90bd8c1f54522db5821ff3ed670531f50e88ec61ce1ab3b5f9c9477cebd79ff3

Analysis

max time kernel
145s
max time network
138s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe
Size

309KB
MD5

1fca02c9b41ca8164dcbe5624a925036
SHA1

a65d2fdbea2f21772adae110ef03eb187bc0fdac
SHA256

90bd8c1f54522db5821ff3ed670531f50e88ec61ce1ab3b5f9c9477cebd79ff3
SHA512

423cbe37adf1f7f7ae610d0097368109a4ea767bd58cfd013f6afdbe54d34f430fa6c9287909b99d7177902f97f411e2e1b3c6c3eef8acd7c72a6630e377f2a8
SSDEEP

6144:KXWVWipoUM2rSBnr5XdsM9ZWYXOqJsVup/sO3z+WuLY:KiWimUxrUrZxmuOq6VupX40

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_evpeg.txt

Ransom Note

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://lk2gaflsgh.jgy658snfyfnvh.com/F5CEE7156A8C37B 2. http://dg62wor94m.sdsfg834mfuuw.com/F5CEE7156A8C37B 3. https://djdkduep62kz4nzx.onion.to/F5CEE7156A8C37B If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: djdkduep62kz4nzx.onion/F5CEE7156A8C37B 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://lk2gaflsgh.jgy658snfyfnvh.com/F5CEE7156A8C37B http://dg62wor94m.sdsfg834mfuuw.com/F5CEE7156A8C37B https://djdkduep62kz4nzx.onion.to/F5CEE7156A8C37B Your personal page (using TOR): djdkduep62kz4nzx.onion/F5CEE7156A8C37B Your personal identification number (if you open the site (or TOR 's) directly): F5CEE7156A8C37B

URLs

http://lk2gaflsgh.jgy658snfyfnvh.com/F5CEE7156A8C37B

http://dg62wor94m.sdsfg834mfuuw.com/F5CEE7156A8C37B

https://djdkduep62kz4nzx.onion.to/F5CEE7156A8C37B

http://djdkduep62kz4nzx.onion/F5CEE7156A8C37B

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_evpeg.html

Ransom Note

<html>  <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;">  <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> What happened  to your files? All of your files were protected by a strong encryption with RSA-2048 More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!! What do I do? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> 1.<a href="http://lk2gaflsgh.jgy658snfyfnvh.com/F5CEE7156A8C37B" target="_blank">http://lk2gaflsgh.jgy658snfyfnvh.com/F5CEE7156A8C37B</a> 2.<a href="http://dg62wor94m.sdsfg834mfuuw.com/F5CEE7156A8C37B" target="_blank">http://dg62wor94m.sdsfg834mfuuw.com/F5CEE7156A8C37B</a> 3.<a href="https://djdkduep62kz4nzx.onion.to/F5CEE7156A8C37B" target="_blank">https://djdkduep62kz4nzx.onion.to/F5CEE7156A8C37B</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr> 1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: djdkduep62kz4nzx.onion/F5CEE7156A8C37B 4. Follow the instructions on the site.</div> IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href="http://lk2gaflsgh.jgy658snfyfnvh.com/F5CEE7156A8C37B" target="_blank">http://lk2gaflsgh.jgy658snfyfnvh.com/F5CEE7156A8C37B</a> <a href="http://dg62wor94m.sdsfg834mfuuw.com/F5CEE7156A8C37B" target="_blank">http://dg62wor94m.sdsfg834mfuuw.com/F5CEE7156A8C37B</a> <a href="https://djdkduep62kz4nzx.onion.to/F5CEE7156A8C37B" target="_blank"> https://djdkduep62kz4nzx.onion.to/F5CEE7156A8C37B</a> Your Personal PAGE (using TOR): djdkduep62kz4nzx.onion/F5CEE7156A8C37B Your personal code (if you open the site (or TOR 's) directly): F5CEE7156A8C37B </div></div></center></body></html>

