magniber | 5642ad44f0697e5c7d1c09a862bc32bd0e7da73e8ed717899b111fe5ce61a713

Analysis

max time kernel
120s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53e5fc2375ca90b7345c7533aa34e7cb.dll
Size

38KB
MD5

53e5fc2375ca90b7345c7533aa34e7cb
SHA1

e52901f32031dea26e087ea28a22b11324fe2616
SHA256

5642ad44f0697e5c7d1c09a862bc32bd0e7da73e8ed717899b111fe5ce61a713
SHA512

9512625afdc6f9547af0bd5d47661c2f3cf2cac7abec50393b906bfc9b01ea7878260db49a41cb69c1aadbac65cd38b203faa94e0cfb51e40dcb7e6c801b9fb4
SSDEEP

768:fESk4VQoQCC3cHHrnZOVSJbNZoMzODqY3PnwZDZe7nmoot9kq3W33WuZEcSfuC:fDk1RCCMHVOeH3OvwZF+nct9kqGHWuYp

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://e04064b8ee7c56d05aowpynsoc.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/owpynsoc Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://e04064b8ee7c56d05aowpynsoc.coldsum.space/owpynsoc http://e04064b8ee7c56d05aowpynsoc.datesat.site/owpynsoc http://e04064b8ee7c56d05aowpynsoc.outplea.xyz/owpynsoc http://e04064b8ee7c56d05aowpynsoc.outwest.top/owpynsoc Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://e04064b8ee7c56d05aowpynsoc.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/owpynsoc

http://e04064b8ee7c56d05aowpynsoc.coldsum.space/owpynsoc

http://e04064b8ee7c56d05aowpynsoc.datesat.site/owpynsoc

http://e04064b8ee7c56d05aowpynsoc.outplea.xyz/owpynsoc

http://e04064b8ee7c56d05aowpynsoc.outwest.top/owpynsoc

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/1944-4-0x0000000001CE0000-0x000000000220F000-memory.dmp	family_magniber
behavioral1/memory/1108-16-0x0000000001C00000-0x0000000001C05000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1620	vssadmin.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1620	vssadmin.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1620	cmd.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1620	vssadmin.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1620	cmd.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1620	vssadmin.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1620	cmd.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1620	vssadmin.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1620	vssadmin.exe	47

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (66) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1944 set thread context of 1108	1944	rundll32.exe	11
PID 1944 set thread context of 1172	1944	rundll32.exe	19
PID 1944 set thread context of 1196	1944	rundll32.exe	18
PID 1944 set thread context of 2164	1944	rundll32.exe	17

Interacts with shadow copies 2 TTPs 8 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2836	vssadmin.exe
972	vssadmin.exe
332	vssadmin.exe
2776	vssadmin.exe
2536	vssadmin.exe
2848	vssadmin.exe
1088	vssadmin.exe
2088	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008dcd4c448ce8fb42a8f577f49cde6d30000000000200000000001066000000010000200000003ee0d8b30c92dec09506e6fb676743fae627fac5bddebf06e7a8ec905269f4e2000000000e8000000002000020000000c0fa1998e49fb114e09f5e5fae7528bc933baabd082a2985a2b21ecf7f274d672000000089d3ec9991216ed0b0e6e5964316251660d126e78db144be619c47107effab3f400000003d4f1de504df4db6ef466bb6e2fe21edf5dbedd4a5819da434de35c70b550a8e1c88a56d68993ff5a6464848b6c459bfaf99073391a4bd5a2abe840520dd28e0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008dcd4c448ce8fb42a8f577f49cde6d3000000000020000000000106600000001000020000000b23b5623e887028506e4d21606b764874f7810b93f3395150f53de9c3d70584f000000000e800000000200002000000043fdb589ab8b74d76b42123b9a5217cf4b51b0fd3a5baf796fae62cefdf56cf890000000ba8e5d4b8f37d6cbfa273b22933c9cf925d3cbe00a73fcd74b997844cb0e8986d1aa71aaf37fe9c16b0248269bf5ac3585db19061e7059698f0f6b105afcc48e1442d63f935b16e77a6d9dcd4a15ab920ec6a22b26f0e818e205ba9572959757f0643fcaa114f6c522a3ffa38bb767242c673501852ee559e867e975b2dc18202973396a63f4dda23980b275efbb1de24000000060de12996d03e986a106748ef1a228d385eb2474f7a0ce725694efe5d39099f70383283bbc2256ceb039bce2732741ad75d86c9fa294b0494ec98edea6c3b5d8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80cd416aa034da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{95404D41-A093-11EE-A892-DECE4B73D784} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409388490"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\mscfile	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\mscfile\shell\open	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1584	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1944	rundll32.exe
1944	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1944	rundll32.exe
1944	rundll32.exe
1944	rundll32.exe
1944	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2388	wmic.exe
Token: SeSecurityPrivilege	2388	wmic.exe
Token: SeTakeOwnershipPrivilege	2388	wmic.exe
Token: SeLoadDriverPrivilege	2388	wmic.exe
Token: SeSystemProfilePrivilege	2388	wmic.exe
Token: SeSystemtimePrivilege	2388	wmic.exe
Token: SeProfSingleProcessPrivilege	2388	wmic.exe
Token: SeIncBasePriorityPrivilege	2388	wmic.exe
Token: SeCreatePagefilePrivilege	2388	wmic.exe
Token: SeBackupPrivilege	2388	wmic.exe
Token: SeRestorePrivilege	2388	wmic.exe
Token: SeShutdownPrivilege	2388	wmic.exe
Token: SeDebugPrivilege	2388	wmic.exe
Token: SeSystemEnvironmentPrivilege	2388	wmic.exe
Token: SeRemoteShutdownPrivilege	2388	wmic.exe
Token: SeUndockPrivilege	2388	wmic.exe
Token: SeManageVolumePrivilege	2388	wmic.exe
Token: 33	2388	wmic.exe
Token: 34	2388	wmic.exe
Token: 35	2388	wmic.exe
Token: SeIncreaseQuotaPrivilege	2308	WMIC.exe
Token: SeSecurityPrivilege	2308	WMIC.exe
Token: SeTakeOwnershipPrivilege	2308	WMIC.exe
Token: SeLoadDriverPrivilege	2308	WMIC.exe
Token: SeSystemProfilePrivilege	2308	WMIC.exe
Token: SeSystemtimePrivilege	2308	WMIC.exe
Token: SeProfSingleProcessPrivilege	2308	WMIC.exe
Token: SeIncBasePriorityPrivilege	2308	WMIC.exe
Token: SeCreatePagefilePrivilege	2308	WMIC.exe
Token: SeBackupPrivilege	2308	WMIC.exe
Token: SeRestorePrivilege	2308	WMIC.exe
Token: SeShutdownPrivilege	2308	WMIC.exe
Token: SeDebugPrivilege	2308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2308	WMIC.exe
Token: SeRemoteShutdownPrivilege	2308	WMIC.exe
Token: SeUndockPrivilege	2308	WMIC.exe
Token: SeManageVolumePrivilege	2308	WMIC.exe
Token: 33	2308	WMIC.exe
Token: 34	2308	WMIC.exe
Token: 35	2308	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2388	wmic.exe
Token: SeSecurityPrivilege	2388	wmic.exe
Token: SeTakeOwnershipPrivilege	2388	wmic.exe
Token: SeLoadDriverPrivilege	2388	wmic.exe
Token: SeSystemProfilePrivilege	2388	wmic.exe
Token: SeSystemtimePrivilege	2388	wmic.exe
Token: SeProfSingleProcessPrivilege	2388	wmic.exe
Token: SeIncBasePriorityPrivilege	2388	wmic.exe
Token: SeCreatePagefilePrivilege	2388	wmic.exe
Token: SeBackupPrivilege	2388	wmic.exe
Token: SeRestorePrivilege	2388	wmic.exe
Token: SeShutdownPrivilege	2388	wmic.exe
Token: SeDebugPrivilege	2388	wmic.exe
Token: SeSystemEnvironmentPrivilege	2388	wmic.exe
Token: SeRemoteShutdownPrivilege	2388	wmic.exe
Token: SeUndockPrivilege	2388	wmic.exe
Token: SeManageVolumePrivilege	2388	wmic.exe
Token: 33	2388	wmic.exe
Token: 34	2388	wmic.exe
Token: 35	2388	wmic.exe
Token: SeIncreaseQuotaPrivilege	2308	WMIC.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1668	iexplore.exe
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1668	iexplore.exe
1668	iexplore.exe
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE

Suspicious use of UnmapMainImage 5 IoCs

pid	Process
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1584	1108	taskhost.exe	28
PID 1108 wrote to memory of 1584	1108	taskhost.exe	28
PID 1108 wrote to memory of 1584	1108	taskhost.exe	28
PID 1108 wrote to memory of 1652	1108	taskhost.exe	50
PID 1108 wrote to memory of 1652	1108	taskhost.exe	50
PID 1108 wrote to memory of 1652	1108	taskhost.exe	50
PID 1108 wrote to memory of 2388	1108	taskhost.exe	49
PID 1108 wrote to memory of 2388	1108	taskhost.exe	49
PID 1108 wrote to memory of 2388	1108	taskhost.exe	49
PID 1108 wrote to memory of 1860	1108	taskhost.exe	48
PID 1108 wrote to memory of 1860	1108	taskhost.exe	48
PID 1108 wrote to memory of 1860	1108	taskhost.exe	48
PID 1860 wrote to memory of 2308	1860	cmd.exe	30
PID 1860 wrote to memory of 2308	1860	cmd.exe	30
PID 1860 wrote to memory of 2308	1860	cmd.exe	30
PID 1652 wrote to memory of 1668	1652	cmd.exe	46
PID 1652 wrote to memory of 1668	1652	cmd.exe	46
PID 1652 wrote to memory of 1668	1652	cmd.exe	46
PID 1392 wrote to memory of 860	1392	cmd.exe	36
PID 1392 wrote to memory of 860	1392	cmd.exe	36
PID 1392 wrote to memory of 860	1392	cmd.exe	36
PID 1668 wrote to memory of 1600	1668	iexplore.exe	35
PID 1668 wrote to memory of 1600	1668	iexplore.exe	35
PID 1668 wrote to memory of 1600	1668	iexplore.exe	35
PID 1668 wrote to memory of 1600	1668	iexplore.exe	35
PID 860 wrote to memory of 1964	860	CompMgmtLauncher.exe	38
PID 860 wrote to memory of 1964	860	CompMgmtLauncher.exe	38
PID 860 wrote to memory of 1964	860	CompMgmtLauncher.exe	38
PID 1196 wrote to memory of 2808	1196	Explorer.EXE	65
PID 1196 wrote to memory of 2808	1196	Explorer.EXE	65
PID 1196 wrote to memory of 2808	1196	Explorer.EXE	65
PID 1196 wrote to memory of 2148	1196	Explorer.EXE	72
PID 1196 wrote to memory of 2148	1196	Explorer.EXE	72
PID 1196 wrote to memory of 2148	1196	Explorer.EXE	72
PID 2148 wrote to memory of 2812	2148	conhost.exe	54
PID 2148 wrote to memory of 2812	2148	conhost.exe	54
PID 2148 wrote to memory of 2812	2148	conhost.exe	54
PID 2016 wrote to memory of 524	2016	cmd.exe	56
PID 2016 wrote to memory of 524	2016	cmd.exe	56
PID 2016 wrote to memory of 524	2016	cmd.exe	56
PID 524 wrote to memory of 636	524	CompMgmtLauncher.exe	59
PID 524 wrote to memory of 636	524	CompMgmtLauncher.exe	59
PID 524 wrote to memory of 636	524	CompMgmtLauncher.exe	59
PID 1172 wrote to memory of 2216	1172	Dwm.exe	70
PID 1172 wrote to memory of 2216	1172	Dwm.exe	70
PID 1172 wrote to memory of 2216	1172	Dwm.exe	70
PID 1172 wrote to memory of 1712	1172	Dwm.exe	68
PID 1172 wrote to memory of 1712	1172	Dwm.exe	68
PID 1172 wrote to memory of 1712	1172	Dwm.exe	68
PID 1712 wrote to memory of 232	1712	cmd.exe	69
PID 1712 wrote to memory of 232	1712	cmd.exe	69
PID 1712 wrote to memory of 232	1712	cmd.exe	69
PID 2772 wrote to memory of 676	2772	cmd.exe	75
PID 2772 wrote to memory of 676	2772	cmd.exe	75
PID 2772 wrote to memory of 676	2772	cmd.exe	75
PID 676 wrote to memory of 1044	676	CompMgmtLauncher.exe	76
PID 676 wrote to memory of 1044	676	CompMgmtLauncher.exe	76
PID 676 wrote to memory of 1044	676	CompMgmtLauncher.exe	76
PID 1944 wrote to memory of 2068	1944	rundll32.exe	82
PID 1944 wrote to memory of 2068	1944	rundll32.exe	82
PID 1944 wrote to memory of 2068	1944	rundll32.exe	82
PID 1944 wrote to memory of 2080	1944	rundll32.exe	83
PID 1944 wrote to memory of 2080	1944	rundll32.exe	83
PID 1944 wrote to memory of 2080	1944	rundll32.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1584
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\system32\cmd.exe
  cmd /c "start http://e04064b8ee7c56d05aowpynsoc.coldsum.space/owpynsoc^&2^&36489896^&67^&347^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\53e5fc2375ca90b7345c7533aa34e7cb.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2068
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:2080
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2200

