buran | 88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

Resubmissions

03-01-2024 15:08

240103-shylyshgh6 10

03-01-2024 15:05

240103-sf7rvahgf3 10

03-01-2024 15:03

240103-sfclpsfdcq 10

Analysis

max time kernel
89s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
03-01-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Size

211KB
MD5

bab201c1a2c8e0f99e683591945e7e3d
SHA1

90e57172d463dcd6df22d2bf96a6b265a7fdec65
SHA256

88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
SHA512

d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
SSDEEP

6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 255-807-181 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 13 IoCs

resource	yara_rule
behavioral4/files/0x000c00000002a6d0-6.dat	family_zeppelin
behavioral4/memory/1880-12-0x0000000000230000-0x0000000000370000-memory.dmp	family_zeppelin
behavioral4/memory/1188-13-0x0000000000E20000-0x0000000000F60000-memory.dmp	family_zeppelin
behavioral4/memory/232-23-0x0000000000230000-0x0000000000370000-memory.dmp	family_zeppelin
behavioral4/memory/1880-6103-0x0000000000230000-0x0000000000370000-memory.dmp	family_zeppelin
behavioral4/memory/3468-10477-0x0000000000230000-0x0000000000370000-memory.dmp	family_zeppelin
behavioral4/memory/3220-11780-0x0000000000E20000-0x0000000000F60000-memory.dmp	family_zeppelin
behavioral4/memory/1188-13633-0x0000000000E20000-0x0000000000F60000-memory.dmp	family_zeppelin
behavioral4/memory/3468-18796-0x0000000000230000-0x0000000000370000-memory.dmp	family_zeppelin
behavioral4/memory/1188-21880-0x0000000000E20000-0x0000000000F60000-memory.dmp	family_zeppelin
behavioral4/memory/1880-21879-0x0000000000230000-0x0000000000370000-memory.dmp	family_zeppelin
behavioral4/memory/692-21878-0x0000000000E20000-0x0000000000F60000-memory.dmp	family_zeppelin
behavioral4/memory/3468-21877-0x0000000000230000-0x0000000000370000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (6057) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 3 IoCs