URLs

https://djdkduep62kz4nzx.onion.to/F5CEE7156A8C37B</a>

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (431) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_evpeg.html	vcwxqt.exe

Executes dropped EXE 1 IoCs

pid	Process
2936	vcwxqt.exe

Loads dropped DLL 1 IoCs

pid	Process
2976	VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C:\\Users\\Admin\\AppData\\Roaming\\vcwxqt.exe"	vcwxqt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C"	vcwxqt.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	vcwxqt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv	vcwxqt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css	vcwxqt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	vcwxqt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv	vcwxqt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png	vcwxqt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png	vcwxqt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Common Files\System\ado\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	vcwxqt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css	vcwxqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\picturePuzzle.css	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\RSSFeeds.css	vcwxqt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png	vcwxqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\restore_files_evpeg.html	vcwxqt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\restore_files_evpeg.txt	vcwxqt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\restore_files_evpeg.html	vcwxqt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2672	vssadmin.exe
1680	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000ea83bce98b82754c362cb6273d399ee56a82d0f1ed4559451813fb743adf4b96000000000e800000000200002000000012b7357890fa87b7051165f5557be044de0737387867294454afe2172d633ea4200000008bb882eb1ab64a792e9c37df9a72c1b87ab261aef1c2212b8a602d1bfd5192584000000006e4d6494432af465d7a466a4207b0fc0a84b8a5cd6b2f85febebb8a631f3868d6ffa1db67da223a422853c43637b900a7470a3e208bcccff3fb60fbc2910411	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424178209"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000008b3ac936b723bb6c833e9dee52fc20c063e8ab0e629e0d0f9618b8350c4740a5000000000e8000000002000020000000973209cd244fee30248dca1606c234d74d4c7a5b4e63099225c72336b93a8223900000002fd6a3fb5a929de130c4fdbb93df794e434ab7a1fc7d612d024120954693330b6e2a6ba44050cadc33fa0930a6d6ddb0e47c915d4afbed8a343f63179f7cb5992f4bd1a667d4167b4780e7a4c567d0f46da1ad8dea63dab5126baecdaf177b1b78d263b3841b67cd0bc5d7fce22b0a357381532dffd31305937b928add69f2be5ae0936f47e314cf0b443e7be0cf14d840000000b01fa4d22e7484bd85970d2410c90f9a048888a311c56c645d26313c159f7f5df124781da8d3d82783d546e5d39f8e02cb6625d692e42dbcaea80b54c838327a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9557ED11-2716-11EF-8C93-DEECE6B0C1A4} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3078e26923bbda01	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2636	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe
2936	vcwxqt.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe
Token: SeDebugPrivilege	2936	vcwxqt.exe
Token: SeBackupPrivilege	2592	vssvc.exe
Token: SeRestorePrivilege	2592	vssvc.exe
Token: SeAuditPrivilege	2592	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3040	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3040	iexplore.exe
3040	iexplore.exe
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2936	2976	VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe	28
PID 2976 wrote to memory of 2936	2976	VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe	28
PID 2976 wrote to memory of 2936	2976	VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe	28
PID 2976 wrote to memory of 2936	2976	VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe	28
PID 2976 wrote to memory of 2560	2976	VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe	29
PID 2976 wrote to memory of 2560	2976	VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe	29
PID 2976 wrote to memory of 2560	2976	VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe	29
PID 2976 wrote to memory of 2560	2976	VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe	29
PID 2936 wrote to memory of 2672	2936	vcwxqt.exe	31
PID 2936 wrote to memory of 2672	2936	vcwxqt.exe	31
PID 2936 wrote to memory of 2672	2936	vcwxqt.exe	31
PID 2936 wrote to memory of 2672	2936	vcwxqt.exe	31
PID 2936 wrote to memory of 2636	2936	vcwxqt.exe	37
PID 2936 wrote to memory of 2636	2936	vcwxqt.exe	37
PID 2936 wrote to memory of 2636	2936	vcwxqt.exe	37
PID 2936 wrote to memory of 2636	2936	vcwxqt.exe	37
PID 2936 wrote to memory of 3040	2936	vcwxqt.exe	38
PID 2936 wrote to memory of 3040	2936	vcwxqt.exe	38
PID 2936 wrote to memory of 3040	2936	vcwxqt.exe	38
PID 2936 wrote to memory of 3040	2936	vcwxqt.exe	38
PID 2936 wrote to memory of 1680	2936	vcwxqt.exe	39
PID 2936 wrote to memory of 1680	2936	vcwxqt.exe	39
PID 2936 wrote to memory of 1680	2936	vcwxqt.exe	39
PID 2936 wrote to memory of 1680	2936	vcwxqt.exe	39
PID 3040 wrote to memory of 1704	3040	iexplore.exe	41
PID 3040 wrote to memory of 1704	3040	iexplore.exe	41
PID 3040 wrote to memory of 1704	3040	iexplore.exe	41
PID 3040 wrote to memory of 1704	3040	iexplore.exe	41
PID 2936 wrote to memory of 2012	2936	vcwxqt.exe	45
PID 2936 wrote to memory of 2012	2936	vcwxqt.exe	45
PID 2936 wrote to memory of 2012	2936	vcwxqt.exe	45
PID 2936 wrote to memory of 2012	2936	vcwxqt.exe	45

