Overview

overview

10

Static

static

10

1.exe

windows7-x64

10

1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2022 08:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.exe

  • Size

    214KB

  • MD5

    9df62163926e1801587b0f824add2f1d

  • SHA1

    2e4d3b2561e89844f01267bbd26383012931a773

  • SHA256

    0e3a28023ba5030fbf2395239b89ca959982bbeec1972aa0adaae6c1fb44e08d

  • SHA512

    b0ce0047a488a1df52fa7c0a4d180feeaa806858677f2fc0abe05450228aa3e00498797a7ac7f4fb9dcf442dd5cdd79e09cca42101259f0866f8699f80b4622e

  • SSDEEP

    6144:syJE1yd7WHJmcyfjtPWna4DQFu/U3buRKlemZ9DnGAevIhdiMM+:sU/d7WsvBPWa4DQFu/U3buRKlemZ9DnG

Score
10/10
zeppelinpersistenceransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] 1. Visit https://tox.chat/download.html 2. Download and install qTOX on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - 126E30C4CC9DE90F79D1FA90830FDC2069A2E981ED26B6DC148DA8827FB3D63A1B46CFDEC191 Your personal ID: AFE-8C9-254 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
URLs

https://tox.chat/download.html

Signatures

  • Detects Zeppelin payload 3 IoCs
  • Zeppelin Ransomware

    Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    ransomwarezeppelin
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4044
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
          PID:5112
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
            PID:2356
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
            3⤵
              PID:768
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3940
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2328
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                WMIC.exe shadowcopy delete /nointeractive
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1668
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
              3⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              PID:3500
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
              3⤵
                PID:4532
              • C:\Windows\SysWOW64\notepad.exe
                notepad.exe
                3⤵
                  PID:3548
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4848

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
              Filesize

              2KB

              MD5

              12dbb5eb4ce1ea3942d83f9309151677

              SHA1

              19e529c286499b44fa120d9effd8e0fabb1c56a3

              SHA256

              bca95945f5d1a63cb8fd232b3cd7cf857acdb04697b0a8537b6aaf697b1ff34b

              SHA512

              61593564ef6273b4493b8a9ef6669690f5a040c579effa26d44f2ba5977850d6afda17afba5ef80fdb461fbf4d061ec8bfb13cf6a87c5e2ed8c6c9cae3d9e84d

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46
              Filesize

              472B

              MD5

              e89c3fa7244c0f301da2fb10568f2c1c

              SHA1

              553c49cda8392207c090ce206910ee386b034ebb

              SHA256

              71c7869933d22d4dd6156019ef7f4b872263999a116b97ebed6eff4b174a49e0

              SHA512

              98858dd163a15259d3e1dbb39d1cf4df8a93ead5f0e0230bcc6957b7d3fa5b8032d31d854861793358a06f062cbe45d8efca4e484145b894dfbbd307a12c3cc7

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
              Filesize

              1KB

              MD5

              0d870ca424457579d4bd345ac1ec6c3c

              SHA1

              fc3d8924e13b4fc5eca7cabd4967eea3d4db1690

              SHA256

              cf9df8d62ec78ca20a50633047af6c913dc2d10f15823795e8d86042c7b05ed0

              SHA512

              a1e731ae03b1a2259f8e1afc86058aabb3b8ce3b0141f08ea18b6c7003c55aeb135d40bba38ebf1f76174eb1ad758fbec10841dee1ed704fb0285e36b2f7d66b

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
              Filesize

              484B

              MD5

              d87b6cace36839d6808e1a959bdfa840

              SHA1

              2afe1cd3cef468045d5d96c9f46cf9a178849ae3

              SHA256

              8065aba3d639c1bbbd9058f25c1b47264da85a84fb35dc9be018f0c5f3956f8e

              SHA512

              2a7b3e7f66dc665f54692d2894fa185bf542d40a5c271d895fb897869c38d79550a21a70ad1a7b7c5a18292e47c06e3e85cfb272b2726942765c6d910c83c8d1

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46
              Filesize

              488B

              MD5

              d9aa90f869029e5f061f3e42716486df

              SHA1

              dda4bf074ea9c7c2984bb06259cc393ddbb70176

              SHA256

              95a26f6abde55f8f239909de42c10563a85bfafa6d035d54c8ddba131154fc6b

              SHA512

              571c55bb40b3515162402525574888bf88bf2a8c8abf9a7724259bde2da6ce61664e902427805fc8c77155e5c5b670e5471608444126b18946571cb824f67a1c

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
              Filesize

              482B

              MD5

              14852b289237169aa4313492bfa7e887

              SHA1

              8fc7b77916ae0406b89fa283272da4029e0a8e7e

              SHA256

              e45f3195b5f26efdda0dca88b9c71e2751f4bbf88052cc9a319c5868174d9de7

              SHA512

              db3e44d09ecd1d24c4c1bda0696adf5b4a9ccf4f8e463723b36cf396771c6b579173e12e3601e32980a200377896e7d29e9a511630bd0b45a87b01463c4403f8

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBR7CLLA\WW9M9T2Y.htm
              Filesize

              18KB

              MD5

              6b17a59cec1a7783febae9aa55c56556

              SHA1

              01d4581e2b3a6348679147a915a0b22b2a66643a

              SHA256

              66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

              SHA512

              3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PREIF6EH\V72DZ861.htm
              Filesize

              184B

              MD5

              b1cd7c031debba3a5c77b39b6791c1a7

              SHA1

              e5d91e14e9c685b06f00e550d9e189deb2075f76

              SHA256

              57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

              SHA512

              d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
              Filesize

              262B

              MD5

              e6545ccb3660f88529716ed4e647c713

              SHA1

              ecd628f29985599a24c5c1d23083c689917dd74e

              SHA256

              e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

              SHA512

              f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
              Filesize

              214KB

              MD5

              9df62163926e1801587b0f824add2f1d

              SHA1

              2e4d3b2561e89844f01267bbd26383012931a773

              SHA256

              0e3a28023ba5030fbf2395239b89ca959982bbeec1972aa0adaae6c1fb44e08d

              SHA512

              b0ce0047a488a1df52fa7c0a4d180feeaa806858677f2fc0abe05450228aa3e00498797a7ac7f4fb9dcf442dd5cdd79e09cca42101259f0866f8699f80b4622e

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
              Filesize

              214KB

              MD5

              9df62163926e1801587b0f824add2f1d

              SHA1

              2e4d3b2561e89844f01267bbd26383012931a773

              SHA256

              0e3a28023ba5030fbf2395239b89ca959982bbeec1972aa0adaae6c1fb44e08d

              SHA512

              b0ce0047a488a1df52fa7c0a4d180feeaa806858677f2fc0abe05450228aa3e00498797a7ac7f4fb9dcf442dd5cdd79e09cca42101259f0866f8699f80b4622e

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
              Filesize

              214KB

              MD5

              9df62163926e1801587b0f824add2f1d

              SHA1

              2e4d3b2561e89844f01267bbd26383012931a773

              SHA256

              0e3a28023ba5030fbf2395239b89ca959982bbeec1972aa0adaae6c1fb44e08d

              SHA512

              b0ce0047a488a1df52fa7c0a4d180feeaa806858677f2fc0abe05450228aa3e00498797a7ac7f4fb9dcf442dd5cdd79e09cca42101259f0866f8699f80b4622e

              Download Submit

            • C:\Users\Admin\Desktop\BlockCompare.css.colambia.AFE-8C9-254
              Filesize

              370KB

              MD5

              2b029ede9a31013ed942456ba5ff8e58

              SHA1

              40055569d057127099f2d4718967a96312a7969f

              SHA256

              074a4060268fcd6dd1c6e7853da60e7a38d32ae0d202e27d7d1e643d669aabfa

              SHA512

              01bc5f2c227a4d486ac2f04e199521fa4a43c71e57decb38d8593c79fa5775b47e8c3ca6f0bc16a99b2fc47c3ed468118c7405f0065dc70b55c32394ea06d3aa

              Download Submit

            • C:\Users\Admin\Desktop\CheckpointPop.odt.colambia.AFE-8C9-254
              Filesize

              393KB

              MD5

              4e4a8dd13d698990b9845870b07bff5f

              SHA1

              3bae2f99bde1977494c65eebf9372a6988744f3c

              SHA256

              a3afe54efc21d91911a606b1a0b06f9a2f6e1436cdfeba13ac954a2226dc7505

              SHA512

              9da9a2f472972230da645143463e8168417a0f8e3f9e54cd8097e29dae24e6589b4ef71a127296b67b723bba42b3a1fb350ceee689704bc700b8916b255ef3e3

              Download Submit

            • C:\Users\Admin\Desktop\CompleteBackup.ini.colambia.AFE-8C9-254
              Filesize

              416KB

              MD5

              0eb2ed923f30feee22cfa4a46f5ac03f

              SHA1

              3419117f4c20f50bf775bfc0302f2e90c3b5f71b

              SHA256

              ce9def82633629dc200548487bfef7dcf1b1c14c36c1f731214a1cad7232da1e

              SHA512

              bca211fe2bb4a476919b316d470f88d4f02b0bdb384ca1bc7573284af0f5bd55aae459a2ae4873a2f6d0d5902d98ecffa42a76ccefd07bdfa322af91f102841e

              Download Submit

            • C:\Users\Admin\Desktop\DismountAdd.xps.colambia.AFE-8C9-254
              Filesize

              301KB

              MD5

              da4b2a1ffc478bc8bcf1aef12eb32b92

              SHA1

              d929de6d1c7edb822c4f3789b551a7a4cf4fba7e

              SHA256

              33499e5d107ea95ed994dff4e0c48ba0d78e616072fa5cb771e03dcdc1e5a0dd

              SHA512

              fa44339e9b25c37492018d2829d1d314ab9c8e2228c898669e5af172ed0fb3b62117a0e84805abdfc7345ff6611f7544b51dfe34ea645a329c730902b5e840ea

              Download Submit

            • C:\Users\Admin\Desktop\EnableRedo.mht.colambia.AFE-8C9-254
              Filesize

              554KB

              MD5

              1d1f39fbb3078fb66d5a73e7b6fa804f

              SHA1

              b5e2bffd5aa955879f96268c6284fb9ec48a1877

              SHA256

              5fbf250dc46c47ac47563efd450c7d927a5e04c82bb8bcb65ce9df89cebfe734

              SHA512

              3e2ebcecf954595883f991610ee90ccfeeb2adef7fb89b747282e4733982fb54ff8cb3a4e7ac8611be6044a3321ab938f51afd26db6cce7417dcaf5d6b1e19dd

              Download Submit

            • C:\Users\Admin\Desktop\FindSelect.vssm.colambia.AFE-8C9-254
              Filesize

              600KB

              MD5

              a9a53b9237ec3929c6e2c03ac40371da

              SHA1

              f48c1f6baa97ff3dbc018f7aaa92e62e06bd9526

              SHA256

              ba6f0721bd97c45adfddd242183d3aec472f02af5ddd74c6051994e115df34b5

              SHA512

              f19b72c4849fb07c0965a4e28164ad1be42bdbe4edab648dd2d3a4a741a12fba2619a02cedf787565abb0a6e888023c0cef0bcf81a09a47eadb768092cac99a2

              Download Submit

            • C:\Users\Admin\Desktop\HideGroup.css.colambia.AFE-8C9-254
              Filesize

              255KB

              MD5

              d31e3507beb4c0c1bd94434a9272232f

              SHA1

              0d976635f9e0521a83dd69e2b46e570323fe2b94

              SHA256

              a7b870c3f3cf1ab6e89ab6d0e36ad2d029c0a98b891890ab6382eeb0a3ceb367

              SHA512

              502e0a5a7dd336003292b9637baedbc2c35cf741b7aaa32cfea6d7a1bc2da4f87e38e2c68e1abea85bf63a9a7406db59077f613c63b861ac46f8190239ea1c4d

              Download Submit

            • C:\Users\Admin\Desktop\InvokeResume.mpp.colambia.AFE-8C9-254
              Filesize

              485KB

              MD5

              237f70e0473380b4d59b73b2c29e4396

              SHA1

              60f83d55571cb38be9dbcc8bc2c66ed9b6a59a4b

              SHA256

              d262de12bff6bac5e6081dbe52a44d6caef897f68bd3066e4e613b325cd95bbf

              SHA512

              0da0c2578f0fd1b66be10aa4222bb2f057a2a314e020f675954807223b3efa329d2046c62980eda16ed7fee324ec65b9d2013005c3b47e699158c3d03f3771fd

              Download Submit

            • C:\Users\Admin\Desktop\LockUse.dxf.colambia.AFE-8C9-254
              Filesize

              324KB

              MD5

              7ca5d63c86f4075d5c4da40958e4ce46

              SHA1

              3f273fe1a224d4eef15f2406613c1e0be8e4f3e1

              SHA256

              71387fcc01992ddb4747165c1ccb5c9878ad2c68573d578254e63430f4038499

              SHA512

              6c9fe5f538f1ec98ba5e2d455ab54b14a81a2e169cd4c8830cfeb7837aee18a989e4fb302705d2927668d69fcee4be08511d2e15475031e90feef41eb3a68f54

              Download Submit

            • C:\Users\Admin\Desktop\OpenEnable.MTS.colambia.AFE-8C9-254
              Filesize

              347KB

              MD5

              41a2eea6f48109ad8410bae76d4377a0

              SHA1

              90cadb82238d875c400ef719fc3391ea9da3153f

              SHA256

              77a76f3f71b72beebbb3158cb7f2988182fd229b77f8fd70fc8a8365e96c493a

              SHA512

              f2d684adc24be82b5785739c6ecfa4a09676b741bb93fe9b928c00ab550bff9cc96956b9b5174c6f41bf6016a644f156bcbb5473f7838fdf4d66d5221a62c407

              Download Submit

            • C:\Users\Admin\Desktop\ReceiveImport.TTS.colambia.AFE-8C9-254
              Filesize

              462KB

              MD5

              877d56d7a588604060a5124bb0e6aea2

              SHA1

              7f15be5134492f2aaaa085e96d306598c8fb5446

              SHA256

              3147eca137b46a63174de4f718f0f78227637f2375e934851fbf40c0a0d5f6e7

              SHA512

              2c02ce4b9d321e5b621800286b68b067dbd8604826cf88897340b62fd3769d81be9ce18f1b7f15b07ae96528b501e40d46f801aa9ed7c518bbe5c503c7a93182

              Download Submit

            • C:\Users\Admin\Desktop\RenameLimit.AAC.colambia.AFE-8C9-254
              Filesize

              531KB

              MD5

              fc5e46549afe793374b60f0d7d4b8f93

              SHA1

              a2fb12e473077171b0e0e68dcb2cb30d7693fe61

              SHA256

              b340b2720e1127ce90f518aeacf371c8f8996016946da62d7e29887470fb312e

              SHA512

              5da914f1e75dc3ea94a32e852490e0fb3ecef21fbd82a99b0b0a310128b08c7b6d95ece1bb01ddfbc3c1f2325bbd8178b79c962dff1162dbcd15d6fbff16658c

              Download Submit

            • C:\Users\Admin\Desktop\RestartRepair.xsl.colambia.AFE-8C9-254
              Filesize

              439KB

              MD5

              8dece5c84269b3bbddf1d5351a8a261d

              SHA1

              968b642dfb723ba93dd867cca4df961991fa93cb

              SHA256

              729ab9d6cea8e0c9bb5138b5a7192c5115a357fba7fd2f5ee13b3042ebf924db

              SHA512

              8e7041320c144ff33f241e336684aba5db7e1c0c4324291d2c3352ee6f97b692745f99671b59549e7f3809ebf39a793fcb9f052869e9baafb0adefcb405e19ba

              Download Submit

            • C:\Users\Admin\Desktop\SelectCompare.ico.colambia.AFE-8C9-254
              Filesize

              646KB

              MD5

              b00aa398a896880045b995209af6976a

              SHA1

              4ec496c168a9314c5147fe15d7a06497cc88d717

              SHA256

              322c9560f437eddffc2808b43fc1b6a00675d7918b36788273d0e521dc97c307

              SHA512

              23553ef3f27ab4aa16701b8f4c3c42b026b8e45c468358df0ae41253386d44ba08c674a8899553bf47e463678a0d05f53cf565c6afb1c22a63ed2b6a1dc3e143

              Download Submit

            • C:\Users\Admin\Desktop\SwitchInitialize.WTV.colambia.AFE-8C9-254
              Filesize

              577KB

              MD5

              fcd1b815a224a1eabcfe773f411f9610

              SHA1

              abddcc91b81f8806daf8527c098c0f1c940c3bd6

              SHA256

              b4cb6c5042d245b79c67c6aa4a2b81344ba4288a77bcc4cb3d38fe0d8e6a2db2

              SHA512

              d4fc42e5153133b2bf5f9fbeee2f69bf59ca2de04a7a94b065e7d10d5708d1b15713f8ab019ceeede6b81100ca9cee056bb7d13e8ca3a188621192f5186d4430

              Download Submit

            • C:\Users\Admin\Desktop\TestRename.gif.colambia.AFE-8C9-254
              Filesize

              278KB

              MD5

              c95b4184aa0e48b7ebdd181fadbd7c45

              SHA1

              7d7098b49f8c5a3da97443ef60539c133944f1d0

              SHA256

              d6eb5d65854ceb6ddd897a1d3ef5130ea57884ee2d2354b55c43a256163f7b15

              SHA512

              3cda32fd0aa29a3ecaa6f7c8c13015a286a10751e5cb96fe148599c39fcf4ef65c82f2ebd647e4f3b346b558c7955e367d78f7b04e0b099ddd1ef83db05fb98c

              Download Submit

            • C:\Users\Admin\Desktop\UndoOut.htm.colambia.AFE-8C9-254
              Filesize

              623KB

              MD5

              581f948c0d9b708e12e6aecb8e615bf1

              SHA1

              231af86d4b024c323c9f998a8fdc8fdd772f433c

              SHA256

              c565d8422aee60134faa0a3ce49c41042f4219b4f32169dcd6f3aba7bd923c17

              SHA512

              76eded5bab13ed395d6726682a064991697e4900c7440c62921d9c27e19d8f720ed09a0a5e93a5abe815fa445a1029ee8cdfa89b377016048b5618a7cdae7e25

              Download Submit

            • C:\Users\Admin\Desktop\UndoUnprotect.vssm.colambia.AFE-8C9-254
              Filesize

              900KB

              MD5

              b9b9cc9d9d6cbcea77883ff1aff461de

              SHA1

              bc721aec49f5355fa0662994b4db8d7e34fcb9ae

              SHA256

              0fcae12f9ca70c7e144a4a5629812543ea931267869b12b2adcb16210e783c7c

              SHA512

              ab579bf63e6e22dea775eeca71976617e4fe965e781738520c1c1a88a52543a662bbb473755cc50dbc4cdbfb3140fd8b27c9f6ba757ae91c9afae32c0805b69c

              Download Submit

            • C:\Users\Admin\Desktop\UnregisterReceive.eprtx.colambia.AFE-8C9-254
              Filesize

              508KB

              MD5

              0e0b13a924adec6b8c5cd66d5f633af4

              SHA1

              a2e2b55ad7c94026c0ab9dcb47752dc03cc9eae0

              SHA256

              3571779b78b11ab0e2dca4ddcc3f73f59fcfbbd29f8bf7e8b90bcf5e472a1dd8

              SHA512

              3b9a8f89036015a4bf53f503d05f315191f89b87eef3720027c0bbc18e3d90760969fadfafa458b27e6640d4f6ae18a9f9199a3c66b4d020e4d5fc74337b915d

              Download Submit

            • C:\Users\Admin\Desktop\WatchEdit.ppt.colambia.AFE-8C9-254
              Filesize

              232KB

              MD5

              392a345e34f98bf38fee4d568e3ccb93

              SHA1

              9a6bd283a760add541c7ea1df40375c3d4f73dc4

              SHA256

              3ead842cf86b708d18ab77333b5322dc2c778b7e8668f74741f60e801b7c29aa

              SHA512

              2019dc5c69ecdd2f444d698b02aa21775a1a842fb33452d9013e07212fbc8dd3fcd78d09fcab38af543aafcb0a141b410be21a603756f994e4bd59ef4af7eca0

              Download Submit

            • memory/768-147-0x0000000000000000-mapping.dmp

              Download

            • memory/1668-164-0x0000000000000000-mapping.dmp

              Download

            • memory/2320-132-0x0000000000000000-mapping.dmp

              Download

            • memory/2328-158-0x0000000005C70000-0x0000000005CD6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2328-154-0x0000000004D10000-0x0000000004D46000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2328-162-0x00000000067F0000-0x0000000006812000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2328-161-0x00000000067A0000-0x00000000067BA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2328-160-0x0000000006820000-0x00000000068B6000-memory.dmp

              Filesize

              600KB

              Download

            • memory/2328-159-0x00000000062D0000-0x00000000062EE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2328-157-0x0000000005C00000-0x0000000005C66000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2328-156-0x0000000005370000-0x0000000005392000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2328-155-0x0000000005530000-0x0000000005B58000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2328-163-0x0000000007820000-0x0000000007DC4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/2328-152-0x0000000000000000-mapping.dmp

              Download

            • memory/2340-143-0x0000000000000000-mapping.dmp

              Download

            • memory/2356-145-0x0000000000000000-mapping.dmp

              Download

            • memory/3500-149-0x0000000000000000-mapping.dmp

              Download

            • memory/3548-185-0x0000000000000000-mapping.dmp

              Download

            • memory/3940-148-0x0000000000000000-mapping.dmp

              Download

            • memory/4044-153-0x0000000000000000-mapping.dmp

              Download

            • memory/4532-146-0x0000000000000000-mapping.dmp

              Download

            • memory/5112-144-0x0000000000000000-mapping.dmp

              Download