pid	Process
1188	TrustedInstaller.exe
3220	TrustedInstaller.exe
692	TrustedInstaller.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\TrustedInstaller.exe\" -start"	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\W:	TrustedInstaller.exe
File opened (read-only)	\??\O:	TrustedInstaller.exe
File opened (read-only)	\??\Z:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\T:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\K:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\G:	TrustedInstaller.exe
File opened (read-only)	\??\B:	TrustedInstaller.exe
File opened (read-only)	\??\Y:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\E:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\R:	TrustedInstaller.exe
File opened (read-only)	\??\J:	TrustedInstaller.exe
File opened (read-only)	\??\A:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\U:	TrustedInstaller.exe
File opened (read-only)	\??\Q:	TrustedInstaller.exe
File opened (read-only)	\??\Z:	TrustedInstaller.exe
File opened (read-only)	\??\A:	TrustedInstaller.exe
File opened (read-only)	\??\W:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\Q:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\I:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\N:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\M:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\J:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\B:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\P:	TrustedInstaller.exe
File opened (read-only)	\??\X:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\V:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\R:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\M:	TrustedInstaller.exe
File opened (read-only)	\??\K:	TrustedInstaller.exe
File opened (read-only)	\??\I:	TrustedInstaller.exe
File opened (read-only)	\??\N:	TrustedInstaller.exe
File opened (read-only)	\??\U:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\S:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\S:	TrustedInstaller.exe
File opened (read-only)	\??\G:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\Y:	TrustedInstaller.exe
File opened (read-only)	\??\L:	TrustedInstaller.exe
File opened (read-only)	\??\H:	TrustedInstaller.exe
File opened (read-only)	\??\P:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\O:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\L:	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened (read-only)	\??\E:	TrustedInstaller.exe
File opened (read-only)	\??\X:	TrustedInstaller.exe
File opened (read-only)	\??\V:	TrustedInstaller.exe
File opened (read-only)	\??\T:	TrustedInstaller.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\ui-strings.js.255-807-181	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe.255-807-181	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-200.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare71x71Logo.scale-100.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-96_altform-unplated_contrast-white.png	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\ui-strings.js	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\print_poster.png.255-807-181	TrustedInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\tr-tr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.255-807-181	TrustedInstaller.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV.255-807-181	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SnipSketchSmallTile.scale-125.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherAppList.targetsize-32_altform-unplated_contrast-white.png	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ui-strings.js	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.255-807-181	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimelessResume.dotx.255-807-181	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-150.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\PREVIEW.GIF.255-807-181	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.9.2002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LargeTile.scale-125.png	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\fonts\createFontStyles.js	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\types\ITheme.js	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Icons\StickyNotesSplashScreen.scale-100.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32_altform-unplated.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-100.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-400.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.255-807-181	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CACH.LEX.255-807-181	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-80_altform-lightunplated_contrast-black.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\ui-strings.js.255-807-181	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.255-807-181	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Icons\StickyNotesWideTile.scale-125_contrast-black.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSplashLogo.scale-100.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.255-807-181	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-32_contrast-white.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateAppIcon.scale-150.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\FocusZone.js	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\upsell-2x.png.255-807-181	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-24_altform-unplated.png	TrustedInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.255-807-181	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-200.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.targetsize-36.png	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ui-strings.js.255-807-181	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_contrast-white.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleSmallTile.scale-100.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\Native3d.TextureRendererPixelShader.cso	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DetailsList\DetailsFooter.types.js	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\ui-strings.js	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.255-807-181	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\DocumentCard.js	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\ui-strings.js.255-807-181	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML.255-807-181	TrustedInstaller.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-256_altform-unplated_contrast-white.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2861444a.pri	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.scale-200.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-unplated_contrast-black.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-36_altform-unplated_contrast-black.png	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Token: SeDebugPrivilege	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Token: SeDebugPrivilege	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Token: SeIncreaseQuotaPrivilege	4680	WMIC.exe
Token: SeSecurityPrivilege	4680	WMIC.exe
Token: SeTakeOwnershipPrivilege	4680	WMIC.exe
Token: SeLoadDriverPrivilege	4680	WMIC.exe
Token: SeSystemProfilePrivilege	4680	WMIC.exe
Token: SeSystemtimePrivilege	4680	WMIC.exe
Token: SeProfSingleProcessPrivilege	4680	WMIC.exe
Token: SeIncBasePriorityPrivilege	4680	WMIC.exe
Token: SeCreatePagefilePrivilege	4680	WMIC.exe
Token: SeBackupPrivilege	4680	WMIC.exe
Token: SeRestorePrivilege	4680	WMIC.exe