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcwxqt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vcwxqt.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_1fca02c9b41ca8164dcbe5624a925036.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Roaming\vcwxqt.exe
  C:\Users\Admin\AppData\Roaming\vcwxqt.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2936
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2672
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2636
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1704
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwxqt.exe >> NUL
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_evpeg.html

Filesize
4KB

MD5
094a6257b7495cb7e41e6717fde86e91

SHA1
112d44352583f3402c46242c5d4b5126b8773f3f

SHA256
1a8ba690393498e4196453d051e09188f86ffc3faef9f4fbaa212eda29aecf50

SHA512
6eb039197c981ea971b87aa1ceeaf69e69e774945ec233af99d3f20e016295b112c613c2e34512a864b574e8b1eba7fa9b0319494a47ef8b98c3bb704ec3c7a7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_evpeg.txt

Filesize
2KB

MD5
b5f4e8d68fb7bc632220ccdc57cae90b

SHA1
6afc66d066cfb456a6373e13dd325031906456b4

SHA256
f6b2cb1bd58540d11cf6b33c1ab05ac887408603fcf58ab70fca62e4ea2a6503

SHA512
df3bf0e138ea7efb6fabe5682284bf3ae11553da3ce7e64672728490acf3547dc3c6c100d18d9c4d5e0632c4184f29589b453f5c0230bce48475bf235d526064

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ab73067aa867e8d9d290fbfd0e805b3

SHA1
4458ed324b933e3d4b181c2448dd42486e903a39

SHA256
12b072d3fb931dbc88e09bb2b271f7148f5e5ac55f213e908371bb4bdbdcbf34

SHA512
e0a3298af3adf8cbd4fe1861ca10178e8879c4851227061a7c92855c5f35432c0e1981c1f6e02dfed694bc68bd0d6b73d32ea8ce6667979893b512a070310a3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86c2ecf66514b212b66582264d458933

SHA1
f9549f9f2ebf0e07eda9c136033e8e69ef2f852e

SHA256
492c5859a5c76f38cad1b891bbfcbb53975e6aec022c9feb0861c6382bc5ae02

SHA512
5115d03f5ffcc02b556581dfe44df44375212fb886c17c046304a099e481b43bbc5771b6b62ff2ac112c93cf770a27debaf03abcbd5b51262fb9b4685e0e82ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95637348fc383b30b98fd6bd11be2738

SHA1
87edb61769dd16f64f0a6d579a8eb7a47f726af5

SHA256
25c0f2fd9aada342a2aa069cdcb4afd81a5d7f78d88af3e2e1cdbb583f53c4e4

SHA512
a04cf698127e219b6d035e96b03f14c35ecf0adf552a38dd6ed5957d3562669fddb272b32bf1d3a57e88318f0e1c5d185c05d103e09fb36ebbf10f19a1b01d29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
274a20a9cd82789f3fd778b33f8fca88

