Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-12-2024 04:24
Static task
static1
Behavioral task
behavioral1
Sample
2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe
-
Size
92KB
-
MD5
56d8d0386a2dc75b88ca52ddafbd3430
-
SHA1
165b9b0cb19bd4f849f2431b12028c179be57780
-
SHA256
9d131d41b278c689424e6713a320e8e410501b17260bdb2a6770d9e407d82df0
-
SHA512
02048a750b58befcdfe202626af009896d035a8a065d9fa87061fc85b94286e614f73a513ec436355a2edff1c56c53c40238f5f030106ebe9ab989d1c58693d5
-
SSDEEP
1536:mBwl+KXpsqN5vlwWYyhY9S4AgOWEtLXa7ujvLCh2k77Z8fDaQg9EgDCO/v:Qw+asqN5aW/hLiOWsFj0vFaDaQSE3A
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (312) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 5 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe = "C:\\Windows\\System32\\2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe" 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3W44XPEP\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\Links\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Public\Music\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\Music\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Public\Documents\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8O71085\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GUJ7UW2N\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Public\Videos\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GY8QW6M2\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L7XNHY48\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\75GKCLJR\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GFIGH6G\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Windows\System32\Info.hta 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre7\lib\sound.properties.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\39.png 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115864.GIF.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Black Tie.eftx 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199661.WMF.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115867.GIF.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_en.dub.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN026.XML 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDXFile_8.ico 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files (x86)\Microsoft Office\Office14\VISSHE.DLL.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01242_.WMF.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21326_.GIF.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files\Java\jre7\lib\zi\Indian\Reunion.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_ON.GIF 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_EN.LEX.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.Tools.Applications.Project.dll.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00343_.WMF 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMSL.ICO.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00092_.GIF.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21335_.GIF.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\journal.dll 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql2000.xsl.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01268_.GIF.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188519.WMF.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right_over.gif.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_OFF.GIF 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Java\jre7\lib\ext\zipfs.jar 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Windows Media Player\fr-FR\WMPDMC.exe.mui 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICSTYLES.DPV 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files\Java\jre7\lib\zi\Pacific\Niue.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.INF 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Windows NT\Accessories\fr-FR\wordpad.exe.mui 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBORDER.DPV.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_left.png 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152600.WMF.id-516D0299.[MAGA24@cyberfear.com].MAGA 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2304 vssadmin.exe 1760 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1844 vssvc.exe Token: SeRestorePrivilege 1844 vssvc.exe Token: SeAuditPrivilege 1844 vssvc.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2060 wrote to memory of 1160 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 31 PID 2060 wrote to memory of 1160 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 31 PID 2060 wrote to memory of 1160 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 31 PID 2060 wrote to memory of 1160 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 31 PID 1160 wrote to memory of 2300 1160 cmd.exe 33 PID 1160 wrote to memory of 2300 1160 cmd.exe 33 PID 1160 wrote to memory of 2300 1160 cmd.exe 33 PID 1160 wrote to memory of 2304 1160 cmd.exe 34 PID 1160 wrote to memory of 2304 1160 cmd.exe 34 PID 1160 wrote to memory of 2304 1160 cmd.exe 34 PID 2060 wrote to memory of 780 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 38 PID 2060 wrote to memory of 780 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 38 PID 2060 wrote to memory of 780 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 38 PID 2060 wrote to memory of 780 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 38 PID 780 wrote to memory of 2960 780 cmd.exe 40 PID 780 wrote to memory of 2960 780 cmd.exe 40 PID 780 wrote to memory of 2960 780 cmd.exe 40 PID 780 wrote to memory of 1760 780 cmd.exe 41 PID 780 wrote to memory of 1760 780 cmd.exe 41 PID 780 wrote to memory of 1760 780 cmd.exe 41 PID 2060 wrote to memory of 2364 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 42 PID 2060 wrote to memory of 2364 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 42 PID 2060 wrote to memory of 2364 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 42 PID 2060 wrote to memory of 2364 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 42 PID 2060 wrote to memory of 1600 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 43 PID 2060 wrote to memory of 1600 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 43 PID 2060 wrote to memory of 1600 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 43 PID 2060 wrote to memory of 1600 2060 2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe 43 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:2300
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2304
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:2960
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1760
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
PID:2364
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
PID:1600
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1844
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-516D0299.[MAGA24@cyberfear.com].MAGA
Filesize23.5MB
MD5ff2c89f558909f3405c18eb940745e15
SHA185a8446e6611df77c38add6c68daae059fd821e2
SHA2564d222d0e9df8c29622821f5529718f44f2e172270329a19ed50395ff253dd496
SHA51219a25967042bf36c04d1ca7c1bf0fb05bd1cb4cfd354f06ef2418578f420aeb8fee98c608b7c2282993f1f9f8205ccd46804bd13f12ac5763a647e8105397495
-
Filesize
1KB
MD59b93304e82ff1b7bfefcdba836137f6e
SHA133166bb2627f512992910a3e09f288a3c1a1de45
SHA2560a938c915325bf1e283e60c600b70580f512d1d8674f83ebb8bc27a3deb19c78
SHA5127def687bb4fbc7a7547299b65e831874eb2eae7ebb24bf6a545c619fc8466658ff5f2a9a15eace4fdcd71d0fdcff667fcaf7b71c8887c4c745484187eda91e45