buran | 88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

Resubmissions

03-01-2024 15:08

240103-shylyshgh6 10

03-01-2024 15:05

240103-sf7rvahgf3 10

03-01-2024 15:03

240103-sfclpsfdcq 10

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-01-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Size

211KB
MD5

bab201c1a2c8e0f99e683591945e7e3d
SHA1

90e57172d463dcd6df22d2bf96a6b265a7fdec65
SHA256

88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
SHA512

d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
SSDEEP

6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 8C5-F2F-A4B Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 8 IoCs

resource	yara_rule
behavioral1/files/0x00080000000122c4-8.dat	family_zeppelin
behavioral1/memory/2180-17-0x0000000001280000-0x00000000013C0000-memory.dmp	family_zeppelin
behavioral1/memory/3068-22-0x0000000000FA0000-0x00000000010E0000-memory.dmp	family_zeppelin
behavioral1/memory/2408-7586-0x0000000000FA0000-0x00000000010E0000-memory.dmp	family_zeppelin
behavioral1/memory/3024-11602-0x0000000000FA0000-0x00000000010E0000-memory.dmp	family_zeppelin
behavioral1/memory/3024-23930-0x0000000000FA0000-0x00000000010E0000-memory.dmp	family_zeppelin
behavioral1/memory/3024-30279-0x0000000000FA0000-0x00000000010E0000-memory.dmp	family_zeppelin
behavioral1/memory/2408-30307-0x0000000000FA0000-0x00000000010E0000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7423) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2876	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
2408	svchost.exe
3024	svchost.exe
3068	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AIR98.POC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageSlice.gif	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01291_.WMF.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099153.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153087.WMF.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195772.WMF	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01295_.GIF	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\vlc.mo	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00222_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21495_.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_K_COL.HXK.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01759_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02116_.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0229385.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43B.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR8F.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDREQS.ICO	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\FreeCell.exe.mui	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02233_.WMF.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115864.GIF.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SlateBlue.css	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLMAILR.FAE.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.XML.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Payment Type.accft.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185778.WMF.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10307_.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01472_.WMF.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00560_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Oriel.thmx	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	svchost.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02041_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DVDHM.POC	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.8C5-F2F-A4B	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago.8C5-F2F-A4B	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2688	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Token: SeDebugPrivilege	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Token: SeDebugPrivilege	2408	svchost.exe
Token: SeIncreaseQuotaPrivilege	2804	WMIC.exe
Token: SeSecurityPrivilege	2804	WMIC.exe
Token: SeTakeOwnershipPrivilege	2804	WMIC.exe
Token: SeLoadDriverPrivilege	2804	WMIC.exe
Token: SeSystemProfilePrivilege	2804	WMIC.exe
Token: SeSystemtimePrivilege	2804	WMIC.exe
Token: SeProfSingleProcessPrivilege	2804	WMIC.exe
Token: SeIncBasePriorityPrivilege	2804	WMIC.exe
Token: SeCreatePagefilePrivilege	2804	WMIC.exe
Token: SeBackupPrivilege	2804	WMIC.exe
Token: SeRestorePrivilege	2804	WMIC.exe
Token: SeShutdownPrivilege	2804	WMIC.exe
Token: SeDebugPrivilege	2804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2804	WMIC.exe
Token: SeRemoteShutdownPrivilege	2804	WMIC.exe
Token: SeUndockPrivilege	2804	WMIC.exe
Token: SeManageVolumePrivilege	2804	WMIC.exe
Token: 33	2804	WMIC.exe
Token: 34	2804	WMIC.exe
Token: 35	2804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2804	WMIC.exe
Token: SeSecurityPrivilege	2804	WMIC.exe
Token: SeTakeOwnershipPrivilege	2804	WMIC.exe
Token: SeLoadDriverPrivilege	2804	WMIC.exe
Token: SeSystemProfilePrivilege	2804	WMIC.exe
Token: SeSystemtimePrivilege	2804	WMIC.exe
Token: SeProfSingleProcessPrivilege	2804	WMIC.exe
Token: SeIncBasePriorityPrivilege	2804	WMIC.exe
Token: SeCreatePagefilePrivilege	2804	WMIC.exe
Token: SeBackupPrivilege	2804	WMIC.exe
Token: SeRestorePrivilege	2804	WMIC.exe
Token: SeShutdownPrivilege	2804	WMIC.exe
Token: SeDebugPrivilege	2804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2804	WMIC.exe
Token: SeRemoteShutdownPrivilege	2804	WMIC.exe
Token: SeUndockPrivilege	2804	WMIC.exe
Token: SeManageVolumePrivilege	2804	WMIC.exe
Token: 33	2804	WMIC.exe
Token: 34	2804	WMIC.exe
Token: 35	2804	WMIC.exe
Token: SeBackupPrivilege	2060	vssvc.exe
Token: SeRestorePrivilege	2060	vssvc.exe
Token: SeAuditPrivilege	2060	vssvc.exe
Token: SeDebugPrivilege	2408	svchost.exe
Token: SeDebugPrivilege	2408	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2408	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	29
PID 2180 wrote to memory of 2408	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	29
PID 2180 wrote to memory of 2408	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	29
PID 2180 wrote to memory of 2408	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	29
PID 2180 wrote to memory of 2876	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	28
PID 2180 wrote to memory of 2876	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	28
PID 2180 wrote to memory of 2876	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	28
PID 2180 wrote to memory of 2876	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	28
PID 2180 wrote to memory of 2876	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	28
PID 2180 wrote to memory of 2876	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	28
PID 2180 wrote to memory of 2876	2180	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	28
PID 2408 wrote to memory of 2824	2408	svchost.exe	44
PID 2408 wrote to memory of 2824	2408	svchost.exe	44
PID 2408 wrote to memory of 2824	2408	svchost.exe	44
PID 2408 wrote to memory of 2824	2408	svchost.exe	44
PID 2408 wrote to memory of 2800	2408	svchost.exe	30
PID 2408 wrote to memory of 2800	2408	svchost.exe	30
PID 2408 wrote to memory of 2800	2408	svchost.exe	30
PID 2408 wrote to memory of 2800	2408	svchost.exe	30
PID 2408 wrote to memory of 2732	2408	svchost.exe	41
PID 2408 wrote to memory of 2732	2408	svchost.exe	41
PID 2408 wrote to memory of 2732	2408	svchost.exe	41
PID 2408 wrote to memory of 2732	2408	svchost.exe	41
PID 2408 wrote to memory of 2844	2408	svchost.exe	39
PID 2408 wrote to memory of 2844	2408	svchost.exe	39
PID 2408 wrote to memory of 2844	2408	svchost.exe	39
PID 2408 wrote to memory of 2844	2408	svchost.exe	39
PID 2408 wrote to memory of 2812	2408	svchost.exe	32
PID 2408 wrote to memory of 2812	2408	svchost.exe	32
PID 2408 wrote to memory of 2812	2408	svchost.exe	32
PID 2408 wrote to memory of 2812	2408	svchost.exe	32
PID 2408 wrote to memory of 2620	2408	svchost.exe	37
PID 2408 wrote to memory of 2620	2408	svchost.exe	37
PID 2408 wrote to memory of 2620	2408	svchost.exe	37
PID 2408 wrote to memory of 2620	2408	svchost.exe	37
PID 2408 wrote to memory of 2764	2408	svchost.exe	34
PID 2408 wrote to memory of 2764	2408	svchost.exe	34
PID 2408 wrote to memory of 2764	2408	svchost.exe	34
PID 2408 wrote to memory of 2764	2408	svchost.exe	34
PID 2764 wrote to memory of 2804	2764	cmd.exe	35
PID 2764 wrote to memory of 2804	2764	cmd.exe	35
PID 2764 wrote to memory of 2804	2764	cmd.exe	35
PID 2764 wrote to memory of 2804	2764	cmd.exe	35
PID 2408 wrote to memory of 1692	2408	svchost.exe	51
PID 2408 wrote to memory of 1692	2408	svchost.exe	51
PID 2408 wrote to memory of 1692	2408	svchost.exe	51
PID 2408 wrote to memory of 1692	2408	svchost.exe	51
PID 1692 wrote to memory of 2688	1692	cmd.exe	47
PID 1692 wrote to memory of 2688	1692	cmd.exe	47
PID 1692 wrote to memory of 2688	1692	cmd.exe	47
PID 1692 wrote to memory of 2688	1692	cmd.exe	47
PID 2408 wrote to memory of 3024	2408	svchost.exe	49
PID 2408 wrote to memory of 3024	2408	svchost.exe	49
PID 2408 wrote to memory of 3024	2408	svchost.exe	49
PID 2408 wrote to memory of 3024	2408	svchost.exe	49
PID 2408 wrote to memory of 3068	2408	svchost.exe	48
PID 2408 wrote to memory of 3068	2408	svchost.exe	48
PID 2408 wrote to memory of 3068	2408	svchost.exe	48
PID 2408 wrote to memory of 3068	2408	svchost.exe	48
PID 2408 wrote to memory of 1060	2408	svchost.exe	52
PID 2408 wrote to memory of 1060	2408	svchost.exe	52
PID 2408 wrote to memory of 1060	2408	svchost.exe	52
PID 2408 wrote to memory of 1060	2408	svchost.exe	52
PID 2408 wrote to memory of 1060	2408	svchost.exe	52

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:2876
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2824
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:3068
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
e6f156fc925364e48d2858a12c081f0e

SHA1
515caf92a7a77219ac6bcf9646153d73fefd70b5

SHA256
8d4e7820dfd0f22c885ab3f9b8d21e644eb9c0a50b835337ad9c525bdfa27c23

SHA512
d1ca5eb2f92eef6cffc46544e07332c13eaea313fc3e7b2c1e942fb338274ccbfe4c41464209d0d46008bfb4b9c5893d13b530fcf2f423cd30894de3ef27187a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
125KB

MD5
e25aad38a72769c1a4935c4167def9fe

SHA1
e994e8aa4175878f96aaa6c2c3a4545b6b9ccb66

SHA256
21e5ca70e44407df5ec24a1e9670f71f385737e9875cdb8fe8d3da3cd6535ef3

SHA512
cb6e63cc005738aca623a594640d148113fcf2d28eef76318fe07ca0a686b66d512f7f13022a7d1d74e6cc9aa32b22a9a634c8ea15ab4497139115019923ae6f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
2ec238af43a36297326afdb22dd5ea29

SHA1
03a13ca437cec846812cae72dfb0c6f7e0bb8d64

SHA256
72092df26b61ee330821e51f714efaa1499afd9cdf19a1eb33a335429b3db0b8

SHA512
112eef75ae893e4654e9954cfb87532714cf32d290f3883c997e2606b569db7744b3293d6826cb627d567995a795aeda88504a2e8a15b91111004634b2f8b161

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\TURABIAN.XSL

Filesize
92KB

MD5
2fa501d31de250c55a5882c8b579ff10

SHA1
f2c926e34c54b2fa9c0a7a6fc0bdf2c9eb108bef

SHA256
09c4c591acf13c4cd971da3298aedfef902e353e9fa72bbefa38cdca81622a19

SHA512
81e6158dc4dc221aee2ab11cb688abc8c925a99401a0b8646053f267e7b42d30f2fcd3c4eab87ff3907972851f27f16b96688c1a8495feaa494ac26cf85fc5e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
78KB