Token: SeShutdownPrivilege	4680	WMIC.exe
Token: SeDebugPrivilege	4680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4680	WMIC.exe
Token: SeRemoteShutdownPrivilege	4680	WMIC.exe
Token: SeUndockPrivilege	4680	WMIC.exe
Token: SeManageVolumePrivilege	4680	WMIC.exe
Token: 33	4680	WMIC.exe
Token: 34	4680	WMIC.exe
Token: 35	4680	WMIC.exe
Token: 36	4680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4680	WMIC.exe
Token: SeSecurityPrivilege	4680	WMIC.exe
Token: SeTakeOwnershipPrivilege	4680	WMIC.exe
Token: SeLoadDriverPrivilege	4680	WMIC.exe
Token: SeSystemProfilePrivilege	4680	WMIC.exe
Token: SeSystemtimePrivilege	4680	WMIC.exe
Token: SeProfSingleProcessPrivilege	4680	WMIC.exe
Token: SeIncBasePriorityPrivilege	4680	WMIC.exe
Token: SeCreatePagefilePrivilege	4680	WMIC.exe
Token: SeBackupPrivilege	4680	WMIC.exe
Token: SeRestorePrivilege	4680	WMIC.exe
Token: SeShutdownPrivilege	4680	WMIC.exe
Token: SeDebugPrivilege	4680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4680	WMIC.exe
Token: SeRemoteShutdownPrivilege	4680	WMIC.exe
Token: SeUndockPrivilege	4680	WMIC.exe
Token: SeManageVolumePrivilege	4680	WMIC.exe
Token: 33	4680	WMIC.exe
Token: 34	4680	WMIC.exe
Token: 35	4680	WMIC.exe
Token: 36	4680	WMIC.exe
Token: SeBackupPrivilege	3128	vssvc.exe
Token: SeRestorePrivilege	3128	vssvc.exe
Token: SeAuditPrivilege	3128	vssvc.exe
Token: SeDebugPrivilege	1188	TrustedInstaller.exe
Token: SeIncreaseQuotaPrivilege	2900	WMIC.exe
Token: SeSecurityPrivilege	2900	WMIC.exe
Token: SeTakeOwnershipPrivilege	2900	WMIC.exe
Token: SeLoadDriverPrivilege	2900	WMIC.exe
Token: SeSystemProfilePrivilege	2900	WMIC.exe
Token: SeSystemtimePrivilege	2900	WMIC.exe
Token: SeProfSingleProcessPrivilege	2900	WMIC.exe
Token: SeIncBasePriorityPrivilege	2900	WMIC.exe
Token: SeCreatePagefilePrivilege	2900	WMIC.exe
Token: SeBackupPrivilege	2900	WMIC.exe
Token: SeRestorePrivilege	2900	WMIC.exe
Token: SeShutdownPrivilege	2900	WMIC.exe
Token: SeDebugPrivilege	2900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2900	WMIC.exe
Token: SeRemoteShutdownPrivilege	2900	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1188	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	76
PID 1880 wrote to memory of 1188	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	76
PID 1880 wrote to memory of 1188	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	76
PID 1880 wrote to memory of 1632	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	77
PID 1880 wrote to memory of 1632	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	77
PID 1880 wrote to memory of 1632	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	77
PID 1880 wrote to memory of 3244	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	79
PID 1880 wrote to memory of 3244	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	79
PID 1880 wrote to memory of 3244	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	79
PID 1880 wrote to memory of 1744	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	81
PID 1880 wrote to memory of 1744	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	81
PID 1880 wrote to memory of 1744	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	81
PID 1880 wrote to memory of 3724	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	83
PID 1880 wrote to memory of 3724	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	83
PID 1880 wrote to memory of 3724	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	83
PID 1880 wrote to memory of 616	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	85
PID 1880 wrote to memory of 616	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	85
PID 1880 wrote to memory of 616	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	85
PID 1880 wrote to memory of 2456	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	87
PID 1880 wrote to memory of 2456	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	87
PID 1880 wrote to memory of 2456	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	87
PID 1880 wrote to memory of 836	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	89
PID 1880 wrote to memory of 836	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	89
PID 1880 wrote to memory of 836	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	89
PID 836 wrote to memory of 4680	836	cmd.exe	91
PID 836 wrote to memory of 4680	836	cmd.exe	91
PID 836 wrote to memory of 4680	836	cmd.exe	91
PID 1880 wrote to memory of 2256	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	94
PID 1880 wrote to memory of 2256	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	94
PID 1880 wrote to memory of 2256	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	94
PID 1880 wrote to memory of 3468	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	96
PID 1880 wrote to memory of 3468	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	96
PID 1880 wrote to memory of 3468	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	96
PID 1880 wrote to memory of 232	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	97
PID 1880 wrote to memory of 232	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	97
PID 1880 wrote to memory of 232	1880	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	97
PID 1188 wrote to memory of 2268	1188	TrustedInstaller.exe	116
PID 1188 wrote to memory of 2268	1188	TrustedInstaller.exe	116
PID 1188 wrote to memory of 2268	1188	TrustedInstaller.exe	116
PID 1188 wrote to memory of 4088	1188	TrustedInstaller.exe	115
PID 1188 wrote to memory of 4088	1188	TrustedInstaller.exe	115
PID 1188 wrote to memory of 4088	1188	TrustedInstaller.exe	115
PID 1188 wrote to memory of 656	1188	TrustedInstaller.exe	114
PID 1188 wrote to memory of 656	1188	TrustedInstaller.exe	114
PID 1188 wrote to memory of 656	1188	TrustedInstaller.exe	114
PID 1188 wrote to memory of 4344	1188	TrustedInstaller.exe	113
PID 1188 wrote to memory of 4344	1188	TrustedInstaller.exe	113
PID 1188 wrote to memory of 4344	1188	TrustedInstaller.exe	113
PID 1188 wrote to memory of 4064	1188	TrustedInstaller.exe	112
PID 1188 wrote to memory of 4064	1188	TrustedInstaller.exe	112
PID 1188 wrote to memory of 4064	1188	TrustedInstaller.exe	112
PID 1188 wrote to memory of 2972	1188	TrustedInstaller.exe	111
PID 1188 wrote to memory of 2972	1188	TrustedInstaller.exe	111
PID 1188 wrote to memory of 2972	1188	TrustedInstaller.exe	111
PID 1188 wrote to memory of 868	1188	TrustedInstaller.exe	104
PID 1188 wrote to memory of 868	1188	TrustedInstaller.exe	104
PID 1188 wrote to memory of 868	1188	TrustedInstaller.exe	104
PID 868 wrote to memory of 2900	868	cmd.exe	105
PID 868 wrote to memory of 2900	868	cmd.exe	105
PID 868 wrote to memory of 2900	868	cmd.exe	105
PID 1188 wrote to memory of 3960	1188	TrustedInstaller.exe	109
PID 1188 wrote to memory of 3960	1188	TrustedInstaller.exe	109
PID 1188 wrote to memory of 3960	1188	TrustedInstaller.exe	109
PID 1188 wrote to memory of 692	1188	TrustedInstaller.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2900
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:3220
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:3244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
  2⤵
  PID:3724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
  2⤵
  PID:616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
  2⤵
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe" -agent 0
  2⤵
  - Drops file in Program Files directory
  PID:3468
- C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe" -agent 1
  2⤵
  PID:232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DumpStack.log.tmp.255-807-181

