To the powers that be,
I recently had a client get infected with a variant of Cryptowall. During my virus removal in safe mode using ESET and Malwarebytes, it appears Malwarebytes came upon the .exe that caused the virus. It was a randomly named .exe in the temp folder of the user that got infected; the name is 7 random numbers long. I enabled "show file extensions" on said file and renamed it to .pdf, removing the .exe. I have it in an aptly named folder, not to be touched, and it's sitting there.
Is anyone interested in looking at it? I believe it's a V3 variant based on what I read in the Crypto Wall readme on the website here. It's slightly awesome, to me, because I can almost trace the exact moment the user caused the virus this time. So many times I haven't been able to do this. I can see them logging in, open Outlook, and then I see the silent VSS admin wipe command 10 minutes later. The command appears to error out, however.
Is there anything further in the event logs I can check for activity from this virus?
Would you like a copy of the messages that were created in the process? The HELP_DECRYPT files?
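The post above describes reconstructing the infection timeline from the event logs (logon, Outlook, then the quiet shadow-copy deletion about 10 minutes later). As an added example, not code from the poster or from any forum reply, the following PowerShell sweeps the same logs for that activity on the affected machine. It assumes process-creation auditing (Security event 4688) is turned on, ideally with command-line logging so the vssadmin arguments are recorded; it checks for a Sysmon log only if one exists; the date window and the regex of suspicious tools are assumptions you should adjust to the case.

```powershell
# Added example (not from the original post): sweep the Windows event logs on the
# affected machine for shadow-copy deletion and the surrounding logon timeline.
# Assumptions (hypothetical, adjust for your environment):
#   - Security auditing of process creation (event 4688) is enabled, ideally with
#     "Include command line in process creation events" turned on.
#   - Sysmon may or may not be installed; its event ID 1 is queried only if the log exists.
#   - $Start/$End bracket the window in which the infection happened.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),
    [datetime]$End = (Get-Date),
    # Tools commonly used to remove recovery points; extend as needed.
    [string]$Pattern = 'vssadmin|shadowcopy|wbadmin|bcdedit'
)

$results = @()

# 1. Security log: process creation (4688). The message text holds the image path and,
#    when command-line auditing is on, the full command line (e.g. "vssadmin delete shadows").
$results += Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4688; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern } |
    Select-Object TimeCreated,
        @{ n = 'Source'; e = { 'Security/4688' } },
        @{ n = 'Detail'; e = { (($_.Message -split "`n") | Where-Object { $_ -match 'Account Name|Process Name|Command Line|Creator Process' }) -join ' | ' } }

# 2. Sysmon process creation (event 1), only if the Sysmon log is present.
if (Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue) {
    $results += Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated,
            @{ n = 'Source'; e = { 'Sysmon/1' } },
            @{ n = 'Detail'; e = { (($_.Message -split "`n") | Where-Object { $_ -match '^(Image|CommandLine|ParentImage|User):' }) -join ' | ' } }
}

# 3. VSS service and volsnap driver errors. The poster saw the wipe command error out;
#    a failed deletion usually leaves an error from the VSS provider around the same time.
$results += Get-WinEvent -FilterHashtable @{LogName = 'Application'; ProviderName = 'VSS'; Level = 2; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Source'; e = { 'Application/VSS' } }, @{ n = 'Detail'; e = { $_.Id.ToString() + ': ' + ($_.Message -split "`n")[0] } }
$results += Get-WinEvent -FilterHashtable @{LogName = 'System'; ProviderName = 'volsnap'; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Source'; e = { 'System/volsnap' } }, @{ n = 'Detail'; e = { $_.Id.ToString() + ': ' + ($_.Message -split "`n")[0] } }

# 4. Interactive / RDP logons (4624, logon type 2 or 10) to anchor the timeline:
#    who was logged in shortly before the shadow copies were touched.
$results += Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Logon Type:\s+(2|10)\b' } |
    Select-Object TimeCreated,
        @{ n = 'Source'; e = { 'Security/4624' } },
        @{ n = 'Detail'; e = { (($_.Message -split "`n") | Where-Object { $_ -match 'Account Name|Logon Type' }) -join ' | ' } }

# One chronological view; the gap between the 4624 and the vssadmin 4688 is the window
# in which the dropper ran, so that is where to look for the e-mail and the temp-folder .exe.
$results | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
$results | Sort-Object TimeCreated | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\shadowcopy-timeline.csv"
```

Run it from an elevated PowerShell on the affected machine (reading the Security log requires administrator rights). If the machine has been wiped but the logs were exported, replace each `LogName = ...` entry with `Path = 'C:\evidence\Security.evtx'` in the same hashtable; `Get-WinEvent` accepts a `Path` key in place of `LogName`. If no 4688 events appear at all, process-creation auditing was not enabled, and the VSS/volsnap errors and the 4624 logon are the only timeline anchors you will get from the logs.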