MD5
11e03fac19463c9cf07410b4e968821c

SHA1
fb41e5ab566fc7c8112b79a22d76581cbc627f09

SHA256
aa96e39120461e8398843770fc6ee31e8dcef5c103ddf34c106ee7a4c726f8f2

SHA512
b68c42887ecb168e56775dfa9571c3a3e524df632e2e325b59347c2656839b858ae66a644494af2b8eaa44aa0828319a719817434b67817d8e44afdf0f48d2bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg.8C5-F2F-A4B

Filesize
7KB

MD5
4189aa11208ec739373cf6dc1c269322

SHA1
a69b17571ec7295479a3f3b3b7dd7deb28819e94

SHA256
8b2713dd8c0abb4a2dfe616c6c3cffcf1d2ea9314ef8807f04f3bbce2614d0b8

SHA512
12c22739d0c1a7a7a887ce77fad7c9b4d4061185ad1d23d89712573c8f3bf434fd6492ca41918d48d9a5b81f998fa1470e0df125806e530c755ec7271bcc333a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
dc09a0e734f8d47ea15e03e7c9ea938b

SHA1
46cdabd61ee0eaab6a1c970a58e36d57063253a4

SHA256
030fd2586fb4b93c090e6387f4b1aa402899aa10ca52c4b76822d5c670d93d47

SHA512
46b9216db2698aa0b432ebba022c020635927d2058d777889e0ae975002bb75c6d326bb5484ad0ca3b8bfc9a4a96fd7b05543477315a21ba0caca16f9e26f50e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
d794f42c5391bd2e5de7c4802500c5af

SHA1
d87af816e0e7d07d543e9e510c80c7ffba94368b

SHA256
90d7772ef69efcfb7b7eeb1fc710e36e5744c3ad03966852b7f903c6a0bae307

SHA512
f98f052f7d4966627350131ff847ab626ec3f57e4b7ae3e7415960e754f4ae5076a6197ac72bdc0b02611b53d8f32afebdf5e0b14fd0890dba67aeb150888c63

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
c6a703dc0462c5a1737ce5d44a715633

SHA1
4bd882f4847088759698b730898418a743c6bf60

SHA256
ba3a3cb414a7e0fa37665b0516ab01e61a6aac71eb73ffcb40a623a40c627526

SHA512
1343bcb8cbb7452e57ee1f9d120d9f6b5bff0b26288b921155f93cbe89adae017118213218f0602a5d43cd2dd7c25dca4ba3c6506ae20f05253fcd33234932c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
79KB

MD5
1f8f202b9659b7ff45d89cd83798e154

SHA1
86f90624e370ac84f7434c7c678bcdd834d77cc6

SHA256
4d2f771023a4cda631cb22a5dcc82f4f5b6f33e4df0ddb3e0d7b7010ec8684c0

SHA512
91c4c77f11dde701d55a1615f4a721bb487f73e7555b088171f09add0c378107419aeb8b5077f88feda026136fc0ce5801f7e20b5cd7fba98748cb94895c8383

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
67f6d0caaeffd1bb08eaf5fa8a8b2487

SHA1
66e0c3be4473eddbd8ef8c155f09135ce5a89d0a

SHA256
faa7145f7396809f481fe303f5b7d6bf7f1c503e0dcb0e2e1ab6e58c1f31daa7

SHA512
63e5f8680f68385642088252278e12e693eee09f2826dc45f687a15182b58d418b94b732f061254078ec6ab1615c4ef67b830c8a548e900e1dd4ab72cb79e075

Download Submit
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
936B

MD5
bc39a5c155fd0ccf952b41efda71e0ef

SHA1
b595a06fdebf5cd1e026583e4366b82248bfcd08

SHA256
5fab76c2f6299555d32654bfe791e9b70ed98d51f541ed7e56c44d760be32354

SHA512
916e71fc5c667935c7bc0a09d30ee9def2c572a8206bb0c28a5219be5bff18b6676f9d047a2ed64169456b74f3e3046be3050bb7e852b7ba34e2b310c5ce0bb8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties

Filesize
7KB

MD5
2425628cd52274896bf28cce77780705

SHA1
cc001df1eee67f14348ce2d9fd5d3804803831cd

SHA256
d8284ed1010f3409843221b48ed6ad2ba37e82e161b92064a8e10cad0ac5a569

SHA512
983c5bd179aa8eee7ee95df8956987e1fa2ff639cd2f8ee8dbc5c7a2c4b26e0869ca16ba043f92b901e598cfb61c1a448fe35029878381edc3c7bcd222a689ec

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
7KB

MD5
9e9733de44db82b9c858d018eaf40d8c

SHA1
89f3c55cef949e582c25d31f5a36ca21471532d2

SHA256
e78d2501f17f0a8349174be917bc69d94d58f72c5e211ac8f6521705af543cc8

SHA512
230e8eb1ceb3aae4182c19b007eacada682cee7158c394c86900b1336bae43ff393d1e55f0bbd572b27fb1c4dcb9aef1b6dd0990933f2da846c8dd31616a0dc6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html

Filesize
10KB

MD5
3267713281c22d42a1d932f8af9fdc34

SHA1
ff7dbffaac6ac1682f40fa15c4866ea697144239

SHA256
74711dae27fd57c9edee1bb6af7ffe1787e5924735ae1e57e57d5d31d6636ae0

SHA512
419c279c64045f57b326f7004d2508d8bc31860df271c33922dd8418924fe961b3185fcee0c01d89d49ab27c17e0d7048e3de28d87526364ce33968837d7b3de

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
2a57ac1eae69eb55b1f4eaa45a3c1462

SHA1
5eb1c32bfbc3e307b7038e9c1c6a2448f6a5956c

SHA256
da2a1223cd5960a2023d2e230219cff1076f15d8952fcfed920c0a85f4a66b44

SHA512
8f8545609c101880dd9a0805049814c403367bcec43fbf8721d23ae779e3d78454c9d1728d44251223d47ff8507126d7a7b25fa203ccfd9bb4920a9d42d2919b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

Filesize
10KB

MD5
f88daf0f1cd1a7ac83502aec1e919315

SHA1
aaf16947fc5ea33a08dc0238e0904ae96df842b3

SHA256
53f3f07a58d99472a4e74f9668a3d1199e6f3b7a8f94c57032103b7d8e274bfe

SHA512
a8a63db1fc13e73b180aef05e765813438374b51c738fbf0a1c36928b6a6e985e0fa1c5c2e16d6e7d0de75d3b543ec526b3201abf4b374df41116b1a7fc43002

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
0aeb3edf3d69efffabc81a6960dac8b1

SHA1
669f7db96fec25302d2a8fa94b64473dcbc5a1ab

SHA256
0b123b6167a3dfe52f842fda6ab5a5b2d63b36663343d29b506a7bc0174ef81c

SHA512
4b19bfdf1cdd24e120c7f8cbaf9f57ab60688233e1b51770d557606116ef0bbe45381ec59e381d26abd12d2fd98ae7670a3bccf12eec96302b50d29b88048489

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
92KB

MD5
0a07d433f47b56a060e38ae716c9637e

SHA1
b00eded960042bce1fd12952dad774d740b56e49

SHA256
df98ba99736b7910fdaba56725c7e86ceb45c0ed476ef6606ac187e032d4847a

SHA512
29ff8a64cff20977bbc84c6b858d5b12aa6997ce7b12445d37f1851373aebd4483c18a29db717d7b580b51cb519d7f78193c3ed795aaa60e98321ac01f5c4fbb

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
92KB

MD5
30e510ee4165d4e24f287d30f6b6f371

SHA1
8c15deda9ef6786a94f9007b857f4970c6a7add6

SHA256
142c8bf41a07941b6a90759382a5d7630a90a7b82740b846535795cae52285ae

SHA512
6e88167bd6e55bc09d682ab09474dbc971422272724b7bf47cbdd4a752a81a2eaad5076068f1f3da193203b4a5f7c2cbda5a4e07fd48069b912b1dd7586a097c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
211KB

MD5
bab201c1a2c8e0f99e683591945e7e3d

SHA1
90e57172d463dcd6df22d2bf96a6b265a7fdec65

SHA256
88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

SHA512
d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a

Download Submit
C:\Users\Admin\Desktop\ApproveUnlock.gif.8C5-F2F-A4B

Filesize
357KB

MD5
88a875bd60b38a7647c4a0922d28bba3

SHA1
7899f616d84e13e2065279c5ac30a42448daeb42

SHA256
342db7f8b4420efd7dcd19fc8db7ac69ace1dbc3391c68bc01d237dfa2769a04

SHA512
fcb9cfb72052c723cb68f64ce085c87615ba3e949084d16a11d5484391bac2b7ecd1fd084a5fb5b76e880b83be3d44c66a5bc320dd9b9c79f89fe3b407893d25

Download Submit
C:\Users\Admin\Desktop\ClearStop.mpeg2.8C5-F2F-A4B

Filesize
268KB

MD5
21e1f2d4f5296c009f4343dfb9f5d764

SHA1
5c1bd757446fe5e050f753b9f3989623194dd717

SHA256
2945438915c6bca7265097d2d27638273d95f8186df43dc2b958271b0af0ac2a

SHA512
338b17b9def0cf40733a07d2495f2e6da7482b1a77f5c68d926e3f9bf51e41533a55e81e48018c1e489756571d366039fd6d59ed4521692d54767546ec8229c4

Download Submit
C:\Users\Admin\Desktop\ConfirmRepair.wma.8C5-F2F-A4B

Filesize
410KB

MD5
16648c1e5dcb604e6c757496a6e8dd3d

SHA1
ff60cc7bd9b7eb7d5326e399bd9c7c5833271015

SHA256
c360cddab5623d2f1c67b4803dc3536336277c59f52c19570f1025f07f984ff4

SHA512
965e63328bc4accd84bbe28371f1d0a691d36c850bb2960669ba0bd66e006e1eafa0682f8080aaa0ccf74dcc0246fdc7b29534dac2662a5dbbae890906069ebe

Download Submit
C:\Users\Admin\Desktop\ConvertCopy.emz.8C5-F2F-A4B

Filesize
428KB

MD5
9ae6f5873298c323e0c0bd018865da6f

SHA1
aedfc97aa69b93b1b00cbadb4a60a9b3a1df01b8

SHA256
70bb283dd7aa757469a5c25f9080e134f0fa38c038f4aa1dfefead32ab24a80b

SHA512
cb8c1759d45033213837791e383f0f0b1e4756acbdfeda9c1c017bfda5807de1d91ed287787021f6f2e4f2837c1431132f04f21dd83aaa19a924050a7e7e21eb

Download Submit
C:\Users\Admin\Desktop\EnableNew.wmx.8C5-F2F-A4B

Filesize
499KB

MD5
3fb7c38b279ce62951ff44560847b715

SHA1
9d03b78b5fbd228f51f435e03dbb82aa67648ed3

SHA256
1d9b5912ae358c0dcb509a8621bdaff6c93e789e33c7ad3db02bb76d9837c882

SHA512
c30bfa3728f4668a178fde4daa34c9e26a7947f4ff1984ceaa350363a8314ab0852b23f7371aef9b10c6d29e26ce9dbfb5235dc7dc37c60f202c0bbc78e45a61

Download Submit
C:\Users\Admin\Desktop\ExitUnprotect.wav.8C5-F2F-A4B

Filesize
606KB

MD5
8c5fc4dd55a7bcbc516b72c1e8582d9f

SHA1
9351cb49a6881049a9ee30ab1b476bf092beb804

SHA256
9104981652d64b1dde8084a4dafc2c4eec281c60ec36a1facac145f8b68f3920

SHA512
b472e2e554cb99c0151448582e0b16cbbe30133531851613078ae6a4993a0203bbcf796c13dc7094bc444784e9d45952da51505712d7f2387e31c8f9bbada871

Download Submit
C:\Users\Admin\Desktop\FormatDisconnect.cr2.8C5-F2F-A4B

Filesize
250KB

MD5
3e75aa96663632be1e0a2043766436e8

SHA1
0d90695d516f0b11d9bfed0fbbc11f465fba2e19

SHA256
db725e269dab9fcd69b7a3a7d0c2e0907e68058279efd78ea6621364beeba056

SHA512
ef3a5435ebbdb096a188e778a72fa6aed1be3ca7cf1c47983cea7e5ebfdb3c68072973d59fc22cc469b15cadbf135067646b3a478c757d08910e92d67e1d4057

Download Submit
C:\Users\Admin\Desktop\GetResolve.vstm.8C5-F2F-A4B

Filesize
552KB

MD5
d8e649416248f363a2e0b6ab275101a9

SHA1
135b40b6ce639175c117ead075eedbdfc9966603

SHA256
f71b0020786a614e2dc5fca0cfaa37ff1512762602e11ce1fb59ae2edea9e613

SHA512
7b77851755bcdec60705ba62ab597ef78eba3217e427effe276eead3d46e35ffc6df2f1f98b8d4a2c24ff9cbb78729efba8c93e5e7535b3f323fc962eb1caba0

Download Submit
C:\Users\Admin\Desktop\HideSwitch.wma.8C5-F2F-A4B

Filesize
534KB

MD5
0804640bcc86099ef54a056354b8406f

SHA1
c4e903249c7e566c0657f70635cf0ad16e673518

SHA256
44ffd238e854f25ec5029c26e501410000005df2ddd7bc4d793a731b7f8490e3

SHA512
4d55088ac40098801e1583b0e9407357085773d8e58071e23f0a3a6bef6c7f6325f77d394bd37a937b338988baae85aed7e938cc30811dbb119c2c5d925cd6cb

Download Submit
C:\Users\Admin\Desktop\InitializeBlock.jpg.8C5-F2F-A4B

Filesize
570KB

MD5
7709a43699fa68519ae6ba72766d6a4e

SHA1
873d3568eccb06708f5a4bf7702debd7560b536e

SHA256
ab2841e6dae1984532bf417a22fd60b2781fe5bd61728b1718e243ce61b6b148

SHA512
65993046f9894f37da92f0b24b03354d77e820b18401436a41337ae2ec1068eb38a0813df8e07da0c6985b803e1776f2c86ac5ddcf7e904922439cee8a384923

Download Submit
C:\vcredist2010_x86.log.html

Filesize
83KB

MD5
bdc47762c71a2361701e2b9ad423a19b

SHA1
4aa98b9a9083054ad857e2e6b08b03bccc3396fe

SHA256
8f685822ed275830bf107074e972cfae04d701239e80b86318460b7fa4706652

SHA512
92cd87d43a867f09abeb29b4d71a6d9c53b02c507c97c4f2d4ee904eb106787cd94235280c9c066b88998e057811659cdcae065d3b59e798ad20ba28a7a6d890

Download Submit
memory/1060-30306-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2180-17-0x0000000001280000-0x00000000013C0000-memory.dmp

Filesize
1.2MB

Download
memory/2408-7586-0x0000000000FA0000-0x00000000010E0000-memory.dmp

Filesize
1.2MB

Download
memory/2408-30307-0x0000000000FA0000-0x00000000010E0000-memory.dmp

Filesize
1.2MB

Download
memory/2876-12-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2876-15-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3024-30279-0x0000000000FA0000-0x00000000010E0000-memory.dmp

Filesize
1.2MB

Download
memory/3024-11602-0x0000000000FA0000-0x00000000010E0000-memory.dmp

Filesize
1.2MB

Download
memory/3024-23930-0x0000000000FA0000-0x00000000010E0000-memory.dmp

Filesize
1.2MB

Download
memory/3068-22-0x0000000000FA0000-0x00000000010E0000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads