zeppelin | 88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

Resubmissions

03-01-2024 15:08

240103-shylyshgh6 10

03-01-2024 15:05

240103-sf7rvahgf3 10

03-01-2024 15:03

240103-sfclpsfdcq 10

Analysis

max time kernel
0s
max time network
149s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
03-01-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Size

211KB
MD5

bab201c1a2c8e0f99e683591945e7e3d
SHA1

90e57172d463dcd6df22d2bf96a6b265a7fdec65
SHA256

88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
SHA512

d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
SSDEEP

6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 8 IoCs

resource	yara_rule
behavioral2/files/0x000900000001ab37-6.dat	family_zeppelin
behavioral2/memory/3920-10-0x0000000000B80000-0x0000000000CC0000-memory.dmp	family_zeppelin
behavioral2/memory/916-14-0x0000000001200000-0x0000000001340000-memory.dmp	family_zeppelin
behavioral2/memory/5008-8027-0x0000000001200000-0x0000000001340000-memory.dmp	family_zeppelin
behavioral2/memory/1232-12468-0x0000000001200000-0x0000000001340000-memory.dmp	family_zeppelin
behavioral2/memory/1232-22165-0x0000000001200000-0x0000000001340000-memory.dmp	family_zeppelin
behavioral2/memory/1232-25827-0x0000000001200000-0x0000000001340000-memory.dmp	family_zeppelin
behavioral2/memory/5008-25848-0x0000000001200000-0x0000000001340000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4968	vssadmin.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 5008	3920	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	30
PID 3920 wrote to memory of 5008	3920	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	30
PID 3920 wrote to memory of 5008	3920	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4428
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 1
    3⤵
    PID:916
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1916
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:168

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
PID:1984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2920

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif

Filesize
9KB

MD5
30d2d54faf9dda09f602030924c6f8b9

SHA1
0c58feaeaedd0f4017b39c5f903bd4b86e333c83

SHA256
dfef0aacb5add055ef3a8d7b1c5d883d156c8492fdd1c04ae2d2f579e82a4048

SHA512
e3bdd75c162e17f3e883b8c12c7002d65b7a1a99dac0cf6bbcd93cf476671f57b4203e3d0e3a807f605ef18c46f44cbe35b12c5580f3fa5957346cb8aff2ddc2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png

Filesize
16KB

MD5
0e263c5c195acb0a2e81c92fd43cca92

SHA1
8e3f7a9a5054e1e265dce0534e16a9651fc8f7db

SHA256
1bb90932922abcdc54cf28c75ae1dcf2a45c90a7e8c30399c0e78ac7339b54d9

SHA512
8ad8cad691de0e54bf2eb8508d81febb061c74525898a7d3019d47b3add39a5ddcbc928d4cea55c3034471d6abd4a2b723ac994316727ad6519673015e7ac199

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png

Filesize
9KB

MD5
ed59c880e035c71c5cb52935b15c10ad

SHA1
ec0c557a1e16e2689eb17ac881144f76c5c892da

SHA256
1ed355b5d77fa8b7d235eeb4518fa0eddeb229e4f48317fc1c9eee5e525a1fc5

SHA512
297c5ad6527f9a130cab33935b0f93f9d86d907b943f80411d49246dc39aa67036d6a0b9df7d565dd2d992df505407257aa6c3705230a24a620ea0bd71f3c51e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons.png

Filesize
9KB

MD5
2fdd49eddc1e5a04b1864baa605092ac

SHA1
e3c98a7f75c790f3d84e3430bd3c474fb64e1a08

SHA256
7b9c4e6c5cfa002bd358c34ab244a879aa5e4483ae23ec88a62aee2e775aecad

SHA512
fe85f753a4fcef9e99c41253e5ab53eccdb78da80ba67a6fcf6b2f0621fe61af4d2989b1fc9f30bd34f73259e2250467693f7526069e7b9733c88ea482206801

