7007b16d76f879588fbbaef6ed77de0be778d38b09ace3740d50068937334dab

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe
Size

339KB
MD5

1449cdc2acb385e8326dfd0364e67d25
SHA1

27ec595e01e4c89fb17a895bced8b84871355df4
SHA256

7007b16d76f879588fbbaef6ed77de0be778d38b09ace3740d50068937334dab
SHA512

d660379a13c169ca0690a64cf5427d75ca71030e61bcc2795d6ddbd41d21028b453487c170db74303aa6c2c76d188272c8f6ad049ac4e579c6aaf738590d8c0b
SSDEEP

6144:Y9Jy1mYCrFLXOppiFWDKvZBjtgnbEufzKB/xL4lkY:YvyUYsXWpiVztebEWz+Z4eY

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_ljtvu.txt

Ransom Note

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://lk2gaflsgh.jgy658snfyfnvh.com/7ADE2A589D2A591 2. http://dg62wor94m.sdsfg834mfuuw.com/7ADE2A589D2A591 3. https://djdkduep62kz4nzx.onion.to/7ADE2A589D2A591 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: djdkduep62kz4nzx.onion/7ADE2A589D2A591 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://lk2gaflsgh.jgy658snfyfnvh.com/7ADE2A589D2A591 http://dg62wor94m.sdsfg834mfuuw.com/7ADE2A589D2A591 https://djdkduep62kz4nzx.onion.to/7ADE2A589D2A591 Your personal page (using TOR): djdkduep62kz4nzx.onion/7ADE2A589D2A591 Your personal identification number (if you open the site (or TOR 's) directly): 7ADE2A589D2A591

URLs

http://lk2gaflsgh.jgy658snfyfnvh.com/7ADE2A589D2A591

http://dg62wor94m.sdsfg834mfuuw.com/7ADE2A589D2A591

https://djdkduep62kz4nzx.onion.to/7ADE2A589D2A591

http://djdkduep62kz4nzx.onion/7ADE2A589D2A591

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_ljtvu.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> What happened  to your files? All of your files were protected by a strong encryption with RSA-2048 More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!! What do I do? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> 1.<a href="http://lk2gaflsgh.jgy658snfyfnvh.com/7ADE2A589D2A591" target="_blank">http://lk2gaflsgh.jgy658snfyfnvh.com/7ADE2A589D2A591</a> 2.<a href="http://dg62wor94m.sdsfg834mfuuw.com/7ADE2A589D2A591" target="_blank">http://dg62wor94m.sdsfg834mfuuw.com/7ADE2A589D2A591</a> 3.<a href="https://djdkduep62kz4nzx.onion.to/7ADE2A589D2A591" target="_blank">https://djdkduep62kz4nzx.onion.to/7ADE2A589D2A591</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr> 1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: djdkduep62kz4nzx.onion/7ADE2A589D2A591 4. Follow the instructions on the site.</div> IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href="http://lk2gaflsgh.jgy658snfyfnvh.com/7ADE2A589D2A591" target="_blank">http://lk2gaflsgh.jgy658snfyfnvh.com/7ADE2A589D2A591</a> <a href="http://dg62wor94m.sdsfg834mfuuw.com/7ADE2A589D2A591" target="_blank">http://dg62wor94m.sdsfg834mfuuw.com/7ADE2A589D2A591</a> <a href="https://djdkduep62kz4nzx.onion.to/7ADE2A589D2A591" target="_blank"> https://djdkduep62kz4nzx.onion.to/7ADE2A589D2A591</a> Your Personal PAGE (using TOR): djdkduep62kz4nzx.onion/7ADE2A589D2A591 Your personal code (if you open the site (or TOR 's) directly): 7ADE2A589D2A591 </div></div></center></body></html>

URLs

https://djdkduep62kz4nzx.onion.to/7ADE2A589D2A591</a>

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (363) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1132	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_ljtvu.html	vcwnfb.exe

Executes dropped EXE 1 IoCs

pid	Process
1756	vcwnfb.exe

Loads dropped DLL 1 IoCs

pid	Process
2696	VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C:\\Users\\Admin\\AppData\\Roaming\\vcwnfb.exe"	vcwnfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C"	vcwnfb.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png	vcwnfb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png	vcwnfb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv	vcwnfb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js	vcwnfb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css	vcwnfb.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js	vcwnfb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg	vcwnfb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak	vcwnfb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	vcwnfb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv	vcwnfb.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png	vcwnfb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png	vcwnfb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern.png	vcwnfb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png	vcwnfb.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg	vcwnfb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\picturePuzzle.js	vcwnfb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak	vcwnfb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\restore_files_ljtvu.txt	vcwnfb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\restore_files_ljtvu.html	vcwnfb.exe
File opened for modification	C:\Program Files\MSBuild\restore_files_ljtvu.txt	vcwnfb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2616	vssadmin.exe
3060	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8074b8fc22bbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000a8466e42d225844ac5dcaaf2cd7efab00000000020000000000106600000001000020000000731364be197471065b89c26bd4fe51f543b599f2711417f4838285f48927effd000000000e8000000002000020000000dcb6c8db6b83553bfca7d1c5a0da121543360808084b0c0ab427cae65e2b6384900000002663b3cf74c634bd203d226d1541f1eec9a4f506d4abf1625a8fbe657f22789864b6e91f1cb218ab8536ab4051718e558437bf10ce5d1591dfbdf894b5a4f4ebd3b74c39c0d675a6b7b4d0bf466d4287b835479b71e2f0dd36497c72b447225470d35a6fc35490a2bc3b1027ba04a20b9f6cdf8d067275aa5440aa88a4e91c94985de6ea5badc31ba36924cb87cc1ced4000000005673ef9649369ed667d6287a53de03da53badacd006939d57f3cb533dcd182b5f69eb98fe359dac40fcad4c669ac4329707ca6792e8018202e3aa561dfb5f38	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424178027"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27CC60A1-2716-11EF-AFF6-E61A8C993A67} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000a8466e42d225844ac5dcaaf2cd7efab00000000020000000000106600000001000020000000d39fde79ba172013d12dc2a54844fda4531cbb96c14d8dcef5d3b9d26e0ea94a000000000e8000000002000020000000f2a9877c1fd38fe4bfcc93acf64bf51002f55662dbb35462fa14f60f11bd65b820000000b41ccf36f16c1c5ab0880c8a969677faa023172dfe3f3c879802a5b0f07b648040000000de21e34a85193e7dc286722764e49b486c151120f1894342294bb488254eab82f9a7b65f44cda8a3f6bcde408cfd17c14413c2031e6ffb577545b48dc8208b6a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2764	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe
1756	vcwnfb.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe
Token: SeDebugPrivilege	1756	vcwnfb.exe
Token: SeBackupPrivilege	2416	vssvc.exe
Token: SeRestorePrivilege	2416	vssvc.exe
Token: SeAuditPrivilege	2416	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2908	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2908	iexplore.exe
2908	iexplore.exe
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1756	2696	VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe	28
PID 2696 wrote to memory of 1756	2696	VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe	28
PID 2696 wrote to memory of 1756	2696	VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe	28
PID 2696 wrote to memory of 1756	2696	VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe	28
PID 2696 wrote to memory of 1132	2696	VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe	29
PID 2696 wrote to memory of 1132	2696	VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe	29
PID 2696 wrote to memory of 1132	2696	VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe	29
PID 2696 wrote to memory of 1132	2696	VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe	29
PID 1756 wrote to memory of 2616	1756	vcwnfb.exe	31
PID 1756 wrote to memory of 2616	1756	vcwnfb.exe	31
PID 1756 wrote to memory of 2616	1756	vcwnfb.exe	31
PID 1756 wrote to memory of 2616	1756	vcwnfb.exe	31
PID 1756 wrote to memory of 2764	1756	vcwnfb.exe	39
PID 1756 wrote to memory of 2764	1756	vcwnfb.exe	39
PID 1756 wrote to memory of 2764	1756	vcwnfb.exe	39
PID 1756 wrote to memory of 2764	1756	vcwnfb.exe	39
PID 1756 wrote to memory of 2908	1756	vcwnfb.exe	40
PID 1756 wrote to memory of 2908	1756	vcwnfb.exe	40
PID 1756 wrote to memory of 2908	1756	vcwnfb.exe	40
PID 1756 wrote to memory of 2908	1756	vcwnfb.exe	40
PID 1756 wrote to memory of 3060	1756	vcwnfb.exe	41
PID 1756 wrote to memory of 3060	1756	vcwnfb.exe	41
PID 1756 wrote to memory of 3060	1756	vcwnfb.exe	41
PID 1756 wrote to memory of 3060	1756	vcwnfb.exe	41
PID 2908 wrote to memory of 2988	2908	iexplore.exe	43
PID 2908 wrote to memory of 2988	2908	iexplore.exe	43
PID 2908 wrote to memory of 2988	2908	iexplore.exe	43
PID 2908 wrote to memory of 2988	2908	iexplore.exe	43
PID 1756 wrote to memory of 2320	1756	vcwnfb.exe	45
PID 1756 wrote to memory of 2320	1756	vcwnfb.exe	45
PID 1756 wrote to memory of 2320	1756	vcwnfb.exe	45
PID 1756 wrote to memory of 2320	1756	vcwnfb.exe	45

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcwnfb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vcwnfb.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_1449cdc2acb385e8326dfd0364e67d25.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Roaming\vcwnfb.exe
  C:\Users\Admin\AppData\Roaming\vcwnfb.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1756
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2616
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2764
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2988
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwnfb.exe >> NUL
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:1132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_ljtvu.html

Filesize
4KB

MD5
26b3903b5ac494fe074453fa00cdb136

SHA1
7c1147ccc42086e8150f9bf40edd7ebe8b304953

SHA256
f39e444ddf6e4e52aaa69e3b01247880177558f4d97123f4c2117ee622b456ef

SHA512
6bb47c1ed625070faf4996e767480494d9803cd49fbb6d4713390251d95c37288fadee2004884c5f6c9006e2ffcf095d6ef269706235bc3a37dd0d1d224652c2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_ljtvu.txt

Filesize
2KB

MD5
6499637d0abba4d1de6dd16ae81a1c29

SHA1
1ab6237ed8ec8507553827d1fa3af789869ac172

SHA256
c046bcf814b28d4735b8b44a2e0aec41cf345864a5827a3db38bb515a0d3f4d0

SHA512
4b8da39f2cbeec103b41f88eafd766b99a53eb1e8c9a2fb837a1a1eeca65a5f831d149d56860eb02b60457dd7d9c2dd9631a8fb934640330948ac95da35b244c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f45424383d631b7c386568e7f0e7e037

SHA1
3fa4b837abf74cf8cdbc7c21f99215ba764d607b

SHA256
3159c0419015401e808da6cbd6c90140844dfafd153d85c7b2218affeed47f16

SHA512
77751fb3c18b4768ca20e18e4b4d3fc26d40b938b123b6b7a751a728b833d4819c475f4ca6afd1160e8bcdc2fa69bea6be7d0f04d81da50bb6ba35df652a6307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5433649c49db913e58cf3e6b84bba66f

SHA1
1b68bb887389e874e04a634ddee0948a04f8bc26

SHA256
71788dad7cfe0878864201f85f4da7fd8db9e93d6b9047d496bb1f88d16059bc

SHA512
7c426a166da0d7aa9c2b4c17a8253f04d2155375c53a7580d808bb0c90a1abd548309a8c38dba4ca7f17537de8a30b5fbc6e4b3cc176348d8f952710145f12a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e01c1c7e79c00194a4ee23c085abbd0

SHA1
ba633f1745a5d3606cbc977cf447bc1d38ff3e78

SHA256
00a0c63b2ee71f43f0fd9dd4768fbc401cd34214cfc7a3b2ea031964bc7ba2db

SHA512
e27190719db1c64b5ec38c89803f52e172d2cb1eca905153985bda60a291392248856c0e1023f1323f0ec193eb70c9a1edd0947c5de39c2f00dd5c940d5490cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54291d8859d191c38ffe65504c23cb67

SHA1
c70508ed87acfce5e3acdd71d69e16c7e5e6038f

SHA256
82c30b37281946f92941126554b878814b7a90a8b246542f595fbcce6dea168a

SHA512
31053aa358c19466aece615a467e54092e23b6d4a5bf48d68d5abab91b2fe9750925f7d0b8062cc4fe949b59252f641c4bc16759d00ead2421400918a2ed76c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42a11c511f3ac794251f4775e2a35550

SHA1
e5204d9485c50c3c8502e92685eaa2ec48529aeb

SHA256
432a3a230f957cc5d1b75d931ec1f27e45641e467b96d8b1879e28db334d551c

SHA512
bf804b39aaaa456cc1cd45d09a6e7928b44196a872dcf0fbae7e1d3b28d489c9f613cf8c6343914918bd0d803ff82fec9ef2649d79bd6d496e58424481971438

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
531cb5216ac54fd07e40f03e4849e253

SHA1
38d5523ce4ac868699472d42c96c682c20a7e2d0

SHA256
c2257224476f601f47534f70fcb804c97b8805fe347b6d00ef3a953982a050b5

SHA512
f62b12647625c84c501e541190a708ceb3d9e92e75d35dbdace4a49197b13131d5f59bc7928a2d9750cdea64966a61382a9928125aa3f8f3e500dee105dc6574

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af9746ce7e0eecb197226e6f65f1a974

SHA1
3d19539e1ba702818edaf49a0b710f90257da92d

SHA256
b87fa073bff6e0f704d0e2011c5df64637fde7b3ec84840ec871bbf07a5615af

SHA512
0e0c868c4b1485e643f3ebcff57685a9e46d7ceeda87ff652c473caa76b2064d899d915bc5710db05daebd0841783607bae5dd0f25bba42de5a6ff627fdedb13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfd35bc238f9e8022f2dd1127ea008f3

SHA1
9e0195066595441f2c431ec29b4031cc4c1535e3

SHA256
2751388f4a68c63d709ecf6d1fb3d1d01a27d1d32c7d8d2200e2e3f9f09afd44

SHA512
2e994ae6f06f512673dc01c73f33e683bc88802955961a267b1faaa6154d32fba24f92112743b48e0279828c54ee060b759482f49b463cafdb25f65d18612818

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb4897418ef5292256ee49019dc11d66

SHA1
b708eef4c7d8a7cd9650d41b12b05d339a06f30f

SHA256
3e69f11d356e85da8675e8fd4deff2fba236a4bf70fa6724062e4c5d395e6a49

SHA512
c402a84bad60bc9173f6421b095653e3bb90af34ba024dc658e71e1cbbc23437025db2bba5cedd6cae2cce161d2ffca674b739b052cfdc7ed7ea03a2f0cd9e29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9dac34d0465fab0f5153fdac0c459e6

SHA1
e7d04dff5d5cd2a8703849d2eb3ec70fb2abbb1e

SHA256
a603aef27a4639a73ce89de88cbb6f5722668c03f15aef6b90b442d84270f7dd

SHA512
0235d3cc577c99fb0e8ed367bb6d43b848030de9795193e6a9ae3afd1e0f86783657f1cd373d27b05738875d4e284ba6fcfe0dff2b44929ebf22821b72ecf6d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
715c1155e2f9767e6bf38e2243c51b3c

SHA1
e88880a801e13c80fc193924acb731773f6a35cd

SHA256
206e8d11a5b3bc7dc5bf16a9ec49ad3b7d7de39dd4fd38a0f64a2da4c81ab06e

SHA512
2526f0c052001f956e2f9d30c48c251624b34198e0e2eb333e8289511b160c432ac96c9f2871e583ca071cd9c5cab3dc4f81b3171831f0c21dafa6153f7dc715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb873c8bc6f770796e09d68d52f0c3e3

SHA1
1e6e2db4db79e48d1333a9c4fd0b1c2747d24af8

SHA256
eba25e7cba6a7074e56ea2a14e6bcb4a04c96d9505ab79ad5520a66641075a3b

SHA512
dbba337469e9874b37fe6f1971a21950e751b8924383ad010bfd96a434a44c91d30fd5bfb942aadd715a1080d5dd44cb62f7269a2ee36a495ad5e017cc314ecc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a27a0f1f655931db243b0f2044b515a

SHA1
13dd2dc7ceef842efb9da061bc90a16b36037a73

SHA256
934efa9c960a3f80c58953703df4c48f1f9cd73df69e08bede43fefec37d2e36

SHA512
04f02c6e96012f53015e5cbe34b1b2a0a6d746ed9256eb0287e80fa8a3cb4a0c56866a5f2aa52d1466e1d8e8d729e605e68cf1bfbb84704919b665f06eedcc2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f5b3aa1c16891f12df6305d9dade3af

SHA1
429f66bbc0708846484eff89efa5a55b613458ae

SHA256
df207c165e58e27a4a48bafe23abeeaa6436e333529c888abe914d5e6ad6fde2

SHA512
9170d09aa613be6755de01f7da0c71be78875ee6fb6a81451863dd0349f3ce3fd8d7ee07ecc33266d70fdcc220c6a48d43834823725078efcc1179d481a564ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15c907219ddef43f04d5e9169cadc5af

SHA1
1884631e505d4329b46a86a56628cc8ad0f60bd7

SHA256
57973393aed8d2912775cce5dce85af1a4f442a8f8ccb10e6611e9d17479f6f7

SHA512
460dbd42bbe1b07130513b7825ca68e49f456e3070ac5812acc3b9da1977e57d541ee0da200bc1fe91056ae1f8ccfc15e6703b06d975e560cde29a4c05eefc11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8d08eb78f9e3fd369bda905c4c99906

SHA1
81730216d67d1a005c7f01646cfe9b38465fea77

SHA256
2a551e3733cb332a1843ec317b6065865d778690ccbf7b0bf9dbaebca5fc992e

SHA512
4574ac1a22731c6cfd56b3617e1399647014f83568e5b63ccb2c227df5d75de02270231ee6dec89bd4516392929048e49a418114109f7c46a2b98272eb5dcd6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9855cc0ae60f802181cbdd729601e6bf

SHA1
878bedee306d187dd424d38fb96e4ab90c191e08

SHA256
e282d96a56172e9cf8f71cdf171a9641acf1b26d360716ed84be11db3f010ebb

SHA512
8147453c550609d57ac9e7365c97ba080a04f297bea58edcbbada56cf5cefed28acfddf2fb8bf6d5d2334091d25b8b2081ca6a9931341ed43a16d0efb517863d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebc6e61bce0e7a26785cd97e21cc1aff

SHA1
cfe985725e7c1c06fb9be5e617f10eb4081b6829

SHA256
54a100487a8fbdfdfdfc0b2f8ffdf4a311bf02335b203bdb2d489ae341ac650b

SHA512
41c209f729d8692a7ffb43bb65a89b64248ab58647504d449a0084bc48b440c2e0dde3bd847589f6b583527ae3443c77aa568b1147c65ff3daafa9f70618396a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8696e821b15347bb18ea86711fd3145d

SHA1
3defd068a4dc481cd78a3ce5863558ff26e06efe

SHA256
459cd850486f382da3652061364fa6cd96d0a458a68c9020d1f497701e99c1d2

SHA512
a2c5a726ef8cbc510ada3ece25e3170c49d72bc636cf954b25f2b1222efc427312f72e8f1f94fcdbe4cf49714c2ee069eb7db1f4ed58c15bfa435c6b8b4742f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47bc5bde769046d1f101d31bbaa4b850

SHA1
a6be9291dc9f6ae6c70b4c8c08add0a04b2bc533

SHA256
b759f235cc56c2208b7146f786e950f41dc3cea28e3673ef9d7f612f10150009

SHA512
93d1fad7da1cc58f3afd5205890ccd8f16627a900fd24be08d1bc31d58611c53874d8a3aaeaa8469bd8c342f96bec45e7159afe3e00d0c941d38c6251eaeac8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2000.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab211D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2150.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\vcwnfb.exe

Filesize
339KB

MD5
1449cdc2acb385e8326dfd0364e67d25

SHA1
27ec595e01e4c89fb17a895bced8b84871355df4

SHA256
7007b16d76f879588fbbaef6ed77de0be778d38b09ace3740d50068937334dab

SHA512
d660379a13c169ca0690a64cf5427d75ca71030e61bcc2795d6ddbd41d21028b453487c170db74303aa6c2c76d188272c8f6ad049ac4e579c6aaf738590d8c0b

Download Submit
memory/1756-778-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/1756-4577-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/1756-12-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/1756-17-0x0000000000250000-0x0000000000253000-memory.dmp

Filesize
12KB

Download
memory/1756-2049-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/1756-4070-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/1756-4101-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2696-0-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/2696-2-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download
memory/2696-5-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/2696-16-0x0000000000400000-0x00000000006E3000-memory.dmp

Filesize
2.9MB

Download