SHA1
2c5b7a8a0f0f75a8e4aa41b1520eacb2fe03ffd0

SHA256
069be97a3b89ada52f249268d7d1bddfdc65bd4dbbfd5536fb9cd8e88a121fc7

SHA512
f107bd9010f6419b7dbb29cf8dae71d689339b2d9dd05d44b95c2069deec76124bab9441f386cf8fea7ea9981aefaa374e9f9d80c78440209e40f52fb283561d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8c4682fe39df65c98ae812133b172bc

SHA1
b7ce76a1d9ed9f7f020e0e2d8d37b4082219b0e0

SHA256
9a25fa92ad79fe3edf69ff149b81646fcba01f52bcfe924456001be02bf420a7

SHA512
b6763e51e452018f34dc24443c522486499bc13ad0e3132d979192bcc19fecc5afdcf507b7a5589b81ef99431b249cdb1fa68abbe85d4cfdea342305a4430503

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
442a98003e0314f7c93851c0f4eefc2b

SHA1
4ad6665bfcbc03676525bed8ad3f7d4bcfd9d983

SHA256
9f5f9faf5207d6a77625f4915ab7c6358023ba0c00003164dbe5af0225639c40

SHA512
8bed73659e4b2d8a9971249bbac50953f59478c9b89f99fc19d42abb425c6ad475bb917a8130b9e7d61acc25d951b70f14ea08d81651bf79e7dbf747e95195f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6201178792fd74880c01d805be97a6b9

SHA1
97f2139c63859d417c8865257b671b8d755e228a

SHA256
5e7aa97a07cedcbb8a34cb1519f8feaa299bcfa44e35baf6a5f2638770b819b0

SHA512
bde1f633d576e280cacb3e5919139e8f98964e84f8bb37bc62785630d67022363600ca5ba877179cab88862abb6aebd381d73232c6d719b68fde7a678795c7d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c177f6d15bb721311f441c2103317808

SHA1
8640bc47a7c97b2796d271d485af04a049aa780a

SHA256
04c16fc8b63d2191d1a1781f3c75abf043c477632e705160c4582c14ba4e6dae

SHA512
05e7f4f8f81fc19dbeb03d7dc970dcc8ce08af7668962210d11c5298cf96a3b36dbec0cb2c53ab81f0bf9b236e9722638bf30f1c2c80c6143757a3cc2f7fac43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05bb5fdc41b59411112b330c7904e7f3

SHA1
70fef95c69a94a5c24e03b47949cf7e21e32af17

SHA256
bfcebda10d50c73ab3e0a6311471cddd6a5bca7e1c927d933a37540e2b5de97e

SHA512
19c38f188da8ece04ee4c894060e6d45cd2fdb0181b1aad73ac0f5ed56c0ff73f2a5843b780f27f2c9eadd9bc6b850c07094d6e9359a64bb00469da769f0ba56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1b86eb433b56a0a163dc4226da0cec2

SHA1
aaa705140fb1b9ed6eedf81bec7026b641ba8106

SHA256
e586b7e97b1d7b273661aec87275d51b1449401820bec81075df9e93a3883949

SHA512
1690917c4babc42307382591877dada24a2cf296f794803d895d109282285d18465074e662c4b64ed890eef28e899a6f8b0b0bc111315a48672b12c9416b5482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd8f99255fe1f95dd800918b9daabb1f

SHA1
d6119881c97fe745c76376e643cb0362d8343dee

SHA256
ecac30e91d23a64607f0cd2870259c836294bdaf8733823bb3ddf195e4c20e18

SHA512
2e737d9bf9f643248314da52a8b8f7cd6b7f0257ae9b28c7f5a17a5c6b610ed007233f490f39ed06eee644c14ea5de5aa97527958c7fa61704e034923ff7bad0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4f574cba0711bb862d0516f47a74763

SHA1
6edee955fe600c16ccf7379701152621c691f052

SHA256
06b6f8a181ad66d4d8be8767959b0f27e83d02be470a118a587b5e45cbb03fb6

SHA512
ee5ef16aeef187de363bb7047579a7f562f2f7c94193fb76f908cd583c37ab621e3da387fcfbcc2bcf206e22261bf40fe0efed176c69117cf6b38858ea864f45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91f1eacf0af14b6d28e20e2509a461fd

SHA1
1063fe2dd39737614618803bf086f27bb7b6c635

SHA256
3f8a93db86f9eecb8dd3d91627f834bd433cb28e90ddb650d02d9e96b638cfae

SHA512
df6235f823ea93b06d9c926f37a83b7de624d7c72bf550da72fd36890f498aad4698a9babcb8ad96e057e0b3363ed01795df47f495582665925fbc410860d157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f63f1fb0b5c4568312f8d6ae66029b8

SHA1
8b1df93979fafb35275165eb22e98af73dccba95

SHA256
d750114c3f8db3aaa1842c10579ffbda93611c5b2638f07412cdfafd5328cb28

SHA512
cbb870c5c783313806b85127742cc326b69cb38f16470ec17cbe170348f9fbbb8a02275b2600b99c6e1b2f5d4fc17014cbb42dc5b50dd7751d60224af39d7406

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45b52e3d7384eb9e5eb26a145bb2f253

SHA1
78c35d1dbdd494943c354afe21af545e7dba9462

SHA256
1e94adc5d15d4fd0478a2a0665993ddc61fdd965ebecb12c95ebfb4bf2495df2

SHA512
119296e02c3d7a51069cc7288cd8c51a5aac14e959551aa9b4ba4d9747434fb07f020458f27bbf612e5a53993d5a702b41e1c4a3a0f0d22a510bbc9936714841

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba61ffbb2ee132541e77e94a9e7da7ae

SHA1
15886bb23e9b88da8f59f15b96bf3171c7e7199a

SHA256
60bddcf9ea91b165b745654e4688d4bd25e6a2ed8aec8c7c9299ddadd46ca747

SHA512
883d057f64dd918405252aed804f375c4af44ae82f0587201d6a8c30753617f3c4f0b8b4e278a04c5bfdcc1b57c1254c40a9e0cac7a68f503901f1cb7c815d78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8ebfb508b7f903d4fbf6450a39cf319

SHA1
13bcd7df1196afd6a7ff8d0db47040d4c658e23f

SHA256
7150967fa6134507690b47ecb400231378545cb5ebe22827ab478965468912ae

SHA512
972be7316b1232ccee7ab3cc7b5120b39c4139c1466ef2220fa22247532b6e5a17dd8171929749f3883e256090d41a3316998a0ef4ebd576074552067706a255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d0ffd9dd2b95ba9e3897bf2ac0f353e

SHA1
73fed79ca23171d64d590ef5ac6e01ec17be7b41

SHA256
3fda8ffb9272dd2a2b0440ef7b8098d1a4b2c5222181769ea089c4bfbfffab79

SHA512
825e1c4829c4ac45088c13a00d04a292e16946a9b6bb6c2ca0586b130037854fd70c8cd703786405d9e1a0d483fc66ce2b68150980f16d44de49e7e9c4395b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab69BE.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6A90.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\vcwxqt.exe

Filesize
309KB

MD5
1fca02c9b41ca8164dcbe5624a925036

SHA1
a65d2fdbea2f21772adae110ef03eb187bc0fdac

SHA256
90bd8c1f54522db5821ff3ed670531f50e88ec61ce1ab3b5f9c9477cebd79ff3

SHA512
423cbe37adf1f7f7ae610d0097368109a4ea767bd58cfd013f6afdbe54d34f430fa6c9287909b99d7177902f97f411e2e1b3c6c3eef8acd7c72a6630e377f2a8

Download Submit
memory/2936-4339-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2936-15-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/2936-4824-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2936-11-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2936-5313-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2976-14-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2976-1-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2976-0-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2976-4-0x0000000000250000-0x0000000000253000-memory.dmp

Filesize
12KB

Download