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js

Filesize
6KB

MD5
7066bf92d371b44c2df8632331a4da34

SHA1
9fb6e5fc5c497ba6cf23ab0014db03b9cf417cbd

SHA256
9a10f132532733a89a7fbc3873efafdbd6c97ac14eb036b96129815e8a82714f

SHA512
db1a91275073df41f21275d524a6e331e711975a880794cf12ee2741a443fd4cd791a34962db80d17fcb042a22fa13b4f0ebf9e0c0323022473f0c0303db5967

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
57d5986a48c2364fc488fd962300bf50

SHA1
f418b92f8966e77f469f16de00b6d3444a049c03

SHA256
a6b58ee32555ef4eaa18d4c484689039296a741bad42c3aa36d992f8116d9b17

SHA512
d09a9983c7a332b4cf2bfd7026862d334c7cd926101a1445b0ce688a21061c817e115f6e5c0db8990284df6d6bbc2b9ab2ad8bc9bd8b63f9703c646520409099

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\AppStore_icon.svg

Filesize
15KB

MD5
cc87cdf04ab78d0869f61b60999862fb

SHA1
b3a8f3f5266d97a650f6fd5af657e91bf1774f8d

SHA256
8938e48644fddc438f372edff9b90c10f078cd929ba0a131b225323dfbdb2f14

SHA512
96ba6f0bab0833d42c75e878d6ec0b60338343dd02c113cf4bd6c5dd39f7582cb8f0aa8e885175f21b9c9fd0048a152376fa569d694f7a10c9e98285702a5df8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
381KB

MD5
5aef915fc1ad67ed6728d459cd95e543

SHA1
7c0aeb985cacf587f39f7d479e51d785d356d125

SHA256
5bb0d14a768f7ca2537e51c8b8751698ed39f07ce51bb5be400d7c2e55bf107e

SHA512
fa1af764698019dc5121b316b1b99d74afd7e44ad733c8734cf1fdd4ddb3a75284757718ef7d50928187e3978462efb461752b97343f2e4720abf33c6357c7fa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
58b1d9d975714ea7937c059cb03c16de

SHA1
30f3d077f461878c91abffe2c67cf8bfc6a224d4

SHA256
c46a647179d986b37516047653e5022ea51f67229515a4a9b4fb10a0c3dc2bae

SHA512
c79fde6a5a0ecf0aa490eae8a34d48949e8777ce9ed5ca6dae67f8a26d64e2ca27f9d40f9846334385080732813bab83973efe451dd405484a8f20cda295eba2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js

Filesize
14KB

MD5
29a6ff6b7d1553aaabc1ce128e209da0

SHA1
adf01425044b9a80f01b2d779720070ee18f3d01

SHA256
c707fb05562a4bf75f1d151bae1906c483ae7fcc60b5a7e98b0b9d9a1a7f8d5a

SHA512
4c21dd8a670bafe3315f9c84cad397342631492117753d1b45e1268b180e23a8527223158a116848df1270c6b7adeb7cbd4c5f751ea8425f4da8448f6eada38c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
566638d347cf8a805927fc601fc2de78

SHA1
efc4f20f6a0749ccb4d13e15235e526cbd301ccb

SHA256
3d8ee87f0b4a1448318228f20b075b523bee89acaa5e05ed4054e4c41510a124

SHA512
178c31804045f9ea1874d759c8b5226e4ac9007823404fb11f58eb2cdec74b63848cfa9a5299377d227e8280d41ac3d0f6158b9754db4a825e583777c3076a31

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
18b7fc0447dcc11f9dd47b43af19d5b4

SHA1
4632a475b05ab3fd7f2e0973712cc35c4794b324

SHA256
b6be75168a21129fb8df56f8f2722fc91666d5007e7e8701cf3aef11d7608c3d

SHA512
156fe4bf329bf8bdb815bbb7db3bcbf7895f6d2155a33691f2813e0e4b037f7146bdbfb6e508ce464a3278ca8dd7ca63ebd79a10c3f263a8a5d3baf1631ea485

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png

Filesize
7KB

MD5
fe7dc4991e1e3f245ed60f71330973c6

SHA1
84007bff871d0d250b9d30a0e57436d61e73d8fc

SHA256
ed239057eb079e401b005a9803e57338e5f6c4a20a79a3abc7baa35f068281d8

SHA512
2867e82ba46269f3f7322f51b4434ff8c16ed2e3135df3ddc7e7944af5a3c13cd6cd453f03f52517d1d35d71b2a575e7108512762e67eddfa8db95ef3467cf39

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
ad18d92259205d56343f17568256268b

SHA1
d2ee6ddebd6576a7327a437dd11a13a78d69130c

SHA256
f6d1c7339e88215e06a192ba1f68eca5af2db6fb482ce8ae59e4538e594adcd6

SHA512
095d596d9f143cc846d0aa56bf0af05c4ebfd2fb16fe4300218c28764ac846e76658a6bc772c8964b07850d83d377a9137c7fa43f38c0946b121805c015edb44

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
9749a8afb1bb1325664add528f845959

SHA1
a4d729eaa2dcc64d383f206f02f63e3e198f2cbf

SHA256
9ea86c9ebc5afcff1def4084f0c759fc0c09202f4b3fd7c29b0aa0be0928a7fd

SHA512
d087165f95779bad9ae5ae40e6e2899f209bbab2ff2d665e70a814fb8e9a12de53aeb86b6b334620d6ae2a9dad194e0d69bd57a72d2a6706b09041a8e029a820

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
d6014977002e4783ca0d1bad6fd40567

SHA1
828e7094660cceb33b01508dea612e58793709c7

SHA256
d886dec89441595ed17d7df167d1f08ac7e07eefdddfad579eaa8d5b6a92c31d

SHA512
7eb61e789938f8509bf276668996b6c23a50b7cf8a3fd803838c00d5cdfd516ba10e976d54b68e8e560c87c90e3e839f820d79e49e7c172ad84cab82329f595a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
19KB

MD5
d4fd526c9a18dc2eb8d64e9780bb7bca

SHA1
8eba0de04a455b1da12df418a7080e9f1462385f

SHA256
bdf2ec4ad2d4d5502bdb139b7aaa2caba099d81d9fc1329931c46accc6c3c7da

SHA512
c10675bb12993492cecb6d780b2a60fde8bdbac070fd68468e9ca5c3d4dfb65fd18c157394512b8338b2256a1eb17f128edf0f5898311aba5214309cfe523531

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js

Filesize
23KB

MD5
82867f9b2cb5cdfb47ed106c1b48221a

SHA1
24184939c45bdc00b2dd8499dad231aef2bed135

SHA256
e5918919d4be1b7a13326b2f209fa660bf4e00e65b882b2b1bede45d8408f95d

SHA512
3b4b4ad25555119ed65382218e790a7768d3e31041904f4d02310e7ef10a65d57ea4bf503e1b1b42fae5651305963d07fd49d3683784c0c6da425542cdbb1606

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Filesize
211KB

MD5
bab201c1a2c8e0f99e683591945e7e3d

SHA1
90e57172d463dcd6df22d2bf96a6b265a7fdec65

SHA256
88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

SHA512
d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a

Download Submit
C:\Users\Admin\Desktop\AddWatch.mpeg.11C-1F1-41F

Filesize
761KB

MD5
979e70821385ef5af4d4e991205d6b66

SHA1
1768d62595bb398be2746ce3dd2481b573c99621

SHA256
f65c0e04c0898c14be8d9ae50c12e3a08d19e843a2d0039fb97ffc3a227b1eee

SHA512
52b1adab28ef91bd3042d318cbbf8243f9da97eb0feb21eb97b4b3a84cad022405fb76e7fdeaddb5fd7ae61304a7eedc990a8fc5b07618a33a86e1af507c5e94

Download Submit
C:\Users\Admin\Desktop\CloseSkip.png.11C-1F1-41F

Filesize
705KB

MD5
cce68529294bb465c5acffc2c9960914

SHA1
da4547016f56a7aa0570de8945bfa35d979832e1

SHA256
2b8574a373a91b71dfb4baea16ce8c1dcca8f4a4f27f3873f914d08ca5243178

SHA512
bd38b245590be2e1041b7707ebc4cdbc701d612c10a9f52e2befa1b7ff7af82b5cab7c99ff8989c9f668f20a4c5827fb77ae1030b02c3cd580c91b228b94692f

Download Submit
C:\Users\Admin\Desktop\CompleteUninstall.php.11C-1F1-41F

Filesize
621KB

MD5
3cc7f536f0d634233b49cdb760b1d2f6

SHA1
a2fafd1b1514f5a2b43a6a4e47186c558d9906b5

SHA256
02ac9d02e3e52b3e07e27bd69ee49ac526832723a9c772e63ef238fd0459af92

SHA512
78d18eee068d18fa685b8949c468c83ff637affd5e7fd0be85eee6207675bec0e331b5540901eeb3294fd4241abf1e03a9b7d2953eff754c8cc9eac98bac56c4

Download Submit
C:\Users\Admin\Desktop\ConvertAdd.ps1.11C-1F1-41F

Filesize
480KB

MD5
b1475dbc94c42bd2401de0a63cd30554

SHA1
a25dcc97ed140bbad58443b5488edf7cd7d94e4d

SHA256
581a9cd28d2ac5ce190392e9020069de7955532dbc8e6f1be75149edb151428c

SHA512
b0268c181e5aa62207809fafdf309d9d298d9cb7c97d3c53971fb26f9d56169ddcf0f422d4b689fd782974d6dc5825a9f9f54c3d4a37867bbaba6ef1fa712c4d

Download Submit
C:\Users\Admin\Desktop\ConvertFromInvoke.wmf.11C-1F1-41F

Filesize
311KB

MD5
ef3115398eb9e6347f99d2d1e457d436

SHA1
7f16b1ee9f693166a607df5dea99b706d12ecd5a

SHA256
32e069e04e1e035231cf67e50b3e4a3b68b4c1140153a6ff29cc84a2fa12ab2b

SHA512
be5eb90a2a89550669b2b32417a0d3ef2a7ab972b58479ded23555ef53137c6f013c7ebe8542a218220ee8c035ba5da5cd4c951748869cd9a48d8a137f839639

Download Submit
C:\Users\Admin\Desktop\DebugGrant.potm.11C-1F1-41F

Filesize
424KB

MD5
6e811c74bcb99a724d4f910c71b95771

SHA1
226dae5912c5c652bf4703ebf840399f30e8d32f

SHA256
2e53e3e6db4112538d5adf2ca48db9cecdd2564800adf759179e188403eb777c

SHA512
902274ff22f00c54fdf35be616b2c0cc00251c2a09f2a0cac949a64f604042426b1e7c4b82e60a042f1f8534c4e1fee064a6125610f3cf404aee08a5c2cffbb0

Download Submit
C:\Users\Admin\Desktop\DebugResize.rle.11C-1F1-41F

Filesize
508KB

MD5
16f5c531ba377d9d5b7222d4dd13a601

SHA1
d916e1ec5cf85111300f56aa7d3e729878a9afd4

SHA256
d23813a7cb89fa805d38250ef8e100ece1890ef9b35519f0a5adc97c0b0fb5da

SHA512
e9282a5ac914e0e8d3e84314439dbf2f2f825f4b35a9ab9d7995acc753cd2177e0ffa94500ac9a80e2ffca29709576b388cc4550e812061e67519d924950b2fc

Download Submit
C:\Users\Admin\Desktop\DismountLimit.vssx.11C-1F1-41F

Filesize
649KB

MD5
6df70482ddf956b269858028358541fd

SHA1
9ffa2123970f2c129a75fc6e69ccd118fac12f85

SHA256
5ebb30aa2d6bc9eb60612aa16cd69bb145bd75ad6408eeb47244402e3328e449

SHA512
d3298ed32c05744b29729de4453e85e3895ffe0cacfaac7cf3b3995e0e7661839b350acdbf719631803c39f18306e61d0608c596dc7e5f08966999b1bc929495

Download Submit
C:\Users\Admin\Desktop\EnableCheckpoint.bin.11C-1F1-41F

Filesize
536KB

MD5
1c1ebab621e23979c5012f3675cf37f5

SHA1
63da6d459e9c539b73d9d8c660f70544d41131db

SHA256
530ccffb8acebe1dff6763e87a7af743ac8f6d19e1ed1c05847e62a4123b91e3

SHA512
bc2fae3dc0131b78159f98f6c7eebd576f1fb9068b2f3ae667ad6667d5760db11a7a743096bd84c80b5b71700dbb8ea80ea0872e929cbc938dc0b9fbb9daca09

Download Submit
C:\Users\Admin\Desktop\MeasureExpand.vsd.11C-1F1-41F

Filesize
790KB

MD5
405de05255522e30225128726dd33cc6

SHA1
26d4f958e2961037a9bc7317d2564ffcadbb5ad2

SHA256
8d2ab6ceb1dea3a81884cee5945be3f31c7da1d64365328e49b9e847675d288c

SHA512
8ba179c186a5aad60143d25b279314bf3068e414202122915897f1df85169b3d26ceaa953ac26f6cbd2f8c8dc0b423bf1660c29a220c415ad5e1ba5ac3dfdeb9

Download Submit
C:\Users\Admin\Desktop\OptimizeUnprotect.vdx.11C-1F1-41F

Filesize
1.1MB

MD5
047782e1fd70511a8232573600207eb6

SHA1
15989f6bb244b2730350f5b29f0e2311f8088de6

SHA256
b9c6f1d328270a2370d3da997b701d28ebece6ede94ea336f10bca7789a771c0

SHA512
f27cac6ce0e3b8ebe0a8bba9ec6902b49369ffe036c0f3a8335663506c93c8de8a8d37a9d913b0c0657b8a2804ddc3a79070cd4a998943cef40b943c2ac5034f

Download Submit
C:\Users\Admin\Desktop\OutSwitch.xps.11C-1F1-41F

Filesize
283KB

MD5
1634c5ae50dbe7f091d261592e0a5223

SHA1
3501d9506a492e992019f3d69b90de21802f87dc

SHA256
c344011911d8010299f5bdffeb851985921c25f48defcc288b7d529baa59286e

SHA512
233e7f82741c631c173ba4110e7fe92d6cbb7cf8a1c6a09745608bdcfefd65c683a08defbf15a5bcf0bb33b433ef283a4ad4ff742ba6907dccb237504d5f3b18

Download Submit
C:\Users\Admin\Desktop\ReceiveApprove.bmp.11C-1F1-41F

Filesize
452KB

MD5
8384fe01c3bce6542590c833b309ef83

SHA1
a028ef54f6c7b31b80f12a8840f3d7d19ebdd3bf

SHA256
74916855d0fb9fd99f69367056be7c8184bbef29c3645b7451636ef8cb94391e

SHA512
b96f249098c0dab54e830d32c11b80c1c59627a8f066ed798191e9637c03dd9c61caf237617fcae5da6968aa9ccb6896be5f339c16b0aab50312ca8a72fcb927

Download Submit
C:\Users\Admin\Desktop\ResetInvoke.mov.11C-1F1-41F

Filesize
367KB

MD5
bce525b66f876c02fddc3cb6d4c20cee

SHA1
8e189bb0978a24acc702214d99fc28c6e7dd72c8

SHA256
920214e43674e14dbcd6c734d557ed00ce9673020b84c6e576322fc262eebfd8

SHA512
1b1ed218f1aa1dd31c30e3e9926b9478b2c37cd201a2c251387c11e393bb825d5c4b2641c7eb7397dbb02ee6635297bbdb912ced43e08c33831b126ce5fc3ded

Download Submit
C:\Users\Admin\Desktop\RestartUnregister.snd.11C-1F1-41F

Filesize
733KB

MD5
002c016d04d94bcbf46e6c2c3bc56cb8

SHA1
1911f802b22f28fce810f9d0ee0ed785565bc9d2

SHA256
f18b859d62155772cf87105bc7b9bdebb84f112fa5ce1e114d017e45ba5b54ea

SHA512
fc768fa03405d301c978a11ad30972ecbe32198b9ad07de60878e5c178b879413ab42042cc6f22756d9b3872b0b69c6489b23648c542c442a37312f46c28590d

Download Submit
C:\Users\Admin\Desktop\SetConvert.avi.11C-1F1-41F

Filesize
339KB

MD5
94cf5627e86655baefd707421dfa3935

SHA1
a35aff203d1dd196f91813f7fea4630aa256de1b

SHA256
5530dbe2559020c4a08415226da077bba561ac9d01768476db2b51e1a306a6f5

SHA512
164d08a712fd764ead94ffcf36a403750c987e5b6e7d2ca58a72246ddcb6e19edc3eccc9cd2245d696d96ffca51193f27c07f747087eea8aa69b0b0451ee09a2

Download Submit
C:\Users\Admin\Desktop\SwitchDisconnect.vsx.11C-1F1-41F

Filesize
564KB

MD5
832e62cad80e388578f25fbf7e118bb2

SHA1
e73b5c5efefcfca4b7aa2502ea74e0d1143bfc9e

SHA256
0424f83fa4b8a05c7f4e7c15c4e362efbc3399e3d5433227bdabdccd691e2c5c

SHA512
17a58996df99108c4c87cc4d034c3f814ca019f038108a1a489db0b9544948345d604ab0282109f859c9107ba3fe8df2370eb8353fe02bc1053849724092bd04

Download Submit
C:\Users\Admin\Desktop\UnlockUnpublish.htm.11C-1F1-41F

Filesize
593KB

MD5
890a0d7ee23a144a2515eeb1dbbf232a

SHA1
49814d6cdfcb12bbbd79e2bb4dd0f3a06953379c

SHA256
794f1aa8a0a3b78a368e6f5eb9eb5ebb326f30a246f75cd2176cc0fa960fa1a8

SHA512
ac9f449b54514dadde5ac67c6af15ef3c7f52c0c259879f13e4c00838aad6df6ddfd1e12b4e4e7738b85c801261fb50db806fe21c1e07a1e496da4c6b6659a53

Download Submit
C:\Users\Admin\Desktop\WriteConvert.clr.11C-1F1-41F

Filesize
677KB

MD5
846133249964b58b34d2e8702e19a38c

SHA1
a9cce55f1c8bc15038be2142b5ea497904f5ad80

SHA256
d86fe1c55fcbc4277d95f8ff6daa2a2b59fa8d6f234c59b0991b3f6262e088c6

SHA512
4eabcfea3d8cdd1ea07f42b18f0e273b124e793aaaf21355727a998b6c99bbdb3dbe09e80a8c991e2eda04dc256b19c7d6f39a4d109dcc9cf910dd576ced10ae

Download Submit
memory/168-7-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/916-14-0x0000000001200000-0x0000000001340000-memory.dmp

Filesize
1.2MB

Download
memory/1232-12468-0x0000000001200000-0x0000000001340000-memory.dmp

Filesize
1.2MB

Download
memory/1232-22165-0x0000000001200000-0x0000000001340000-memory.dmp

Filesize
1.2MB

Download
memory/1232-25827-0x0000000001200000-0x0000000001340000-memory.dmp

Filesize
1.2MB

Download
memory/1916-25847-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/3920-10-0x0000000000B80000-0x0000000000CC0000-memory.dmp

Filesize
1.2MB

Download
memory/5008-8027-0x0000000001200000-0x0000000001340000-memory.dmp

Filesize
1.2MB

Download
memory/5008-25848-0x0000000001200000-0x0000000001340000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads