Overview

overview

10

Static

static

10

8ab7965415...ee.exe

windows7-x64

10

8ab7965415...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    895s
  • max time network
    898s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2022 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe

  • Size

    218KB

  • MD5

    b8845a76e3942ff4d20ba4660ae926bb

  • SHA1

    eb90f945087c270a2ecc11753180ba4ecc270696

  • SHA256

    8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

  • SHA512

    9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc

  • SSDEEP

    6144:aC61i972rJmciP98f2H64DQFu/U3buRKlemZ9DnGAe/Ix3Sd7+:aK972I/Gf2a4DQFu/U3buRKlemZ9DnG9

Score
10/10
zeppelinpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Public\Desktop\HOW_TO_RECOVER_DATA.hta

Ransom Note
🔒 YOUR FILES HAVE BEEN ENCRYPTED 🔒 Your ID to decrypt: Contact us: | Unfortunately for you, due to a serious vulnerability in IT security, you are vulnerable to attacks! To decrypt files, you need to get a private key. The only copy of the secret key that can be used to decrypt files is on a private server. The server will destroy the key within after the encryption is completed. To save the key for a longer period, you can contact us and provide your ID! In addition, we collect strictly confidential/personal data. This data is also stored on a private server. Your data will be deleted only after payment! If you decide not to pay, we will publish your data to everyone or resellers. So you can expect your data to become publicly available in the near future! It's just a business and we only care about making a profit! The only way to get your files back is to contact us for further instructions! To establish a trust relationship, you can send 1 file for test decryption (no more than 5 MB) ⇓ ⇓ ⇓ ⇓ ⇓ ⇓ ⇓ ⇓ Do not waste your time searching for other decryption methods - THERE ARE NONE, you will pay more for your time! Every day the price of decryption increases! Do not rename encrypted files. Do not use third-party programs to decrypt files - they can only do harm! After payment, you get a decoder (.exe), you only need to run it, and it will do everything by itself. I only accept Bitcoins! You can learn how to buy them on the Internet.

Signatures

  • Detects Zeppelin payload 5 IoCs
  • Zeppelin Ransomware

    Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    ransomwarezeppelin
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
    "C:\Users\Admin\AppData\Local\Temp\8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:288
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1504
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
          PID:908
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
            PID:1784
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
            3⤵
              PID:468
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1112
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:108
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                4⤵
                • Interacts with shadow copies
                PID:1892
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1020
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                4⤵
                • Interacts with shadow copies
                PID:1972
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
              3⤵
              • Executes dropped EXE
              • Modifies extensions of user files
              • Drops file in Program Files directory
              • Drops file in Windows directory
              PID:1468
            • C:\Windows\SysWOW64\notepad.exe
              notepad.exe
              3⤵
                PID:1256
            • C:\Windows\SysWOW64\notepad.exe
              notepad.exe
              2⤵
              • Deletes itself
              PID:1128
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1968
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Desktop\HOW_TO_RECOVER_DATA.hta"
            1⤵
            • Modifies Internet Explorer settings
            PID:760

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
            Filesize

            521B

            MD5

            8a55e9dcda6d9b5b2a7c0ecaccf13068

            SHA1

            4804d35c80a15f7d63c3a143aa26778391537e2b

            SHA256

            db6cd89149e838122410fd50253ce2460444dea299d5c49b1a2f97b561b0d749

            SHA512

            c849477241bc950994dd85387f51be5e050604c7d46f10c4b9fb3bc7e308d658a08a7f3aa0b691eefb5fac2baaf7a5dd799bb159758b600e4f8d332329b44e9c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
            Filesize

            218KB

            MD5

            b8845a76e3942ff4d20ba4660ae926bb

            SHA1

            eb90f945087c270a2ecc11753180ba4ecc270696

            SHA256

            8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

            SHA512

            9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
            Filesize

            218KB

            MD5

            b8845a76e3942ff4d20ba4660ae926bb

            SHA1

            eb90f945087c270a2ecc11753180ba4ecc270696

            SHA256

            8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

            SHA512

            9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
            Filesize

            218KB

            MD5

            b8845a76e3942ff4d20ba4660ae926bb

            SHA1

            eb90f945087c270a2ecc11753180ba4ecc270696

            SHA256

            8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

            SHA512

            9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc

            Download Submit

          • C:\Users\Admin\Desktop\CompareUndo.rtf.ORCA.D60-333-FEC
            Filesize

            527KB

            MD5

            a0e46a2af6a6606eb48b7a574739b081

            SHA1

            4d9b2c2c34870e034d81717ab611a5eb108eee3d

            SHA256

            149ea1e93058e92d70956c5b9f2871e829173353433bc1e07801955091195387

            SHA512

            94475b18e073d241a207b78b836dac1a7d7764e40d61d5db384700b1e2559aa9e9094d2414803add7daa8a9d77b15777d39110dcda690d66ab2b2557cdab88fb

            Download Submit

          • C:\Users\Admin\Desktop\CompleteBackup.avi.ORCA.D60-333-FEC
            Filesize

            256KB

            MD5

            3b976b5380fc1f0a29f022a594028eb0

            SHA1

            d0133751604990c4c67dec3421ddb96a49376ca2

            SHA256

            899e50309cd14fc5ea73d61bd0edc49970084d064987121673e1332db6b80658

            SHA512

            6e6f4531c0741a0aa1d1d60a92fd2d8db6748f33ec088ef739bbab7df1bf87919b0754812fe01fb352afbba6a4c298834fff3da540e3fc766fde3a07d65cf610

            Download Submit

          • C:\Users\Admin\Desktop\ConvertEnable.wav.ORCA.D60-333-FEC
            Filesize

            477KB

            MD5

            f1738194607d5958dfd218c7e7c440cd

            SHA1

            63a618d1bb0fe8354bc3f0585e5b7abd9b806525

            SHA256

            e43b924810e67bd2b86aa601cb6d471695f7f2ad9f21372221d8cae16ba0e6b6

            SHA512

            78b03eded17793f5b86c84e2038f60b672095b2da05a2004acca851fc7d9e1f83af749e3d797ea366fd7cc841c31ef4990a5d4a27cb27148d1548de71f2ec963

            Download Submit

          • C:\Users\Admin\Desktop\ConvertGrant.vbe.ORCA.D60-333-FEC
            Filesize

            239KB

            MD5

            653d9a8b46aa0a624936dd4d42c2da0d

            SHA1

            7b574cf8974263416ce67460b7dfeae384ff0367

            SHA256

            8a25bf4092ba9562fede7c298a1e09a61894b48add2a0fd586c9bf85a12a6ea8

            SHA512

            3f59701bab3d17c215651bd28018f80e2f85bb57a2d34f42727518fa5b8827b741c31cdc90482c43e10fe7ce4e7bc33a55efb2409cf37d462e4afcff4debf9a2

            Download Submit

          • C:\Users\Admin\Desktop\DebugInstall.wav.ORCA.D60-333-FEC
            Filesize

            561KB

            MD5

            7c8ae66bc3202ebf105aa878358ab746

            SHA1

            644e53c8bb3049fc77d4acd4d4703e5fe92b8672

            SHA256

            7431934b9997485f74be49a2b53c484d5611f3537d4d97a016deb61dfb80a26f

            SHA512

            bd8036255d6e7ea326fe72578a26654e05367d982abee530a308726549d929a04fb9e2b36934def080a99fea1477f1ece8982179c3b3ecf3964c9096250b3ae2

            Download Submit

          • C:\Users\Admin\Desktop\DenyCopy.vdx.ORCA.D60-333-FEC
            Filesize

            629KB

            MD5

            83e5339a249c7982507706a9317cf368

            SHA1

            44b2f331910a10015b281818081fcdd59307d689

            SHA256

            ac1d941bb38daa6fe8ddb16737bd40344c5cb82c262903b156f95cb6bfb73ac5

            SHA512

            97f3797d8e2e4d23dd17d2c77ef7961a9784b6fefbe543854ccdb1435e40b534284396a57ce8503a58a00aa5deb3e3c1469f612ca427325457bae9ac10d9d549

            Download Submit

          • C:\Users\Admin\Desktop\EditWatch.html.ORCA.D60-333-FEC
            Filesize

            663KB

            MD5

            5ad3a251bbe141e794f4fef794c132a6

            SHA1

            41a1514d61cd1843ffc4bca991a2386152dfea56

            SHA256

            f3cd3e8700f5bae94597ed4912040269bc66942a3c3786cb9896fb0a55138632

            SHA512

            f3c17f7edbde6f7721e5f9bb284f2ebb709f8952660709cddc8106e2053ffbe82d0398c6a9bc4d02af24faaaa0c0b37073ede8335fdcd7a3441035e4406483f7

            Download Submit

          • C:\Users\Admin\Desktop\EnterMount.mov.ORCA.D60-333-FEC
            Filesize

            680KB

            MD5

            56a4792225a678e5b15a097b351976dc

            SHA1

            1b9d10d649e38f21d608c72b5fccac0f46621010

            SHA256

            6af463f9e0beb50dd0640c12760bbec92864ceb80cb0a855693c88360164fb34

            SHA512

            4880b78f87b3643d243bcddeb4094bfed9b82cf9443b6285b600fe4933b414f4e4ed86bf928684124da458411de5b6d6989a0ba6c3eb5d0dfdd34d4242d17a5d

            Download Submit

          • C:\Users\Admin\Desktop\ExitRestart.mp2.ORCA.D60-333-FEC
            Filesize

            307KB

            MD5

            009400621f006c38600402197d02c3a4

            SHA1

            d090531e6a4dcb1f5d9bf619a36bfd5b78441d8e

            SHA256

            397bac4095e667110a34ce7eff3f53022d88473aa93d0a3e523f98e85670026c

            SHA512

            55d7b1ac2637e187557917cc5918ca331962c2bde9543cc1c2b53af31c2024c2ad334c0a5cc1a4e0bba5a4a1d779353b68471677e2ac23d9fcdeeeec26e65b7f

            Download Submit

          • C:\Users\Admin\Desktop\FormatMerge.dib.ORCA.D60-333-FEC
            Filesize

            375KB

            MD5

            3988de8276005f1f57f3ffb3877b7d98

            SHA1

            1874971783c12ef60b33b2728a6b3f0a07222ede

            SHA256

            7189388b63fbb4deca8bfd7af4e00c28d621e90f70a5e73711db5fc5151a0de4

            SHA512

            9d27a6b43a7e89aac45edf0b2b5b55cff852b54392b9bf4782ca93a0ba65f05f0a98b10af74f2730d7a04f83463941b760c3fa7444f2cda110c8b4d5a326c587

            Download Submit

          • C:\Users\Admin\Desktop\FormatUpdate.mpa.ORCA.D60-333-FEC
            Filesize

            392KB

            MD5

            b9e40199d7f033ef4dee2cf772817d0e

            SHA1

            cc7e277db171887ef4ddfdc7fc5246096f177009

            SHA256

            f521e2122699ba499b2b5a1a3afb2aa7c6678461908569b25a773e2cac08113a

            SHA512

            b4ae29caa45adf5ede98d7e3492d604639fb82f5d58a12e2fb4023202b8e741da31afe6186714eb592412b1f6c3e7adfd047f308c8eba68b965a5a512f430579

            Download Submit

          • C:\Users\Admin\Desktop\InitializeSplit.odt.ORCA.D60-333-FEC
            Filesize

            341KB

            MD5

            6f3a05d1cdfddceeb7e8da93a46ea475

            SHA1

            da2c541a31e1316f6bdd463eb0fe1715941b3727

            SHA256

            f2dc2a81e29225b89e7258035a3ee0147111f426ab096084c7a044288c89d827

            SHA512

            751a18716643e0624b157e3a70efc2b8517998742623033f20af08ebb6f5b2dad0f02b062700d31c54a54e980763d7de31310fd4a3d27410a350bbdef481a4df

            Download Submit

          • C:\Users\Admin\Desktop\MeasureRegister.js.ORCA.D60-333-FEC
            Filesize

            510KB

            MD5

            8a86dc67900d15f7b8234bc52732a4db

            SHA1

            6851c32a23ab2f3a943e0a7d01227c5519979e90

            SHA256

            d72a0f2719c02798088548381a99d39dde7fc01cd77dc214139b74c24edb6d66

            SHA512

            b93d74742c6ab4c1fd3a0e952af50a906a02a4e76b0c81afefa3f3986c95a760c994738a4f7343f656156ac86e57b0b648a20545669578d86a2d9eaa04aadabf

            Download Submit

          • C:\Users\Admin\Desktop\MergeRequest.wdp.ORCA.D60-333-FEC
            Filesize

            935KB

            MD5

            5c4528cf184ec994489b9f51e78673c8

            SHA1

            9a53a66eb33d8a9d84695404b8fbd7dea9387f81

            SHA256

            df223a8aaaa1815c989399a1c6a5db790f0d5fd09149cb6fec26e83b0d9ade54

            SHA512

            219acfa6befd0f4340962cfbcb6c9615bd06fedfcc09d34378a37063f4e61db9822e387f7d10de2d36ae73a12db8ce4f9aa7ec5a9e17f8ae6176a4e4375e3b2e

            Download Submit

          • C:\Users\Admin\Desktop\MoveCompare.wdp.ORCA.D60-333-FEC
            Filesize

            595KB

            MD5

            8f68ac3aed31daae4bf748a63c14ad1f

            SHA1

            849a0619e8e509fec392b198a194edd25a18cbd5

            SHA256

            e32924603b587128a9d496e1678345acd55576b66d0988c84b130b5593be250c

            SHA512

            9a59d0682245d88a69a820e52c3d0ee4c7fb7c2db16e4c567973452c118729c69c6cf1daefaacff61121958c8b13f1bb9310cc662f3d8ad8a2e52a6598358004

            Download Submit

          • C:\Users\Admin\Desktop\NewSuspend.tiff.ORCA.D60-333-FEC
            Filesize

            544KB

            MD5

            61ae94cfe4d141a826ac7e9622eef7ec

            SHA1

            5feaec0b2c6eff8f4dd602fcb8ead36add235147

            SHA256

            bdeda52c74bf55393fb58688ac3ddad2fa7bb47c14afa17baab54ad4ab7716b4

            SHA512

            c3a9c178956116bd2b72c8b7b7c2dd2dfd47cee040313a150ddbfe956691e9ab29fde364a7275e95d6c0d916e1a00e776e6f2afa4a4dbdacca9a9ead50243355

            Download Submit

          • C:\Users\Admin\Desktop\ProtectDisconnect.mpeg3.ORCA.D60-333-FEC
            Filesize

            578KB

            MD5

            07e47c7775270baabfbd95732fe539ab

            SHA1

            9113cd6fb4c42c197b2b00a482a81a0b82d3f646

            SHA256

            3fa82b25d282b69d5eb28254affe6096fbcf85e0f1725a3f3e63372f94d00896

            SHA512

            f05832398db0df673c43daded6918e04af7e9730cbe2a779ecf34928f3fa1ace55a0c382fef4b3f5e8a63d483accfd3581162923b8b2908096da8e977414e52d

            Download Submit

          • C:\Users\Admin\Desktop\RegisterUnlock.xhtml.ORCA.D60-333-FEC
            Filesize

            460KB

            MD5

            c3f180a7d18847f9cee38bea004deafc

            SHA1

            5136b36ccdad12e4bec437cf97a465a6d87f641b

            SHA256

            ce157c7d290005f5465c799533893aaca0273486f04559a8374ac7ebd458d177

            SHA512

            aec0cff53cfa66c621d7ff4f1caab3980dc042a5911c22284542c047b0c00607e4b20d6d4ac51f0a96a5036204e74b045ffc5daa899a398d3fe360709eb1b747

            Download Submit

          • C:\Users\Admin\Desktop\ResetInstall.cr2.ORCA.D60-333-FEC
            Filesize

            646KB

            MD5

            99b412ec8e92ab3e7f02afa725aacfa7

            SHA1

            dbbc6aab29c6153620d53d718de695bd348a8ba8

            SHA256

            cc5bd2db417a1a4946a2a85f51d80bce6240c7a79c7afe69dca60168e6262a3d

            SHA512

            f2dae981f068d3daf334421d18978f8628e5452ad5450eed29ea111ea605c9be23ec2f939e9de8f3c0e4230893f7158f57dbaf265d7704642f5092971a226078

            Download Submit

          • C:\Users\Admin\Desktop\ResumeConnect.asf.ORCA.D60-333-FEC
            Filesize

            612KB

            MD5

            9661d17d7af760363d2a2887e8c429f0

            SHA1

            fe2a5751469e26aabae7f32780481261d178d317

            SHA256

            f1cb9916dbd7939a12baaa380e92a7ffcd290e77d636638079aa34cefa7721f3

            SHA512

            dc03a65077de914587a3ff8f456f865ed14f941fe306d098f864c28f6b8f75d3df02ce9bfb4a2139db201ede3ccc702f23895a88b36b6012a0a384fb43efce08

            Download Submit

          • C:\Users\Admin\Desktop\RevokeUse.wma.ORCA.D60-333-FEC
            Filesize

            324KB

            MD5

            401cbe4fcdded263d32174662a6c48d5

            SHA1

            28f000c38bbdb5eff6143ee1f61510d2ad1a50b2

            SHA256

            44f1d7c881b6aa188e66bc74febb72d0ef3d64cbd32970f9718822460d4a45cb

            SHA512

            710c99100d205ef2f74dc1bae62f6d884cbc051b495cf3c6b562a43c9dfd9df4a57d90d5da61c06ae2e3b1d616e9e6f8a824f329e17f960c05677ba2716aa51b

            Download Submit

          • C:\Users\Admin\Desktop\SearchRequest.raw.ORCA.D60-333-FEC
            Filesize

            358KB

            MD5

            87168e971090b97ac76f12ae2679b0e9

            SHA1

            f5eee93dd12970296348c935774791fa68d65183

            SHA256

            514904bba99728a5ea5e59a987a68dba270dacb261875974edf8ba6e23b0c396

            SHA512

            edebafa8efa30118fe5540925a5ce2aae89ab038fbde05b84878396c1eb5a25bc95f4f13a2dff990ebee722d43064f27392dcd642fbad228170265f72c33f9aa

            Download Submit

          • C:\Users\Admin\Desktop\TraceUpdate.mp3.ORCA.D60-333-FEC
            Filesize

            409KB

            MD5

            c423c6e01c9ca21ca1ef4ac326edca6b

            SHA1

            81c975fb3c60f621fc4eacd08862f679527ab32b

            SHA256

            e50171a435d5e95d402e1a606b74e510a8ae68f2ebfa4357f1b50b447cbdd2a1

            SHA512

            82e188107f3c5def70dd482a31eed70c2693335b7b961ccf0cba6710a00f5e8f000482cbe17e112e3a2b85f4ce29e0ca864d3cbb8213614c0cc4e4445da07d8e

            Download Submit

          • C:\Users\Admin\Desktop\UnregisterClose.temp.ORCA.D60-333-FEC
            Filesize

            426KB

            MD5

            46aa6a26b3b651fe270fb0b5ccf93811

            SHA1

            9ef7cfc4def9e19efb14d9e1d710612cd772ce5d

            SHA256

            6e06506762bf655882d65641d21144259c24c7503190b4d89f6a798de312832d

            SHA512

            3add377fd1071c47df7a08595968db3488c5bed9391695a8232091d8ea7669e7ee53cf9f7880c84845ddf06738ef5ddb2d405c1fd1585e44b144bede8b97f20a

            Download Submit

          • C:\Users\Admin\Desktop\UnregisterCompare.3gp.ORCA.D60-333-FEC
            Filesize

            273KB

            MD5

            c4a76b2a4815f3744d1be1cac5a5ebe8

            SHA1

            552a8f1247535ad82bc3645237814f2bdacb63e1

            SHA256

            f81002d2754e9c2ae165d2aa48058cd04a2d0f3dd2882f2407473fdd72dacdc4

            SHA512

            f4918f556adff8db28c2463fe28ada746d0461d96e3097a3414353b2c8c4bfc6dfb9c4316eb63f253a1913f5b6908edf2974ca90cc04baed3e178c373b8fb7c8

            Download Submit

          • C:\Users\Admin\Desktop\UseWatch.TTS.ORCA.D60-333-FEC
            Filesize

            494KB

            MD5

            1244bb82e6545dbf07385c413dddfe65

            SHA1

            1a3cf088f3eaae40dadc87fe6651e5b9aa4e2a6d

            SHA256

            5ff7d8122bbc7d3ea0088431937aa0f57e1e43151f8127d5c5229a0f8e782296

            SHA512

            1914861d718f2cf9448740e7a7d4e0b322b6cd30df60db800273a2307ed9d6639ad7540c52625554b7c31d3ff6e11a16345129d988123b9189e0d7e6f1ca106e

            Download Submit

          • C:\Users\Admin\Desktop\WriteFind.DVR-MS.ORCA.D60-333-FEC
            Filesize

            443KB

            MD5

            6c4649e809f5be845ad2cba43057a7d4

            SHA1

            59137ab9d7d7b4f63471be7342b08fcac1194f1e

            SHA256

            1644c88a4afd5f37544e3130a9d75ac5c3fa965455515d64c111b40815776aba

            SHA512

            7101e5c8f39cca06c92afbdb63da76f0b8f64dc65971d5454d0e5fcacb3708fe3587c2908c553b89d23d3eb88a6dca667082700be026a6e1374b0e0db924c2fb

            Download Submit

          • C:\Users\Admin\Desktop\WriteReset.bmp.ORCA.D60-333-FEC
            Filesize

            290KB

            MD5

            8fc2d9a5b93f1959394c6a7ebb9f3880

            SHA1

            b1c857b9f572f87583eb16e9e9e6b7fdda11caf8

            SHA256

            4cbd39196b62fa2bae6b08822f843c25042cb3564f6377dabef09287755d4d94

            SHA512

            5232098f942357f56380e22132bac7071754861a17f215d3fc6cdf82a1b7473f268804a785f569b74b415dae32d5b5850c01d3323f4ef2216b6934579242736d

            Download Submit

          • C:\Users\Public\Desktop\HOW_TO_RECOVER_DATA.hta
            Filesize

            2KB

            MD5

            34f7680700b517da82202267723d745e

            SHA1

            85e44d961a333b36418bc7d3282bf063743dbeae

            SHA256

            2c9f6a6d16c699901cb610db86b7c110310c27064c4927ddd81fd8e39e2183fd

            SHA512

            e6f192557f014770da96da467c7d541f301c7b6627e85d2a44a8d3eb183a43036d6b26f9d73c3d3f20ad2c8db2b1b1d8b2416d907566774f79371fb79555d9c5

            Download Submit

          • \Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
            Filesize

            218KB

            MD5

            b8845a76e3942ff4d20ba4660ae926bb

            SHA1

            eb90f945087c270a2ecc11753180ba4ecc270696

            SHA256

            8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

            SHA512

            9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc

            Download Submit

          • \Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
            Filesize

            218KB

            MD5

            b8845a76e3942ff4d20ba4660ae926bb

            SHA1

            eb90f945087c270a2ecc11753180ba4ecc270696

            SHA256

            8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

            SHA512

            9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc

            Download Submit

          • memory/108-75-0x0000000000000000-mapping.dmp

            Download

          • memory/288-62-0x0000000000000000-mapping.dmp

            Download

          • memory/468-65-0x0000000000000000-mapping.dmp

            Download

          • memory/908-63-0x0000000000000000-mapping.dmp

            Download

          • memory/1020-66-0x0000000000000000-mapping.dmp

            Download

          • memory/1112-67-0x0000000000000000-mapping.dmp

            Download

          • memory/1128-60-0x0000000000000000-mapping.dmp

            Download

          • memory/1256-105-0x0000000000000000-mapping.dmp

            Download

          • memory/1468-70-0x0000000000000000-mapping.dmp

            Download

          • memory/1504-68-0x0000000000000000-mapping.dmp

            Download

          • memory/1668-54-0x0000000075071000-0x0000000075073000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1784-64-0x0000000000000000-mapping.dmp

            Download

          • memory/1840-57-0x0000000000000000-mapping.dmp

            Download

          • memory/1892-76-0x0000000000000000-mapping.dmp

            Download

          • memory/1972-73-0x0000000000000000-mapping.dmp

            Download