magniber | 8ab78bc8884b9de573a3dc19e7fc206e925f643aee3f152d19e8d1caa90b6312

Analysis

max time kernel
137s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-12-2023 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3e7152abd213f303c1561aa20ed9cea.dll
Size

38KB
MD5

a3e7152abd213f303c1561aa20ed9cea
SHA1

0cfb6ac5f567c4dd3e9ebe741c2b8b0e19cb243e
SHA256

8ab78bc8884b9de573a3dc19e7fc206e925f643aee3f152d19e8d1caa90b6312
SHA512

854dad9d639cb4c9860c7dcd2d1bb7204ce3efe0a5bc0521d37a61e7ef3787a8334620d718ec2abdbbd077122c008273ce29cf1382af45d8411c431f5cf2e777
SSDEEP

768:bL2WWrr4WdC5pqndJgr8q39GGL3RqL9Q1VW028JQyt3uh11yCg:GdC5pqndJIHtGCE9Q1rRxIM

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://e00810f81c0094e05asabwrkkob.grv4f55lyxu36y26o4orfzy7vmwiljcruko6r7q4tatxvjugg4j66lid.onion/sabwrkkob Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://e00810f81c0094e05asabwrkkob.hesmust.top/sabwrkkob http://e00810f81c0094e05asabwrkkob.salecup.club/sabwrkkob http://e00810f81c0094e05asabwrkkob.tietill.space/sabwrkkob http://e00810f81c0094e05asabwrkkob.hegame.xyz/sabwrkkob Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://e00810f81c0094e05asabwrkkob.grv4f55lyxu36y26o4orfzy7vmwiljcruko6r7q4tatxvjugg4j66lid.onion/sabwrkkob

http://e00810f81c0094e05asabwrkkob.hesmust.top/sabwrkkob

http://e00810f81c0094e05asabwrkkob.salecup.club/sabwrkkob

http://e00810f81c0094e05asabwrkkob.tietill.space/sabwrkkob

http://e00810f81c0094e05asabwrkkob.hegame.xyz/sabwrkkob

Signatures

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2124-1-0x0000000001D50000-0x0000000002399000-memory.dmp	family_magniber
behavioral1/memory/1220-15-0x00000000003F0000-0x00000000003F5000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.execmd.exevssadmin.execmd.exevssadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1100	vssadmin.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1100	vssadmin.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	1100	vssadmin.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1100	vssadmin.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1100	vssadmin.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1100	vssadmin.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1100	cmd.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1100	cmd.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1100	cmd.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1100	vssadmin.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1100	cmd.exe	51
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1100	vssadmin.exe	51

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (89) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 2124 set thread context of 1220	2124	rundll32.exe	19
PID 2124 set thread context of 1312	2124	rundll32.exe	20
PID 2124 set thread context of 1384	2124	rundll32.exe	21
PID 2124 set thread context of 1508	2124	rundll32.exe	23

Interacts with shadow copies 2 TTPs 8 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
2504	vssadmin.exe
2036	vssadmin.exe
2336	vssadmin.exe
2844	vssadmin.exe
1180	vssadmin.exe
1724	vssadmin.exe
2440	vssadmin.exe
2436	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000580e1c8c6faee54b80ab28599b83677c00000000020000000000106600000001000020000000227573a253126f8aeabddc1f148b21dc60ffc8a37ccde94555fcae227f25de73000000000e8000000002000020000000839dde62f3187979cf1fab912344a9820f4008c49cc197a43508e791d7857a4490000000f337c12eaab02660eb475a27875a18bd024ccec2f9a5a19d21dedb80b0c0afc294ea44bdd7d9d0ea5c3e400a67bdf17838f4a4c0d2bae2781eae01b37d9e44e260df83d66e14808885ef5db7f1d152696e634ada631ac91485c25c2e8b3d704fc51b3204d3914226f7cd7f9fac1903687bf54c3a114551aeeb81f3d3a5dff10552d08b75e32407887a6c37a576397e3e400000008da1bafab6594265fbd3b0a209c567c09e2965801bad92d0531fdb4c2aaa7bdd4407a2c4daf70cd39866b44834cbcfbbd1aea638370d7de8819de952680ee015	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0dd60bdef39da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000580e1c8c6faee54b80ab28599b83677c0000000002000000000010660000000100002000000006ba1eaf608a34db8a4e70dec99f6a802f015b42c30a6086a6d6d860e03666ed000000000e80000000020000200000006eac3732a2dac7493d52a88db667fad8248436d0ab242cf2fe486148a9206d7b2000000054b33c5e5267160beea4d06f7306e9a7be8975e330184655716cb944d444d9ca400000000078918cc559574b88881d5918279e463725b9bf20bc9e9c6c7c4595ea4b782af060a697a4e8d59c1fcc3c4dccd7fe089f281aa52d49bd9646033a809b0c94ca	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409972312"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4243C61-A5E2-11EE-AEE3-EED0D7A1BF98} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry class 11 IoCs