Filesize
13KB

MD5
f45f3ff05ff5414985ac9a59cd146e7e

SHA1
ae01be85a7a0bcb0003623764950bb7b51ca75f3

SHA256
8593e1fc6a84293cf45fce2a7275a4ec610c820edc11f85badbbc19e2b14e0e0

SHA512
19233a92adef32410cbbd00fd4b0c9da82b0fbf91c370d93f0db2d61b104ca1e96f48b430c37ba1b1121736a756290dc73da3d0e4f85230c68c4270b9c848351

Download Submit
C:\Program Files\7-Zip\7-zip.chm.255-807-181

Filesize
114KB

MD5
6cb238f3cdcc9579637d67cbeec13d94

SHA1
9285081a3e781fbf330883a5c9280f301abb42dc

SHA256
c9a848ac6666879eb416daf946d7a46d974a481eb1786bc1076f73e8e7ddae8b

SHA512
9d58dc2ff2dcc15867683dea2a70e24fab28266214481aae63f84024ee261a5e2f739317a89a2f69ea8ca2ad6d504d9707fca73b63082a19d4873583dad0d335

Download Submit
C:\Program Files\7-Zip\7z.exe.255-807-181

Filesize
545KB

MD5
5fcea35e970904c0844971f60182bcc7

SHA1
2ae83139af720185900e156efada10daaed6da53

SHA256
5688ab70ef95d408b89a28ce95c8c68fa684c05f1f5f8f7339d8a5bfba3009ee

SHA512
a8f6cb5ff5ee3d6bbc36eb0332f3db9e6f3cb3a83cd4cc1d807aad02f2226add2c4790e70227d2536aa806cf282c791841196c2565994367c01cc9a5a1bb7219

Download Submit
C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
936B

MD5
37a2c78dc025197b6fb8827882188c98

SHA1
e162dead5c7b7217bf06b9fe9466aad9721c8dbb

SHA256
7ffa392e2814750b9fc677fa6bada2127cbe4710f85bf9b5f23ff379db6750a0

SHA512
22e85f0982a9ec393db7eb6644281dbe7e10ff51cd1809bfef0316d1385afd3ba15208306d7a999802cebf8b093cc772b8e8dcd8117030d497ee3ab5d7de7f53

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
3b0f2bfc8fb6d722b1dd5770a5d495de

SHA1
3283c052f879a6bedc779ea7668ab1c37a7378e5

SHA256
bb5938b4c96db059a06ec563a056596eac9a70e0af9d7e657af8aa2bad64930b

SHA512
f6bfd1aef7a52963e1dbe381ea4997fe6a2d8fd8fe91525260978a103ab4b7b7eecfceb6468dc767f7da84fabb079df703816cf9692b94f78136f3984778a39f

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
b5ab95e5916cd48db23166a6b6a32652

SHA1
4cc3bcb7b114e0cb1a16a78270fbda6ea4053df4

SHA256
2bbeddfe24452da48fc8b958daff518c9c1440512098b850978a0b8b65553281

SHA512
fe99168572bba6de3ae4a0d114c6e6aa86118797817e809d6a598fdc6b59e22c0ce53ce47e4d159fc424a6a6cfc1367c5c368e07b9f0787d9513cc056dd8228c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

Filesize
211KB

MD5
bab201c1a2c8e0f99e683591945e7e3d

SHA1
90e57172d463dcd6df22d2bf96a6b265a7fdec65

SHA256
88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

SHA512
d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a

Download Submit
C:\odt\office2016setup.exe.255-807-181

Filesize
92KB

MD5
87c53c71d8389dcc26cf52f5175b76e3

SHA1
f679546c7b6a72f9ae44b9cafd43939474963347

SHA256
df0109db0776aab6a97543dbe0ae485981b5c463a276ed173cfa95cd1cced7f8

SHA512
4a0995186e694924695019874f13de6aa193cf386dc67b44aacd0b606868de6284d140bb7e0b88f5b81a0fab256992a37b674224ce5c22a90ff45c37b9cad5c4

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.255-807-181

Filesize
381KB

MD5
de5f559e15ed08150e69b83d06572acd

SHA1
b3cbd7a854374a87ee9482936256f9b911a52cd3

SHA256
aa2465a66996129c8fbb5aec3d30f9100a36d825b8ad0ac2318fedfae2f3485e

SHA512
d70ff852d6c8913d0b9bab27280ea605f359a5abfd1da3571333322afbfe1e01b32cda1198b8a528ef882018ad6a62483222f77747700fc1124567a20a5000ea

Download Submit
C:\vcredist2010_x64.log.html.255-807-181

Filesize
88KB

MD5
cc2227f284ce607722b262dfa7e3a950

SHA1
f39412c2dfe6512be35e5fae1753a90e33e3c97c

SHA256
57a7b94617e9c47f747c6ca7eeecaf664cac0fd52234fe7dcc47deb549929cf1

SHA512
798c1b065c546cf73260b608d26cb8e6d85b9a0f13f988586be3878b5a799bb258711ebc21026950edfd5585aa5f671e388af528ad12bb120ba6303ba526cd9a

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.255-807-181

Filesize
396KB

MD5
da7d520d67dfae88583aa735d68bc736

SHA1
965acdc5a8754d3afd7a4480c085e8e6567184be

SHA256
b4ca08edef05b4dd03fe4e8f7b8b7a249a725d6af76f95e68658155eb6134d63

SHA512
ecae395ea71295d3fe15e355d58521a75b40107aad730fda31917c3a205c7e389ef8a2219104c7451a85100d2afab1373f7f519cc9e4a4d1e4104aa088d4b261

Download Submit
C:\vcredist2010_x86.log.html

Filesize
83KB

MD5
682457952447a2425fbfcea3518d60c7

SHA1
65b4657d7727a5422b9536b49c3b4c91b054a23d

SHA256
87453b2ceaf8ba4acd62fefddec1d2d9711863f27b7c127c75ed9f24c342382a

SHA512
9780985f2214b6f84ec157899cc7440d6735cab546d8413d8bbbbeabe4f4fa0584e13c47ef63a1af97813fd155d4281b824f02f9d7f312277d40e47bd4bc646a

Download Submit
memory/232-23-0x0000000000230000-0x0000000000370000-memory.dmp

Filesize
1.2MB

Download
memory/692-21878-0x0000000000E20000-0x0000000000F60000-memory.dmp

Filesize
1.2MB

Download
memory/1188-13633-0x0000000000E20000-0x0000000000F60000-memory.dmp

Filesize
1.2MB

Download
memory/1188-13-0x0000000000E20000-0x0000000000F60000-memory.dmp

Filesize
1.2MB

Download
memory/1188-21880-0x0000000000E20000-0x0000000000F60000-memory.dmp

Filesize
1.2MB

Download
memory/1880-6103-0x0000000000230000-0x0000000000370000-memory.dmp

Filesize
1.2MB

Download
memory/1880-21879-0x0000000000230000-0x0000000000370000-memory.dmp

Filesize
1.2MB

Download
memory/1880-12-0x0000000000230000-0x0000000000370000-memory.dmp

Filesize
1.2MB

Download
memory/3220-11780-0x0000000000E20000-0x0000000000F60000-memory.dmp

Filesize
1.2MB

Download
memory/3468-10477-0x0000000000230000-0x0000000000370000-memory.dmp

Filesize
1.2MB

Download
memory/3468-18796-0x0000000000230000-0x0000000000370000-memory.dmp

Filesize
1.2MB

Download
memory/3468-21877-0x0000000000230000-0x0000000000370000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads