory of 2644	1564	vcwxtc.exe	38
PID 2644 wrote to memory of 2880	2644	iexplore.exe	40
PID 2644 wrote to memory of 2880	2644	iexplore.exe	40
PID 2644 wrote to memory of 2880	2644	iexplore.exe	40
PID 2644 wrote to memory of 2880	2644	iexplore.exe	40
PID 1564 wrote to memory of 288	1564	vcwxtc.exe	41
PID 1564 wrote to memory of 288	1564	vcwxtc.exe	41
PID 1564 wrote to memory of 288	1564	vcwxtc.exe	41
PID 1564 wrote to memory of 288	1564	vcwxtc.exe	41
PID 1564 wrote to memory of 2008	1564	vcwxtc.exe	46
PID 1564 wrote to memory of 2008	1564	vcwxtc.exe	46
PID 1564 wrote to memory of 2008	1564	vcwxtc.exe	46
PID 1564 wrote to memory of 2008	1564	vcwxtc.exe	46

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vcwxtc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcwxtc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_c9ef69554082be3467df433a15e7ab45.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_c9ef69554082be3467df433a15e7ab45.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Roaming\vcwxtc.exe
  C:\Users\Admin\AppData\Roaming\vcwxtc.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1564
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2584
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:332
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2880
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwxtc.exe >> NUL
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_smlkd.html

Filesize
4KB

MD5
6cdf8a9780a219d6ce74083ee3f2d285

SHA1
c47bd2b835981516b9c369b4d48bd0081a595f9a

SHA256
9f81fa262176f9e3443017e0aae6aba3c746088df679123dc8c1f49385a0dee5

SHA512
17a8882d2ac4b0e456fc77d130f36ef8ea4125484361e2095ad510dc3f337fdfcfbf232d901befcb09337f78822b5ceab6e927bd8cd3942b2a70f8e513d465cc

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_smlkd.txt

Filesize
2KB

MD5
9e9f54af655e6a6b45dfab9498a0bfaa

SHA1
b6772ffd5678ec85f0f16c14cda58b85730fb75d

SHA256
2737b00992e7ca2515b45d754ff493e3b6637a68c73f66b2ab645e0a087d2fba

SHA512
3711d4337838d1b9f52670bf30da6b622ba2424106c57f98d081765619abf577c118f45d1651bc71235cef95c9f375ca70207ced0dc6efc4c5b789b525dec975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
367ecd59605b4eb5d5c8376be1a913bb

SHA1
250dd50863b292f0101befbe2dc7e373b2dcde15

SHA256
9f40c75ab9466ab95844236a83932e16b2cc2c892b22fc3c6619b8071028d850

SHA512
192e9c6f6ab524c97ea8918665eeb5459b9b96b80343225a5cd5157a9d7418f6035529c0dc4c4fe8174392c4a46732454d985d2f02e0528b2d7a0e301da62beb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e86f24c4dd2c1ccef3f83b2de7002cf2

SHA1
673909cb859256a47b6ce2d535ed19cfaac5ef70

SHA256
d6f004008e9576757281911a224f8687951644e466cc3bc48572f46fad6d52e0

SHA512
eaae6ad5c38e654e4a13933d275cc8d5184f3cbe1c2a91039a25ea925949342d829a2e4151cb715a2a49131aeb33ee007a88107acebdc5c958ab45911bc1d13c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d7512367bbdb71e846433885d6dd778

SHA1
ad6e1acf2b7824c6b58e28e6ee44069b125a8808

SHA256
fcbd69e5aa1ac512a43a2f75ae5eeadb07e5b03adab69b0a6136759621ef725a

SHA512
c2e6c07f215caa7b2f14a22d289df4b8f23176bfa134292e74c1e8c2cf38f281a5a07d1a28287a6e91cab9a4a0622a7cb26c91c3ae90099c0cfb01220ae84472

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0aa95f5b588e59f58725699e234ba995

SHA1
b981cc87aac5ca8aa31e8c6467965fe9c408816f

SHA256
e17da3620c039e1e53b30dc3c6a584603ec7a8ec0f973e4bf0c532a770e7e830

SHA512
b5d673ef7a20068ba5db2eab58328332a0ce193e6749de7b27f88060c01a5100b5d0fd60460a991971937e4866648cc4b65c0295104ed4af8fa321767288ce92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebe1de0858e559f00f63a94f247b3553

SHA1
75c91d454c1c6a51ec661fcf49eb095910b92ea3

SHA256
e297451d49bd7cffb5344dee8b9c9cf0c25a636a278a14b85aefe164e5072ece

SHA512
fc1291d73ede66dbc1607b87fe156a99387c490fc1776d58ffb4f3ad64e20c21f0d2beb270a0ca5305820cd2468d7f39a4868d7cc3271e974da292cbd09b011f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f7b357b439971bd1da318d83cb40dec

SHA1
0198db1600d402faf7b7772177e48252263d6cd3

SHA256
e8a1825924bf6c0ca468a78dbabaf95ecf1957a96a9f1fb5b7716db6bea6bcb4

SHA512
7289e65e25d262de696d132e2c928ccbf18c0454bc02a04aeac28a48cb3709407d6ddbd64e4e3556000d78cd6c1195ce80ca93de58990175f865af04e72f4c5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88a55c85381815f73cf68c426d3edcad

SHA1
6bb871e2736014ca7d69b4cb9f8be973b2e1f37d

SHA256
41d36823c47cdc01917e719d14d9b8fb6c47184ea03d24db1e08366019406ad9

SHA512
eb5aec67d26f92eceef69f6608279edf85b2bd39357902b72aa789e922236cba5581100f77f66375c04145e6fb532211a4f91cd30e5bd83c891b8f89288c051c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d4af9db45bb2f67793a0cbd5c8c93b6

SHA1
27da09079f44d40b760073b6bf1083895a5129a4

SHA256
dff074c309009e34bf2789d6da498c0e39ad79d2d9bed1e20d6b4b6996ee1fca

SHA512
1d0c77649ade8c24089e9bb5ee6fc43d5e25d9d395dedc957ad9c2eb1ec983850e2da056d03e162ee0ad6ab44812d025106fa9795217d54217308f42c7afa453

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
312f3776e6e6a9be91aebf75c66c7a9a

SHA1
b82c108c3ebb97eef42641a3091b6144223e4916

SHA256
02768c07f70af510666cf3d1aba358054511f1a5ecf869722ab093a646dbd918

SHA512
bde174ddd0e2149243ce467550605c3e4bafce10ed4a054344bba9ce8198bf7e556dd13fd5e37c1a9360ed92f85cd0ab8ccb1601b197a958ed393e8c6f49f116

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6d989b7597801b778d8042ee363a58b

SHA1
ff36bfbb493a68487e206cb57271602fb95e5450

SHA256
4821d58beba120488cd77ed6b9e7bd5d0682001a6c99fe1cf5da452cda91b071

SHA512
d94e72c1f96297091f85a8afe5398c963d295f1286d213ed320e3cf4610ae6be442c6d6b225352bd55ba43b434c604007b229640b3ce4f8d4b9e596369e5bcd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd2aae7d39c9d957594b5bd503f6fea9

SHA1
8c611e9dc3085da63588263128924d70526da58c

SHA256
5e1bd6adb2108485e43c672dd630c9c87f04a94e9eae4b037198082b6d80a1f2

SHA512
4e7f556aa674be635079f4b27a9a1215bd0ac2c956cb1a036e59330b620d1838fe78a331d10fe1c97e46cb4243f41762b6691d7a83271b9e5d3f1631c6da9ff7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eeb198b8091ea9b368d5fb69a10adb9d

SHA1
cb0818e7732678b8b6640b96566945add15a2411

SHA256
14b4899e18d0da77ef09cf90753d09f399fd1b9996e6c6ac62aa44e2f7a8b539

SHA512
bb0555fa57afd7bd348622779624af4a7d1ebc4be9968bcda72326d3e060d2de10a44ad9ed1fb98016148a202866f79e60c40f0c574a667feff92fdb0cf839e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44335ab5728c3e32fe7cc0128e47dd38

SHA1
d9f0fe1ddf4b2dc9816acb7043b8975d796fa17e

SHA256
53e3a963e0b22197422980da41614690bcbc670c049796e35ed8b7a292678ded

SHA512
7d6220319365d75d754dd18f954a2f13acab5a067c09de5ddff13d278b5c6965626cd65de6b91ec1d31825783ff8e64610a8c157b26b5a9c62faae815a76b126

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12327ec1a2651bdd5b0dc65e47bd5402

SHA1
413e712e0ee109cee55da517118a982d94c66da8

SHA256
8a1038187c9a5f17df4eb42e06a3cd4cd097901edbf837ca2582e01365ee912b

SHA512
1ac25b4326926e1f76ccb1108ff3fa0db3783c2f79b995243d3a093e25ba4e15d1303d25919de1135312cb14557afd4873c316f5642b50708248bf244b529b12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78188c655daa6b81e733bd29a4d9b41a

SHA1
249748369f9722979b0e0a93fd0d628ad0a7e3f3

SHA256
28ff8151ebae83f648aec28999078413401d2b0c9bfdefcc606f47fb012d0d30

SHA512
7f1bf53b951dcfb6cdcb45e4bf48aa91c8cd6e1acd6d19d84504a8f19b262c6be729bd4e0fe7dbd2d53977009dfa63c48ce8d86886451d8382c3c3ee9d992405

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b965563b9b58c88080dd8b8e8c476d9

SHA1
1913587fbf01a204607173b6c30fa1784a692d4c

SHA256
051ea5123aee6a3bce260ff164a17a94b74bcfe068be934718c1ebb702782c80

SHA512
1ccbaae19f6b1946aa2b628f65c5b78a536165f8b8fc533313c9b1333339a86f676e39a8431f6ec08f22afa8b3a3d81441d2f62b65c5551170968fc73d3b724a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71c437a9431adc11f1d97b76be40970a

SHA1
97c8d25fb1400a0da5bee77577291c247ac80396

SHA256
1e502e694ed9cc463d68a422a6dbc63a024985ecff55235dd632f21d59d8865a

SHA512
1b6f3924d8f9efec2e2171d1175f2069e8002ad1e11c9cc67b2fd412f640066ba2331e679da9776bfeb06290558e2a7e71ab400d453c595ecb07a7261d404c6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf1ce53285ea39ccd9a17300ee37bd86

SHA1
c4179d9d369724b4209552a25cf0c7d7077ac7e7

SHA256
4753b8f75306905e4a05117f9b1157d05f705ab449d7d61456826afd43ac6768

SHA512
27a269189f61e09879f0936ddf3a405ac3b8201edf74452521a473b4e97a98490f269f82ac5f0255f421b09e9f8caef6cb024eb1c3023882a3c9c603fce81854

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a6c3546321e858e8ee5a7caab8e332a

SHA1
da0d0f90e95019c58c0ab3844215c2a3e51bf1b1

SHA256
72ea84c537af091c6db6374ad3e0dfd1dcc661667016fbcb73d123bf2c2832ad

SHA512
f2cfa963159f878e719c64a186d13a315b20ef431ade64237f44a5663e2ffda04d029b56b22fc5d834999b664394c33c8bf46980ca907a995f5301ce40d7dbd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d19695381f316c7a0ca2b4ff09c75a0a

SHA1
6b135c0b80d12b5ae7651d3f4300791d28aaec4d

SHA256
d84dd1e41cf7df12ad37c33cc016069930b4efdd32a0c0aae2e53107b0a4c0c1

SHA512
770670259772d18f80f78c2327b9b508da8f3835b08373e0c3a56cea8fa2c66ca93318df048f6d83340170f40fb56ceecc7dd6fb2716bb9bb05827e83f7e926e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0a469087eb300a66d8cb490d17a547a7

SHA1
711bc8728a1a16357e5c39ac4f2b2545b25e5425

SHA256
ec441c8c015fecae27413a851ba244056712cdb8fbb1d75b62506f645619bde3

SHA512
484357b9c730be5951636b5cdd8ff99f465458efdd99df526f0ac630d9b77f48f86292e5185cbd92d23f427d767e78e7fc2941b54c561a0326034ed8b772cd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab71B9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar72AB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES.BMP

Filesize
2.3MB

MD5
df820c4374474666271a73132de656dc

SHA1
84962b7acf08f6822e6e7564f1f89ebdac1dd27f

SHA256
4ac01d60532587964d88d26fdec43945e9fa318493e63e6fedd6ae982342d230

SHA512
e3bd2894364245f985009ffd914cb67d86686d1e66bd568f2b91ace30be4d4d42038dc16ec266fed374390c1d2814a50eeff80924495b4d8440196af75849b26

Download Submit
\Users\Admin\AppData\Roaming\vcwxtc.exe

Filesize
321KB

MD5
c9ef69554082be3467df433a15e7ab45

SHA1
79c01bf85a712ddf6a4d54e9db281a8310a12c15

SHA256
0db818ad2b03a8003c1b923985b3cd74ed82272205b3372796b192d2661824ac

SHA512
13d818b734a9ee2d1cd2bda66ae6213f7fb7e9a74f0175ae37b85906816341e6224cdf1d5f57487e21b80d9782cee75db8acbd3752a303569fc8c6fa2598a4f9

Download Submit
memory/1564-4307-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/1564-4840-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/1564-4303-0x0000000002B90000-0x0000000002B92000-memory.dmp

Filesize
8KB

Download
memory/1564-3109-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/1564-17-0x0000000000320000-0x0000000000324000-memory.dmp

Filesize
16KB

Download
memory/1564-13-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/1564-5365-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/1604-4305-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2904-0-0x00000000002B0000-0x00000000002B3000-memory.dmp

Filesize
12KB

Download
memory/2904-5-0x00000000002C0000-0x00000000002C4000-memory.dmp

Filesize
16KB

Download
memory/2904-1-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/2904-11-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download