Processes:

taskhost.exerundll32.exeDwm.exeExplorer.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\mscfile	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\mscfile\shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\mscfile\shell\open	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
2656	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
2124	rundll32.exe
2124	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
1384	Explorer.EXE

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

rundll32.exe

pid	Process
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEwmic.exeWMIC.exewmic.exe

description	pid	Process
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2592	wmic.exe
Token: SeSecurityPrivilege	2592	wmic.exe
Token: SeTakeOwnershipPrivilege	2592	wmic.exe
Token: SeLoadDriverPrivilege	2592	wmic.exe
Token: SeSystemProfilePrivilege	2592	wmic.exe
Token: SeSystemtimePrivilege	2592	wmic.exe
Token: SeProfSingleProcessPrivilege	2592	wmic.exe
Token: SeIncBasePriorityPrivilege	2592	wmic.exe
Token: SeCreatePagefilePrivilege	2592	wmic.exe
Token: SeBackupPrivilege	2592	wmic.exe
Token: SeRestorePrivilege	2592	wmic.exe
Token: SeShutdownPrivilege	2592	wmic.exe
Token: SeDebugPrivilege	2592	wmic.exe
Token: SeSystemEnvironmentPrivilege	2592	wmic.exe
Token: SeRemoteShutdownPrivilege	2592	wmic.exe
Token: SeUndockPrivilege	2592	wmic.exe
Token: SeManageVolumePrivilege	2592	wmic.exe
Token: 33	2592	wmic.exe
Token: 34	2592	wmic.exe
Token: 35	2592	wmic.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemProfilePrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeProfSingleProcessPrivilege	2620	WMIC.exe
Token: SeIncBasePriorityPrivilege	2620	WMIC.exe
Token: SeCreatePagefilePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeDebugPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeRemoteShutdownPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: 33	2620	WMIC.exe
Token: 34	2620	WMIC.exe
Token: 35	2620	WMIC.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2580	wmic.exe
Token: SeSecurityPrivilege	2580	wmic.exe
Token: SeTakeOwnershipPrivilege	2580	wmic.exe
Token: SeLoadDriverPrivilege	2580	wmic.exe
Token: SeSystemProfilePrivilege	2580	wmic.exe
Token: SeSystemtimePrivilege	2580	wmic.exe
Token: SeProfSingleProcessPrivilege	2580	wmic.exe
Token: SeIncBasePriorityPrivilege	2580	wmic.exe
Token: SeCreatePagefilePrivilege	2580	wmic.exe
Token: SeBackupPrivilege	2580	wmic.exe
Token: SeRestorePrivilege	2580	wmic.exe
Token: SeShutdownPrivilege	2580	wmic.exe
Token: SeDebugPrivilege	2580	wmic.exe
Token: SeSystemEnvironmentPrivilege	2580	wmic.exe
Token: SeRemoteShutdownPrivilege	2580	wmic.exe
Token: SeUndockPrivilege	2580	wmic.exe
Token: SeManageVolumePrivilege	2580	wmic.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeExplorer.EXE

pid	Process
2780	iexplore.exe
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Explorer.EXE

pid	Process
1384	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
2780	iexplore.exe
2780	iexplore.exe
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
1384	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXEcmd.exetaskhost.exerundll32.execmd.execmd.execmd.execmd.execmd.exeiexplore.execmd.exeCompMgmtLauncher.exeCompMgmtLauncher.exeCompMgmtLauncher.exeDwm.exe

description	pid	Process	procid_target
PID 1384 wrote to memory of 2656	1384	Explorer.EXE	31
PID 1384 wrote to memory of 2656	1384	Explorer.EXE	31
PID 1384 wrote to memory of 2656	1384	Explorer.EXE	31
PID 1384 wrote to memory of 2472	1384	Explorer.EXE	32
PID 1384 wrote to memory of 2472	1384	Explorer.EXE	32
PID 1384 wrote to memory of 2472	1384	Explorer.EXE	32
PID 1384 wrote to memory of 2592	1384	Explorer.EXE	34
PID 1384 wrote to memory of 2592	1384	Explorer.EXE	34
PID 1384 wrote to memory of 2592	1384	Explorer.EXE	34
PID 1384 wrote to memory of 2964	1384	Explorer.EXE	33
PID 1384 wrote to memory of 2964	1384	Explorer.EXE	33
PID 1384 wrote to memory of 2964	1384	Explorer.EXE	33
PID 2964 wrote to memory of 2620	2964	cmd.exe	38
PID 2964 wrote to memory of 2620	2964	cmd.exe	38
PID 2964 wrote to memory of 2620	2964	cmd.exe	38
PID 1220 wrote to memory of 2580	1220	taskhost.exe	39
PID 1220 wrote to memory of 2580	1220	taskhost.exe	39
PID 1220 wrote to memory of 2580	1220	taskhost.exe	39
PID 1220 wrote to memory of 2636	1220	taskhost.exe	40
PID 1220 wrote to memory of 2636	1220	taskhost.exe	40
PID 1220 wrote to memory of 2636	1220	taskhost.exe	40
PID 2124 wrote to memory of 2360	2124	rundll32.exe	43
PID 2124 wrote to memory of 2360	2124	rundll32.exe	43
PID 2124 wrote to memory of 2360	2124	rundll32.exe	43
PID 2124 wrote to memory of 1520	2124	rundll32.exe	44
PID 2124 wrote to memory of 1520	2124	rundll32.exe	44
PID 2124 wrote to memory of 1520	2124	rundll32.exe	44
PID 2636 wrote to memory of 2984	2636	cmd.exe	47
PID 2636 wrote to memory of 2984	2636	cmd.exe	47
PID 2636 wrote to memory of 2984	2636	cmd.exe	47
PID 1520 wrote to memory of 524	1520	cmd.exe	48
PID 1520 wrote to memory of 524	1520	cmd.exe	48
PID 1520 wrote to memory of 524	1520	cmd.exe	48
PID 2472 wrote to memory of 2780	2472	cmd.exe	49
PID 2472 wrote to memory of 2780	2472	cmd.exe	49
PID 2472 wrote to memory of 2780	2472	cmd.exe	49
PID 2060 wrote to memory of 2100	2060	cmd.exe	75
PID 2060 wrote to memory of 2100	2060	cmd.exe	75
PID 2060 wrote to memory of 2100	2060	cmd.exe	75
PID 3048 wrote to memory of 824	3048	cmd.exe	55
PID 3048 wrote to memory of 824	3048	cmd.exe	55
PID 3048 wrote to memory of 824	3048	cmd.exe	55
PID 2780 wrote to memory of 2240	2780	iexplore.exe	58
PID 2780 wrote to memory of 2240	2780	iexplore.exe	58
PID 2780 wrote to memory of 2240	2780	iexplore.exe	58
PID 2780 wrote to memory of 2240	2780	iexplore.exe	58
PID 1296 wrote to memory of 1992	1296	cmd.exe	57
PID 1296 wrote to memory of 1992	1296	cmd.exe	57
PID 1296 wrote to memory of 1992	1296	cmd.exe	57
PID 1992 wrote to memory of 600	1992	CompMgmtLauncher.exe	73
PID 1992 wrote to memory of 600	1992	CompMgmtLauncher.exe	73
PID 1992 wrote to memory of 600	1992	CompMgmtLauncher.exe	73
PID 824 wrote to memory of 1364	824	CompMgmtLauncher.exe	72
PID 824 wrote to memory of 1364	824	CompMgmtLauncher.exe	72
PID 824 wrote to memory of 1364	824	CompMgmtLauncher.exe	72
PID 2100 wrote to memory of 2036	2100	CompMgmtLauncher.exe	71
PID 2100 wrote to memory of 2036	2100	CompMgmtLauncher.exe	71
PID 2100 wrote to memory of 2036	2100	CompMgmtLauncher.exe	71
PID 1312 wrote to memory of 208	1312	Dwm.exe	83
PID 1312 wrote to memory of 208	1312	Dwm.exe	83
PID 1312 wrote to memory of 208	1312	Dwm.exe	83
PID 1312 wrote to memory of 216	1312	Dwm.exe	84
PID 1312 wrote to memory of 216	1312	Dwm.exe	84
PID 1312 wrote to memory of 216	1312	Dwm.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2984

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:208
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:216
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3e7152abd213f303c1561aa20ed9cea.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2360
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:524
- C:\Windows\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2656
- C:\Windows\system32\cmd.exe
  cmd /c "start http://e00810f81c0094e05asabwrkkob.hesmust.top/sabwrkkob^&2^&45776257^&89^&345^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://e00810f81c0094e05asabwrkkob.hesmust.top/sabwrkkob&2&45776257&89&345&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2240
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1508

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2336

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\system32\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1364

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1872

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2844

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1180

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1724

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
1⤵
PID:2036

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2440

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2436

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2504

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:2296
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2120
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2672

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8d50f581ba278a9186e87e674f3a4cb

SHA1
b042e7e4118936b80c3a46ff609ca207f1bc598c

SHA256
299ce4ae495e4ab5914fe6db85b33e18487e086d1244ba01744e6bcbacb3aa14

SHA512
f23df154efa2d4ad849a242bd476f32b6bf1732b8464c58d941e97929727da96a789ab7948810175527f25022eab190e33557795cf09ab746a7ba980f1d397f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b95288a62d229e4ab37df7b2cbd012f

SHA1
aa165b002711dfe6887e58dd02a4a2c552043bd7

SHA256
59fb9ff19aeb4830a1dc29d7e33cccb977cc1280bfa57816014057ceb5a11ced

SHA512
4808db885a3c250b61fd18b6d5cff9fb654bdbb64a55298fff2ae83a66027728c5919a37cd35295994c8155f4909ba7561a83afe1594fa064415a3423d1c0c25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15152f10bfeed9f21bcce5500b32963c

SHA1
2a6f4c2b75c03ed2fd1f1960985aeb2bb6b83350

SHA256
58f983bf5ccbe7fc0b70bde31072086ded68ae3c1d55e0db07143d45c594800d

SHA512
c6070d40a03418432484983d32224bfb7a36555ce56f7ba51b53a4691c9ee7f36e8a110b8f7598773c8493baebb997f1709e08d3b91383b7d0c5c1973246b9d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac3f9cfbc7619cf6735fec18d7990647

SHA1
76875cd5ffb3548a994c3f5ff1ac92a938568876

SHA256
86f668885d445bd4fe804c74797af9a4c88e5c7ba14ebde354e9821aaa13b24e

SHA512
de989067ae446bd7d602b00a3eb64588a955244f7f5af0483612e1d625eb7de8fbd0674ef16cc66adc732a5c42d3880eeef080501f0627d78ced8e9eb057d05b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1da51cfed837ce24b4ae307a390bd390

SHA1
f2b03e5c8dc24a3d29400d4e7fadd1085840e31e

SHA256
4d4b678ae6507f81c5f4bc105ce67ba46792a34d5696c1a2e168710e87bac6b3

SHA512
85dbf9c725635a3c5d1d7f182b7b7661a5673f61c1bdca8001431aa35bd18111ae6e4ce5a615d430c373f4b39fa11ddd0d72c5c7e465354c1f6ef0fb3bef1cb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
981d9c8a10bf10ebf26dd0d7962c6084

SHA1
b9d48ea864971781cab932550eef1f233eb12c0f

SHA256
1c6047df048a32542aa04315fe8e246a068035c586c815bfa0fde5f20cf946e3

SHA512
9874878ae4650f964cd478cb36c248f16a3b492f18eac8d5b2438c2e40b578d70a59de5c3a5b36b7e123759c42d0261209c1496876a1f506dbd8e797b9968270

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76541f8fae8c838d2a615528aa045197

SHA1
fe032d22479c32a9411038ae324348e91318d755

SHA256
1693b2bc7ca8f7539f14e5d67d71b64921099183f52b337ce6c2765e0b68fdca

SHA512
659108eea6bbb7d16385b33c8098399ffc9536b08a2af3deab5c8d5535cd056bf0075c3a391e3c551372bf8e9153ca59fe471fecb747b4150ce8a3efa29cd6ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c029cac8c9bbdb6f8b8dd372d346438

SHA1
b105f05d147d33e5418fdd8ec177465fda46522f

SHA256
65d0eda5f7ff82c07d50132b018fc2f6aeb5852239953b62fb68047ababb401b

SHA512
e19569c362b7f623a89686cc4cf4ecfe9b60be44724d9b1b0e777c42347ab659c91946d762f3c0f91f8c36470b6c7296bbf2f399b1e16d36c3deebe383db0612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc24c1dd2940815416c42bf9f5af0b52

SHA1
96c454afdc3bd64405b265f3f273d3e9e6df8118

SHA256
cfcd75a9d36025b8697983fd6990c84c6a30b671dc403e0204bc7f6504d55124

SHA512
2adf631f7ef4b585c42fb68d014fb77adadf553ee1e67ccef95918f887524339be9d439cda7cbdfaab8bb707d71d945d0c732e3be037760f71cee5923f1b4dcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55c506729865019794e681a8d2e1ec1d

SHA1
2acbfb572d80b49ebe494348f482d6155be2ff5b

SHA256
b386f1ca4e4e2c6d08af070438447104904fb17d3c2c349f6df74fc376ba5b7e

SHA512
63fc01807d761439313845bddfc5da37a3deaff5fb87d7ff64dcee6d411b4c8f18f74df6312123e1073ddb7d46d6f64b4e7f5d3db0bca1938e3a8819e6a93d17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c3f18b4a315507573f30460790dbb6a

SHA1
036aefd4706fad93ccb5a8d9faafd5519fa51d65

SHA256
f2fcfcf1d7bc705fc170eb215a9e027e3e483b2e7cd43803a6e8c4d454fa0f58

SHA512
b508acb79305ed26d19796ceb80dd6425d45f451757b9d8aec695bb89046b9d7d4057218a56969b1d0b15717d6e40f435de5fbfe3344ca774b4a6db679d672f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eea99f01b0cbd49d9e0ea11ef9b9d625

SHA1
c0ce59a649b51e2b349e280a4fa6c84ba8193d1c

SHA256
b0adaa1a376c7bd84d8648b7c56d88a6083088cc5bb0ebc45c67a6a7255d72cf

SHA512
89edc91a6f766d73d04c28093b5f2e1a49999c3e59f460c5abb7d97d5ef3b81bed3829876cdabe2602d890d7c3ba368b25c7f51228b3abee9149ced0d85b7be3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31b758bad7bf39a5da2b5bfbc8383baf

SHA1
bd27d333b032557b96e2255acc01aa483d5ecd11

SHA256
14f899755bc42ff40c493f9afa931b4fb037559cd6f1f2ef873ce390f17878d8

SHA512
e0ee013d84ae36b39e1d97bca755786fc7e5f10d41bb919cfd618362c2ccd660045f3b461b1c29d28f92de829215ff8032136c0cb2192797179eafeb4aefab4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c13be626a7cf82f54b49647d948da4d2

SHA1
a33975a71ddde59016b69fe5c49046ba5bd32a83

SHA256
1e535ba58f9df28c15f7cec3a224f1e66fb31543f22a2b4363b1c92b3b93cba9

SHA512
06e268197e5b82a3385dcd1b2d81a47ba01955cab92c2661dcae8289ea9f9060044f4622b5c09041c5e44847c132c66e8bfa01e883e1a4b8078cef61a0e35cb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b9e6e2def61569eec7f48f91091aec1

SHA1
bde8f1f9d0fe714cd2677473c38100c6e4e5d985

SHA256
8b2bea982b2d55ae8516f6f82a020422cd39dab1773ac9ae0fd81477b1c6cbe0

SHA512
a1a59c45a82d75b69eaf98cc446a475df0d810041d64ca85236abf91826d7ce2bb76f002d24a95334a687d62b2a656c707ab1e1552b54cc1058853410479f5f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89300887e74baa2eb2d0bab497f1f720

SHA1
d99fdbb43bff28fe3445bab36d08e2b5a92aefe3

SHA256
cf0a34d3884ec9991bba5776985db8b77f3cbb7458e0dc09befcacc074af7ab3

SHA512
9396282d18f6ac45c6ee2ebd6382401e2299aed0582af82c73ffbb4fe567e2ae9dfc0c58d2605a79431c3982b39cf15c6718794433a5d04fe300531a23d10dbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05f67179ffa43787684875a6e83a16eb

SHA1
958488ede45be268a37641d0f1e3172343484c44

SHA256
9d0235c140041c1c402a996ccad499d64a7d7fba6c4e998d8c5d95b49bc5f380

SHA512
d092749db10da8ca94092c03de637a3e1fd12ec5406855142cfb0b676ae7adca7d0560c6ee35272948e6f8f5ab53de855b912f561da192d1a272d34155f63ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD6C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD9E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Desktop\ApproveStop.svg.sabwrkkob

Filesize
256KB

MD5
0227c7e95c1a2516d2cf75cd2a3be8dd

SHA1
d1136aa0a3025127ad2e8c53c3ace4211c2878e7

SHA256
52951f5e7ea1f141fc1c420e1e6a7a192ff364bbc3bafcd173849dfe818637f9

SHA512
1a78f730c6d34fee03eed3b74a50ff355aed61216cc441aa74c4566f916b376b292ab649c31d7ec334cfc10ff5f85e406f5ebadba5adf902b7a168e2ddde7cc2

Download Submit
C:\Users\Admin\Desktop\EnableClear.dib.sabwrkkob

Filesize
256KB

MD5
a84ceded556682f4de21611540026a55

SHA1
d7c1bc262e07b655b7f3ffa0f7ea21d40fac47cb

SHA256
699328f7311c4851768ac14696434da0427ad33f2a019fb86e245b91a508bbcd

SHA512
89a67189ba7e8d9e998dd48c689bb314d98c08726bb5f4ce9130ee65c80834c45eaf364c7f386d705bcf552da03bf7096bcb7cb5d6be6ae7ce1fbaa4c9102d39

Download Submit
C:\Users\Admin\Desktop\ExpandReset.ppsm.sabwrkkob

Filesize
256KB

MD5
76ecf06106f25ee14698fee9780cc21f

SHA1
43abd461b4e63b7fe40d73d61b9d0d186125680b

SHA256
d8c8f0e85387594cfbc226d0eb8101baa1bea75fc52da1060930e11d7494353e

SHA512
f89f1ed3f2e3fd5d5de145c0d05ef5203c904ab36fccc460d84f13f4f5a06cb5ba0ef0f200b22fce27050c55e39e09d3d4f0fabe509831808b2c112169e4faeb

Download Submit
C:\Users\Admin\Desktop\ImportCopy.svg.sabwrkkob

Filesize
320KB

MD5
0c80b4932c789e2cbca64b33f7e3bbac

SHA1
9e7a728e20c0c1861b9061da40630d888e0190ae

SHA256
03831965269f3fbb0e4227fd80f054e1848fe2f3072dc42ba6433089a0e1d644

SHA512
39c439116f8a0aa0b918d51eb23c720823a27cbc8778d63f78a7fc9c0c178eb2bb1cd3ce59137f34938e03e8dee91fda195b9ac98a79192cfc10fcfbe5786d06

Download Submit
C:\Users\Admin\Desktop\ResolveJoin.vbs.sabwrkkob

Filesize
320KB

MD5
7dfb78677aef49288aea2e9dba22eb40

SHA1
4c0cc0243094f39a5102de51ac8b8921b60fa0f5

SHA256
2cbb4a9143ee2e360e5573ae3a1f414b978087db4dcf41bfc2ca872dbf55d965

SHA512
d66f48930250bf6d3c5fae6f376b30bbbfc159929891407489bf4d209212ac09cba348c3166a353134449a74d3c9b05f729f2075d22bcc97918805552c0198e5

Download Submit
C:\Users\Admin\Desktop\SplitStop.docx.sabwrkkob

Filesize
320KB

MD5
23518af84ee933da426c26c1c82f8f44

SHA1
71f0bcb51eb33c0639097b7db0733d87ec5beca3

SHA256
18d76d58157d785386be386c2e5be7280f5cd924d29a1ddb49b64c5dbede1b92

SHA512
202bb13e3c80296d038f721bfedc46b618c1d52ca5a596e8cf403672ddf3f805e1d07786197ed8e5f7b0df310f8207cb307404b7653d384cc3104d196c70496e

Download Submit
C:\Users\Admin\Desktop\StartExit.pot.sabwrkkob

Filesize
557KB

MD5
28bc2184ed42edf5fc2bde03e307dbe9

SHA1
f037afa34281a87633ce78ac5aef7dbfefe81411

SHA256
cb9caef23ddbf8cb56e2e9377845cd8054f0849a7566ab88d7aca67493bf351c

SHA512
87fc6ffec4d31f207fde53b481286053d7079ff513cea0179b1bc36b952d96e8e9d8a4ccae19cee6802cd4d7bbb3995bcc9040908cda8a012a689e63e62e13af

Download Submit
C:\Users\Admin\Desktop\WaitSearch.docx.sabwrkkob

Filesize
411KB

MD5
5dd3bf08231f070a710e8933b15eaae5

SHA1
e9b97dfb62ee59386b4ddddd12858baf5bf3c7bd

SHA256
d5c0763b5316f5a48e458c5ea9012504480b112dbea2f8ff7c273e1df3aec9ba

SHA512
04646a4aa029d1faa3ea8397ebf4ba68cc16a8d20247e46e3285d7b65af26f5de1daf2f9196e4419a98d74b5b1c01e3b4981f7d4fea6514766c21b849832e194

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
95961f0c92e586c7a56eb77a0b5e96b7

SHA1
c49c8076cc9b85cb4ece62eeb5d9ccb128e24296

SHA256
3b3e2eacef94a2e99137ea53669e5c4d8e5861e450540f760d8c7c720bf833d1

SHA512
bff2f0ff6ad52b5b3764da34827c9a7ecb9eb30ffcb5e6af8dfb820984c7fba9f5541c59a4d733d6e4ec2feca21edaa63cf50462af81c4d5225fd6df5da0709b

Download Submit
memory/1220-15-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/1220-0-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/2124-11-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2124-17-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2124-16-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/2124-12-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2124-13-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2124-14-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2124-9-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2124-10-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2124-7-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2124-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2124-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2124-3-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2124-1-0x0000000001D50000-0x0000000002399000-memory.dmp

Filesize
6.3MB

Download