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:2148
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2808

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:232
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2216

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2496

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\system32\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1964

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2836

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:972

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://e04064b8ee7c56d05aowpynsoc.coldsum.space/owpynsoc&2&36489896&67&347&12
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
1⤵
PID:2812

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\system32\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:636

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:332

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2776

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18155140611994644780480386153-19155410241323773515112564009191693687110928537"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1044

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2848

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:2376
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:1084
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2184

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1088

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8425414ebc5853c877194350dd8b82e9

SHA1
a96a0a0ac66d4d2c9f72d52122d19a2714a27ddd

SHA256
3600b67bb775c21d084c4f1288bed40f919fbd7266c87f02dd9d36e4ed525994

SHA512
f52eb55ff8f17dd2cb21cf82817a0395087faf3127b087cd5b170f1cb1d0a87646d52f44250a9cc76a55d25ba414735e524ccf2ed9e53ed4a9c4de96b5ac07f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd368fe505f3a347414e6f12ebd34995

SHA1
e311a8946964b482ea9f736da14f84637b350828

SHA256
f91f24444b75f8440e1185fef73db937e2df6cfb7a32da5628c0fcd0be46b388

SHA512
21855a59411a762c0eabcf47bf14ab5ea48822642f9aca22db508c773e9340a6460e5bc306aac26aad59559e837d9ef372cc17d397a6fd8d61c33d489090d39c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2db5cc24d11e189a9b3ae59205e79082

SHA1
b978c4753542eb1d82e07cee6968e829fb89c84a

SHA256
324af22e7ce3c56e107e581af83cdd3ae6ec7c3ac4a6b170f1f2d59b29a2a92e

SHA512
2c0dba0e943a6bdbfde717f7ac9b05b852187e64fdcc861494f8cb11a9dce4cb52c44722e16ed77a9dbc5b0ea510ff2d44af9ecf101dff2db338edbfd7d2f740

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
91dbaedbbab3ea812862223f1d26cfc3

SHA1
2f72cbfc501d99103206b430954abce83bddad5c

SHA256
d1a90dfa8ca91c9f82d75cd686aca433546e6e4b655ab27b16af2b3f20c911ab

SHA512
71a5b28499ff9646f6a09b6f65a49a21370ecf19e70f1c969308c9497a277a3c5177b54ffda9f94298c06989bb01ec3bbcf8bbc6c0e04a6a4e60e4a5540ec0c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf64167cf239c7c45499edcac40b2e3a

SHA1
1383ea3f134d3db46dd7f8729fe9e22e6d2309b4

SHA256
98756139087d2cad428240000cd2896f1b0be423216c1fa99e25bdef4aca90e2

SHA512
b90db3c00866088b2e37cc59f15fb425b91102dbf2ce10c2b435d037889be2482dfb7c931628327c248290cf3f9841ecd9bf47b3298eb6b03bf9d8004f2596a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b1daf19bb48445383139f58fafcc644

SHA1
e564359291d19a82982dddaa2cabe28640cb1e1b

SHA256
d732f2e8735204018b2ae46d6df7ed4e055d7d33534d6dfb61cfe085c019d10d

SHA512
32f2f188adc561431b8481a6199239f642bd77b7ba140dfa3b6b1822f8e4b905458d7d0c8b7d6d6d27fef4e583a7ca99859e4c727752bae7d17e0565b1d42be2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49570baf2bfcaeb0742022b7fe5ab65f

SHA1
1f460393089422b86bd44fb17e6f413c21855f59

SHA256
6ef11b6c0d4157b4535acdd2a8df5087f9d0c604392656c8605b1d46432c5a3f

SHA512
0ae0b26abb0b25cc7082f146e4f92e3a988da379d080775563d48a7d22e1731b0e08593ac028eb57a0828985e38edebfb6bb569450188f63d6e27e04b3327a11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a31c61a1b536815f3ffbfeef19c0acc3

SHA1
9332bd439a6a8189945644fe71eeb2f74b85481a

SHA256
1c302fb77177da92eab6ceee602b06cb02e0c200c985a2399aaa57979ed53be9

SHA512
a34447b3427241abadfc5a6ec9afb75f928deb65211b23774df04e92baac819bbce97f9b3e59b99ef6002215631826ea503e28be6524cacd2de9fb27d82e4dc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
113129334a4c1b1027b8b9737da78296

SHA1
8a90444ea254ac6c73aad6635498ad55deb66c72

SHA256
5070c9dfe169ec2659102189cc5c42188906952f287012cc4458e0235ad1f46f

SHA512
18da133766dba9bfa5df28be13404c20cd4186b404d4eb1de206cfc3ecfe3abce4362d4859104e4900914ba6d08f63ac2dd92f359325777e74c1a4dc8455089a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35d08557d84d7ee1819955fe6fcc0486

SHA1
912f2bdd26e5ec7a0c88e982cb42339c43e56794

SHA256
2abfd552cb3fdf9a50ea117a3796b547d4a4798e50c150314f64651c30bdbeed

SHA512
08ed2b6371ace6ed3814db384cb406ce882a175e9fcc4a0d4bc05b612d4ada2b70e8e6cf9624666d6802bece3dd6feaed27c3d57c4ab5ec745b0da0c35ad08e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c020d6b8350aa6c85ad26ff3f70569f5

SHA1
954a7d7a5851947f504a3b70fb668dc5976eca5c

SHA256
eb3a37a26a608084783b027a4e1fab7c27eae804241f861f035fcb38a3a0721c

SHA512
b9c8c8790bfcef3d50508eb13cde7b3c5cded0ea9108cea71269c81f462b5818dc697382e6e8442222f99e148dcafaa987b19668cbc7900aae84f387bc2d8407

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8a895fad393ca7f5455433f8efd3828

SHA1
0d46c496f35a3744420ab8d8fe9432bcec83571e

SHA256
db18532f03f905142fbf8b369b56a32cabcf23f491eca0fadb741c3a5a8b7727

SHA512
d6cda969a923ada33dfba30cbd6c56e395e2360df90b53df23dbfc4cfd0f48da49605610793368ffd1474799dba4dc9013d1d3b5340f3c5c47a678cb066d3de5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bcb2844258304a2e44f67d4af0467a70

SHA1
c39e2bfd0766ae4af512555515c9fcd2d0caf4b4

SHA256
61f2e8ac35a1136da7ddf8853384a5b59a7807b94b5da39951ee8a524228dba8

SHA512
8efc24fa28707be7c74ba442aad39582149b1bbd818c8b64505f808cc1815ebb6cdcde7c59daa9e0dcf9fc0cb37b9da4064c093946c2c8e488e73e2873d62af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e175b6cbae1013a187fd7dfc1160802e

SHA1
e923e472d0b6b670305d357a7f2163195c9c637b

SHA256
43753eab807d458138ac82cd501c9853bb75b4bc714da75151879137f58ede43

SHA512
67efcb66ce6f25c41c5510c0b2d4e2fab7588972c8a121149635f52c2ce18adc502b261e9b627e4eb40f9e4582a016516cc854b7224d7411356f23d18f5ed012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bbbf7a85878c3f80e3c806d86f4f6ef6

SHA1
5268f56ae5b198bb7c20f95f7188ef99c4eab594

SHA256
f0b13dc72d3444985f458e6713b4335c7f96885aa4022b5ad21ce874e1907663

SHA512
d2f836ca6c0d2ff9522cb808dfbb9f5870ef44a6b31a2b300f555e52377fafcbc62abbb81cbfabb3b6cf664b7bf9baab0f66416b2109345b48be95b85c137f12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ff2863c41ceb6676af13c93089ef587

SHA1
d7236fe7a2fa0f7470405209373b8b179939b2bd

SHA256
7e9ce9f7de2a4e4b8a0b7e6d5c0e92fbc3fb3dc0eb3e42cdd4d559c86dba3158

SHA512
abfe37620c94a9f80098065aef8a52995fbab7b492968cbc1e0b44d829cc9bc4f32e12b9a11f42667129db8548c025a8cf4347ad9068bf4e42e97708d88cdcb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1389c59362b5da63998ebc28ad016731

SHA1
4b930a6bae9df7cd3501d6b90d9f17eff91086f8

SHA256
efb62c46c257719aff35cecabb7d537c956af77c85855ee2854b25ffc04d9c07

SHA512
3fa5b778bf3a5d8187f8139c8c2f0535ec92934ef4d5a03f3ddc6fa8043b33ff715d483c6b3a6d5ca0c6b74ec87a0d9f17b3cb93cddf73abbba1fb3124f4ca9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b4d139f18f07469eace0c8dab7811c4

SHA1
99b2a7a1543011519f267e905d555ecee6e2a5e7

SHA256
f10026ea4da9016bb8adb08a5784d01b31bee5de09294657a90b017d0fec10ed

SHA512
2580b5022dd7d716677d66715f98a99d0bcc2fccd10dfcbef06d4b46f6824de7d3757eb5ce39f92a061f67279cf1f7055b73160c9074fee78fdbe3c47ac3c4f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a6173ef8f0a3ebe56bb4206be89ec13

SHA1
3b695558d869966c8fc38c94184642b6c8fc7a4d

SHA256
6572700a8102320a7bc722bff1b1b54524c1b91f111b4ccfbf235a93d7dc26f4

SHA512
016eff5b080069ed7fd64e65a961e2492d03b4a3ebcd2c2bd4956f0ac5880f0d8cccd08abbc548efe37d80c2b8844bb80269d06f50668ffe025ed7599402ac86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9500.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar95B1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Documents\UpdateExport.dotx

Filesize
716KB

MD5
24a33fba179445065ba73ef57625eebd

SHA1
7292d5ebeccec4d123cdecc13384c7942e1fb67d

SHA256
f365446d558e7f5a96092c1f6ccb3a6b8df718c522bb6f98856507a69296ed7d

SHA512
44633231206f81d5f69ff97c4fd1d9f6475beb208862a7d357fe6f0cbc32ab5cfe45b83eb5df5355b7a112513750cbd2c966b85a9ade81cc7034e75316d7e5a2

Download Submit
C:\Users\Admin\Documents\UpdateExport.dotx

Filesize
1024KB

MD5
c5f72faf808a58f419a9d3898e81bbca

SHA1
135c7cccdebae92153a8ee583d1fd4d921794001

SHA256
a8be90ee51706215e9b08f56115e5c18fb3ff443bdea807685c5f441c67d2f69

SHA512
4ae054928389f72308708b297e3532f960747efd697e7dcd6555e7c1915f2fdfa7ebad85be757b2cbe170a58f07d8a455ff90ca5e5d8daf562e0a0f736a73268

Download Submit
C:\Users\Admin\Documents\UpdateExport.dotx

Filesize
1024KB

MD5
5129ccbb27ce507835787d2ff3f8542b

SHA1
bcd02fc721123525407c2443d610f256b6352e46

SHA256
3ed84bf488a2226e06f799d063002c713e2baeef5fa9d34974cb6f501b00c480

SHA512
7d6f7638c31c9b5b0f8448491f242e1d9bf377d93d4d26a107303b3fcc67ae5c60ac402d3fa7d256bca5ec01a9b07e90335aa03f5bf34e07a468819e9a116cce

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
df0f354bd15b23b476fba0de644e6abb

SHA1
58c4d9d4c6d3b99e2f0042a6cc7e5f3119665f04

SHA256
5290f285c3593954fff630ab9ae2119761f822180e610736dd3e1499d150c0cf

SHA512
c168bb5133f41abe64e4cd1e8eaac4f4292ec22eef8e6274877684a5fd3a9b897f5bc726e2b245f38cf2d880b8dac4658a7879298e545a76a0b8742bbd32db3a

Download Submit
memory/1108-0-0x0000000001C00000-0x0000000001C05000-memory.dmp

Filesize
20KB

Download
memory/1108-16-0x0000000001C00000-0x0000000001C05000-memory.dmp

Filesize
20KB

Download
memory/1944-9-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1944-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1944-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1944-696-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/1944-697-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/1944-7-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1944-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1944-10-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1944-11-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1944-12-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/1944-17-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/1944-13-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/1944-14-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/1944-15-0x0000000001B90000-0x0000000001B91000-memory.dmp

Filesize
4KB

Download
memory/1944-4-0x0000000001CE0000-0x000000000220F000-memory.dmp

Filesize
5.2MB

Download