buran | 83739dc8c9f8430b1a8ade85e926bf8084942759cd1d4e502c1960ce02e93d5b

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-04-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe
Size

210KB
MD5

eebfab07abcb75f2aa1821a4efcf7cfd
SHA1

2e2c0667215777d5a0f5e0972af6cf5418febeb1
SHA256

83739dc8c9f8430b1a8ade85e926bf8084942759cd1d4e502c1960ce02e93d5b
SHA512

ac22326f0c365b14b16e3c942a2424d60cb7b1431ece875a3247b0771da3bdb2e7b86bf1ae2bbb3506dfb82f687f1c4d8f51bc0b788f7e919f802c496eef454a
SSDEEP

6144:Ria1vcaEre+HPsKSAzG44DQFu/U3buRKlemZ9DnGAeWBJR1+W:RHcthvzSAx4DQFu/U3buRKlemZ9DnGAL

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 19 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012262-4.dat	family_zeppelin
behavioral1/memory/1440-17-0x0000000000C40000-0x0000000000D80000-memory.dmp	family_zeppelin
behavioral1/memory/2664-24-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2744-905-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2528-3342-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2744-3818-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2528-5987-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2744-6455-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2744-9825-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2528-9841-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2528-12071-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2528-15094-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2528-18000-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2528-21387-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2528-24250-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2528-27390-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2528-30071-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2528-30128-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin
behavioral1/memory/2744-30160-0x0000000000BF0000-0x0000000000D30000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7380) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2532	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
2744	spoolsv.exe
2528	spoolsv.exe
2664	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe
1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe
2744	spoolsv.exe
2744	spoolsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieNewsletter.dotx.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Sales Pipeline.accdt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Niue.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN002.XML.48A-94E-72E	spoolsv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\.zeppelin	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Newsprint.thmx.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Priority.accft	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297759.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14882_.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\.zeppelin	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9B.GIF.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14515_.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.REST.IDX_DLL.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt.48A-94E-72E	spoolsv.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01793_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00555_.WMF.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PPINTL.DLL.IDX_DLL.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNoteNames.gpd	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBORDER.XML.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099171.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232393.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301076.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01138_.WMF	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00828_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MOR6INT.REST.IDX_DLL	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusAway.ico.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.SG.XML	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN109.XML.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.DPV.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00261_.WMF.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files\PopRepair.ppsm.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg.48A-94E-72E	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.48A-94E-72E	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3064	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe
2744	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe
Token: SeDebugPrivilege	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe
Token: SeDebugPrivilege	2744	spoolsv.exe
Token: SeIncreaseQuotaPrivilege	3036	WMIC.exe
Token: SeSecurityPrivilege	3036	WMIC.exe
Token: SeTakeOwnershipPrivilege	3036	WMIC.exe
Token: SeLoadDriverPrivilege	3036	WMIC.exe
Token: SeSystemProfilePrivilege	3036	WMIC.exe
Token: SeSystemtimePrivilege	3036	WMIC.exe
Token: SeProfSingleProcessPrivilege	3036	WMIC.exe
Token: SeIncBasePriorityPrivilege	3036	WMIC.exe
Token: SeCreatePagefilePrivilege	3036	WMIC.exe
Token: SeBackupPrivilege	3036	WMIC.exe
Token: SeRestorePrivilege	3036	WMIC.exe
Token: SeShutdownPrivilege	3036	WMIC.exe
Token: SeDebugPrivilege	3036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3036	WMIC.exe
Token: SeRemoteShutdownPrivilege	3036	WMIC.exe
Token: SeUndockPrivilege	3036	WMIC.exe
Token: SeManageVolumePrivilege	3036	WMIC.exe
Token: 33	3036	WMIC.exe
Token: 34	3036	WMIC.exe
Token: 35	3036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3036	WMIC.exe
Token: SeSecurityPrivilege	3036	WMIC.exe
Token: SeTakeOwnershipPrivilege	3036	WMIC.exe
Token: SeLoadDriverPrivilege	3036	WMIC.exe
Token: SeSystemProfilePrivilege	3036	WMIC.exe
Token: SeSystemtimePrivilege	3036	WMIC.exe
Token: SeProfSingleProcessPrivilege	3036	WMIC.exe
Token: SeIncBasePriorityPrivilege	3036	WMIC.exe
Token: SeCreatePagefilePrivilege	3036	WMIC.exe
Token: SeBackupPrivilege	3036	WMIC.exe
Token: SeRestorePrivilege	3036	WMIC.exe
Token: SeShutdownPrivilege	3036	WMIC.exe
Token: SeDebugPrivilege	3036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3036	WMIC.exe
Token: SeRemoteShutdownPrivilege	3036	WMIC.exe
Token: SeUndockPrivilege	3036	WMIC.exe
Token: SeManageVolumePrivilege	3036	WMIC.exe
Token: 33	3036	WMIC.exe
Token: 34	3036	WMIC.exe
Token: 35	3036	WMIC.exe
Token: SeBackupPrivilege	2180	vssvc.exe
Token: SeRestorePrivilege	2180	vssvc.exe
Token: SeAuditPrivilege	2180	vssvc.exe
Token: SeDebugPrivilege	2744	spoolsv.exe
Token: SeDebugPrivilege	2744	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 2744	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe	28
PID 1440 wrote to memory of 2744	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe	28
PID 1440 wrote to memory of 2744	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe	28
PID 1440 wrote to memory of 2744	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe	28
PID 1440 wrote to memory of 2532	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe	29
PID 1440 wrote to memory of 2532	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe	29
PID 1440 wrote to memory of 2532	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe	29
PID 1440 wrote to memory of 2532	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe	29
PID 1440 wrote to memory of 2532	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe	29
PID 1440 wrote to memory of 2532	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe	29
PID 1440 wrote to memory of 2532	1440	2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe	29
PID 2744 wrote to memory of 2528	2744	spoolsv.exe	30
PID 2744 wrote to memory of 2528	2744	spoolsv.exe	30
PID 2744 wrote to memory of 2528	2744	spoolsv.exe	30
PID 2744 wrote to memory of 2528	2744	spoolsv.exe	30
PID 2744 wrote to memory of 2664	2744	spoolsv.exe	31
PID 2744 wrote to memory of 2664	2744	spoolsv.exe	31
PID 2744 wrote to memory of 2664	2744	spoolsv.exe	31
PID 2744 wrote to memory of 2664	2744	spoolsv.exe	31
PID 2744 wrote to memory of 2156	2744	spoolsv.exe	32
PID 2744 wrote to memory of 2156	2744	spoolsv.exe	32
PID 2744 wrote to memory of 2156	2744	spoolsv.exe	32
PID 2744 wrote to memory of 2156	2744	spoolsv.exe	32
PID 2744 wrote to memory of 568	2744	spoolsv.exe	34
PID 2744 wrote to memory of 568	2744	spoolsv.exe	34
PID 2744 wrote to memory of 568	2744	spoolsv.exe	34
PID 2744 wrote to memory of 568	2744	spoolsv.exe	34
PID 2744 wrote to memory of 2856	2744	spoolsv.exe	36
PID 2744 wrote to memory of 2856	2744	spoolsv.exe	36
PID 2744 wrote to memory of 2856	2744	spoolsv.exe	36
PID 2744 wrote to memory of 2856	2744	spoolsv.exe	36
PID 2744 wrote to memory of 948	2744	spoolsv.exe	38
PID 2744 wrote to memory of 948	2744	spoolsv.exe	38
PID 2744 wrote to memory of 948	2744	spoolsv.exe	38
PID 2744 wrote to memory of 948	2744	spoolsv.exe	38
PID 2744 wrote to memory of 2152	2744	spoolsv.exe	40
PID 2744 wrote to memory of 2152	2744	spoolsv.exe	40
PID 2744 wrote to memory of 2152	2744	spoolsv.exe	40
PID 2744 wrote to memory of 2152	2744	spoolsv.exe	40
PID 2744 wrote to memory of 1828	2744	spoolsv.exe	42
PID 2744 wrote to memory of 1828	2744	spoolsv.exe	42
PID 2744 wrote to memory of 1828	2744	spoolsv.exe	42
PID 2744 wrote to memory of 1828	2744	spoolsv.exe	42
PID 2744 wrote to memory of 2204	2744	spoolsv.exe	44
PID 2744 wrote to memory of 2204	2744	spoolsv.exe	44
PID 2744 wrote to memory of 2204	2744	spoolsv.exe	44
PID 2744 wrote to memory of 2204	2744	spoolsv.exe	44
PID 2204 wrote to memory of 3036	2204	cmd.exe	46
PID 2204 wrote to memory of 3036	2204	cmd.exe	46
PID 2204 wrote to memory of 3036	2204	cmd.exe	46
PID 2204 wrote to memory of 3036	2204	cmd.exe	46
PID 2744 wrote to memory of 1576	2744	spoolsv.exe	49
PID 2744 wrote to memory of 1576	2744	spoolsv.exe	49
PID 2744 wrote to memory of 1576	2744	spoolsv.exe	49
PID 2744 wrote to memory of 1576	2744	spoolsv.exe	49
PID 1576 wrote to memory of 3064	1576	cmd.exe	51
PID 1576 wrote to memory of 3064	1576	cmd.exe	51
PID 1576 wrote to memory of 3064	1576	cmd.exe	51
PID 1576 wrote to memory of 3064	1576	cmd.exe	51
PID 2744 wrote to memory of 2848	2744	spoolsv.exe	55
PID 2744 wrote to memory of 2848	2744	spoolsv.exe	55
PID 2744 wrote to memory of 2848	2744	spoolsv.exe	55
PID 2744 wrote to memory of 2848	2744	spoolsv.exe	55
PID 2744 wrote to memory of 2848	2744	spoolsv.exe	55

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-12_eebfab07abcb75f2aa1821a4efcf7cfd_zeppelin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2528
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3064
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2848
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:2532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
f3a97f8268b92ce534f08c3cb26fc641

SHA1
a5572e8894eb5851f33ba4160fbe873df148c04e

SHA256
da71ef1e25db6e807f1a3878bd939015d3af782367ce09425bf5303d0fc6e29d

SHA512
f914e85de8dfa537bf213fda0b786f0707db7fcafc3999986ca4741800d08702971f1480683940f16434f8bf629168def439987cc565cc8d3f9013723d530146

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
9d462505c1e1f950d385f2ef573c444e

SHA1
9324cd648e8ae494d0937aba05a25294afb776b1

SHA256
005f9929f6357a44fb165dc058ed276a9c4c769c37fc3bde85f44c2cc5b2e097

SHA512
a839bda3e6135dd398eb7d56da3be9a86fcae0b834087b53155fa47ce592834c79ee3aa8e16db9c71b05d5aecdb5e99e748e7287a306cb99426020313b68c425

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
125KB

MD5
fd8992960630d5822ceff4185e91442f

SHA1
5fda6db2f0978a032697f5fe9345152bb397c259

SHA256
be5577fcda8704ceb2a4fa76d9601cb167620219c9e6734bf014afb8c75fd3c3

SHA512
bbe35cb425b018c6d67c03d1560778bd1c3b970005ce99bf943161833c3037faa623d5ac711f3d53b8daba10db77e3302b0c01c52317e6f7e7b8d873b94dc949

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
2a21970dc7a4a4e07568233232230456

SHA1
91444cde26187ab6b2426f9416f6e439910bd986

SHA256
86708fdf70499b4acd0eef911ba9ef0b9403306b073f2973e2b2c2ba18e173ff

SHA512
314b3731f337da0d3b2f7300d3ddb8d93d12e0c872ec2ff9dcfc10a99bf764cefc312bfb1fd8bc86c358cdadf5cc10c710ef91b791d0ec72852a637a75b81258

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
78KB

MD5
81f0ede2dbd69e7cab2484459d1e1e48

SHA1
854aa182767a9f0156c8e7be74c938135a93a943

SHA256
34ee7fa6d7b6fb265d277955bf719e75f5e0bcba8dfcfbd7abf8df68b221a0a1

SHA512
60cf58140451834f620304a56e44862dd5bbea240901b1d294938bec0e4911e5b593ce9e8db93f66f6084355ad2437172cfbbb033fe70d50ab9101933dae40c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
e494662b8c39a5573885acad697153f5

SHA1
6a69b9b53fcbbba404cae6c63bb0b25198f28ebb

SHA256
c791e431076b54c747c5829f90690cfb7531a097700364ef07a768b3b89946a1

SHA512
2ac3111eeef5f86b12abdadf813c1bd1130f092f2b2726825ebd0cb71202d9e991b102c3cbde34d5c668a1951d37e592b6b5674f19fd6141af22c21f18f0a26c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp

Filesize
8KB

MD5
ce75136778c5d1c1c03bede0ac3697ce

SHA1
6402c8cdf9874ec17c197607d12aa3793183171c

SHA256
72971e397ae486b3943a5e646efaa4ec82e89ef8f1777554192ed49f7324140e

SHA512
bfa0ad195fe0ff83defdc6d2f60417bcc82b9a2bdc3ae1f4b90e51b74b989275c164374086289730a4dee2db403fb42b3232d03df84e0d5a1710ee5a332e2d26

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
2074d18c90e20702acbfdcb2f6a55bb7

SHA1
78b40481fb43f69d5a8927163abd911895a03063

SHA256
e0ee677532b09d10355fcc54b40d9dabacc93962390d60969f0deb1a33f3decb

SHA512
7194891dbf2e8c52232d383ad8429217905bc6a200da6506553629f67f09cada3c270e8bf0e74beb997e77b7392e9099d2fb5735e1bca36d10a1f30baa489e5b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
88c0065e11640adc7aa79ba9e18640aa

SHA1
a427c5defb2ddd56eee5791c89fb2dc796aa6a78

SHA256
9cf187a8b62116ab995c1e8ce747c9a2944469a4d8566de8086a07ddbab6efac

SHA512
3bb3a28b2c38356c82d7d4e9460c33d17a3a1c7ea04c623f54b50bc2ba54f0ca112f4cbda07e8c1a177fd0ae821a608b9468c4eb709bb1306f63d4baf9ceabbc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
79KB

MD5
b75c91466859ac9fc538a0139fd1da5d

SHA1
01b3bdaa4c0424e7edcbf9d8cd755952c953f0cc

SHA256
4c3cd60101a2b4f6b6c2728eaa15d37d9d33703e181a4ce2a6df85e52222856b

SHA512
cb16df195e710e618674778f48d742c934db4b2c775c65de7e009c20fe470cecce18eab64ef87be1d9f22817fe5e9d5c90aa3b78d2e2e82654b1b37452d64e73

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
0a49c1c5c0731c901e6e0a5a19e2e656

SHA1
57766ca78517d75e2a626976e69ea3e893bbf8ab

SHA256
943a0162b519c4a083c4e819a94f771d13e115325ec8bc935f9dc7d8769846e4

SHA512
6a2ec957f59936da94d7f87da26609564bebd775bd4bcd64cd8c18c6e81d13069942d1ee580a15b47c1947949f775cae6c3a2444918d50d33280aed935f04d71

Download Submit
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
935B

MD5
cabd381254d3ad99de7668596bcf0732

SHA1
b7add8109c6066d633802250a74e739de7b0dd09

SHA256
91b9cdab10e645082548b441e9e0c4b92b3936ff6fb9c776939d16dfd2b3cfaa

SHA512
3b3114f2637e2800111b462acd206e87d17ec7efcca57170d846816619554ff385c684e0df8eb0e8d2c1cbafd84c559f10c5d1e9a8e56fd24ae90cb24c8cb536

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg

Filesize
22KB

MD5
8a68fd8df66ece7f76c6f0b2cb862e3d

SHA1
5d1575c8ebd43ff575c78bf20ea0f913f96163ca

SHA256
b93e6159122efe76a7d07c759f1d18411f998262ac32cb86289fadf1833b5c22

SHA512
599a2c346abd93d35e8e8e868e03283221060f8100d556b7eb2933d831ecb87daa0222f6ade939fddd59d7130d1875139b3c96e73899161c9f5ce29118ad45b3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html

Filesize
17KB

MD5
9170168c4b20a4a3bdbae4b0c22bd3a0

SHA1
3efb5f33adf4e9497d90c6646c09505545f1d355

SHA256
9ef0e869f21ee8b250b957c9e20c3a487ffab30306dd95c63de6a62ef3f0caf7

SHA512
aec83f0f3bf9339bbb857be8c602913a54e3c7a47ad216d1c132a7db7e4fce90783d93e4bf485adf1b1a07a6aa19304393b9bfb42f2c98da25f5666a9e306d6f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties

Filesize
7KB

MD5
f37af68e4b0bf62c556c6c3667a76cae

SHA1
a1c33ed3f61cf1ddac781161d01c6a1316e9cd2a

SHA256
6274009518a37f0e6a4f79faf39b3bb4792c186ea8fc12dece37c071adb2eb7f

SHA512
2a74679c10371e1bf2a74579e779341a7998bb329b4599aa51b5161f57836812443623ae140307c89475a292dd17bc743d61ee4643bc0fc13296beb9e322f3ec

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
b46be1c2ffdcc2cfce5e10e6ee241f15

SHA1
15c3d51c447e966c8075143e0ead2713932f4558

SHA256
ea025626a7746515a7691978e34f0c13dfa639d8040380b211394fed0f2892e5

SHA512
f066c430cd1b1d8b96d56c84571b742b2951353fc6cb08ffa48046bccd002806389179486eb5eb988778c59f10212058bf894bc9e41e5561ec4a2e3b5d43fb44

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
502340709137c791d20b134a58ad1293

SHA1
1c56a8056400f0bc21c5d9c880ac7cb7acf2fa8e

SHA256
2b7cba5cba3123c3165e2a838bfc60a95192bb796407b226de3c2ac806485935

SHA512
7136dc371bbb7b16c36a0fb1823b58560cf30cec5b3e07f53032282c516a846a9f349d60d4299b192c8f761fed8aadb5585b6fb503d8f5c4b40773aab008b405

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

Filesize
13KB

MD5
a56943fde780e4326ca30eb89e68c787

SHA1
2bc8d063ba3f43ba8089d77b54ace407453404a0

SHA256
8a02eff064a5296032b7d27ae6d90b16b259025a843635accf430121f61a77ab

SHA512
80fbc0191e7f747492ad1246f84fa8d8e1a3c2f5e2796b8c54062c59e4c1bea64ac5526a53689021ae9316b4012c8721c6de54aa8bed6e2a03be7bcbf32c0c8f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html

Filesize
10KB

MD5
dee2131be361d4f287696b966df98750

SHA1
088d21babf57b5e4ca1fd826b8a3f8b808d38c31

SHA256
2e7b982352d61f084a56e6b94d3b803c397367462d18515755ff599aaba69520

SHA512
564ef21730039c575e6e351f0ff27880d8e535eb9d667879f9eb5754cda597d04c52d209922c516f00e1e1a42e2d4d1c4dadc40417dd7fbaf042e7eee0ec9ffa

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
8862064fc8522c9659a633ba6204a811

SHA1
749140c56493bfd707b5a6a989bf1108a77ddd8b

SHA256
a9b8e343332d3b0470a3837702c72a830a0e42de7a8fa06fb3f1398958653521

SHA512
7846aef0cc0bb07b4692dbba73408311540878649933908bd718eb125d178a439d4c917b1e2780ad8de8066813572d5090efd8a24ca550e802789c6d0eaff59c

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
dad370c55dc9992ccc77a24e30d9de1c

SHA1
d063882d786598b48b673887fca26a291bb17bd7

SHA256
5cd1e5260ebeeeb52d9060a9e5448545e9374f60c0f257a01fb419cd28159005

SHA512
613783dda4446f2d4d1cf7941a1d60d1a7ab795386508c0e607cf468d5a8d2f8b23cd07fb963a902cc429c505d38e3aa6b427df186c816e14fdf7362b8a8f6a8

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
587KB

MD5
620928e1a7fbbb3d902c754a114c51cc

SHA1
0e59c0c188a3862ba5b6be03a0962e8dd7fa629c

SHA256
267c74d7b372c381929f239b674a3abe5ab2d4824b53b8aa3367303dafe8ab26

SHA512
b8ba1fa79825e89b4e6362e8f39d45dfccb54f9e5ec82e6871170325047f40922b8cdf0befbb677c86f0f17ffa033c018321177a124aa53a97af1251fd96bcaf

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
764KB

MD5
9761cd33aa211c860e12bc99f60bb5ff

SHA1
98eee22602865ae2dc12435a0833fbc73b94e2f5

SHA256
1fce81d5e7bb3957a314a1667c0c2fbc5bdc715b0c577fad354828d9e23b689c

SHA512
530e2276741c633cfcb639eca42855c3582fca8a9c3fe9f389583011f956ef6c52b1778bbed703ac1e168f4e15fa99791ede546ab0a7daed7d39a4a72b344027

Download Submit
C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo

Filesize
545KB

MD5
d1bdd06481a061b9a0cc15bdd58ac1c1

SHA1
5103d0c435f9a335b9b100802fc922c6da05cc23

SHA256
e1596b42c730ff5daae16b84170ce203c9e4c764b25321c47fd7afef90fa968e

SHA512
bb2520f9fc6affc11cfaa40d8de4b253eee209605e4ffac8ed321c036fe18bfb407c7f50e20522d2b35f391f29e1fc7b151def8e770be7553c0b8f03b495cd38

Download Submit
C:\Users\Admin\Desktop\CheckpointRedo.mht.48A-94E-72E

Filesize
334KB

MD5
abf56bb558329f8cb422d1e743c78d10

SHA1
36c48d8765c9c6b1679290fcae03ec3acf067a76

SHA256
e01a176c419241ba3d070e67ffb86146c7496e19b6273ca7445d22589a3a206a

SHA512
a5f106c5fa18f38d4ed8da252c28fe384543668df4a3256dabab3b267072aad5c012d2e2be8dbb8c0039828905462ada6cd44f0f894566db036b45ba30765b06

Download Submit
C:\Users\Admin\Desktop\CloseImport.reg.48A-94E-72E

Filesize
563KB

MD5
dc66dc9848a99e236af9d0af6d2b682e

SHA1
a1566d6415d4f6891470b6cad76ea9baf4ea457c

SHA256
f1a8c3acfdf1f4f61598b3ccf245930e80f50d710cc2fb0cd2af4598a8f57015

SHA512
3bd86715cf0789daacd6c7db28b5886ded9408a43dc9ce98c3136266b624e3428513c28e452c45e80313f6e0db74596bcf2ea3ae2689e936447e94eaf7899805

Download Submit
C:\Users\Admin\Desktop\CloseUninstall.vssx.48A-94E-72E

Filesize
747KB

MD5
feaf83d7240cfce7a738088e512f27c8

SHA1
be8f1397ff527faece2efc0d218b5c60367094eb

SHA256
c6e2555b823e9db5c2d485e06d17c588051b8d7703b7be47fa4bff074e4b6c7c

SHA512
836b577e3362b4ec00429d1a2bf56a8033e2e9d40d5229083eecd38be928086a912a1162bfa0c330598604cbaa480026a169230ff86323b730fc124944ca0fa6

Download Submit
C:\Users\Admin\Desktop\CompleteLock.odt.48A-94E-72E

Filesize
403KB

MD5
4c45a1838934a24de448916e5f9753e7

SHA1
3730f79279e4849e1e00b3f39eb723c4f7714c11

SHA256
203807723edb670481cea4a010ecd50c4ad4eb6edc7e156ecf7b94bc3a16e834

SHA512
28cc8002e35322e42bc4da9c1a4c63255cb525049e02392d5eccbd87092a8d9b09a791ab22f1d870cbb7664d212585f859097410ceb5d747f30b01d36301bc1f

Download Submit
C:\Users\Admin\Desktop\CompressConfirm.contact.48A-94E-72E

Filesize
1.1MB

MD5
cb0914864e0b6fd9e48db70217aa054a

SHA1
3830a0f32ff0f5ff2dfac94481ab5310f98a03b1

SHA256
69f705cb5bcd6cdff0beeba70d23808a2f1c30b34083ec5fd12e83b60bc7d93e

SHA512
0a410a61bcfc745c2f3aa803fb3dc840361f28b9a783e5b57c8828f896a7b443bc4311f1fff0d6986088c8533e4c855da899ca590c24a6c7ed768487400bcbab

Download Submit
C:\Users\Admin\Desktop\ConfirmConvertTo.mpe.48A-94E-72E

Filesize
494KB

MD5
48a1080a0c72164020c43f90c82cdc45

SHA1
f6df585f68320aeca8fbd7a30038629639e14066

SHA256
60647c4744198e1b80b5bf204dbd98bdd8d38dce20e673adcb04f52d4f7b3de8

SHA512
8bf03f2dc803a9c0bef56c0810ee533b017007dd79c5e321540944895402b462b37aae7f79a588794e0f4cb3b1951769ed44a095e09843e7e30a67729d8b9fff

Download Submit
C:\Users\Admin\Desktop\EnableReceive.ps1.48A-94E-72E

Filesize
793KB

MD5
59d452a1d1c1154c42ee4af3aceeca8d

SHA1
65ed411d5057a8a5081254dd447fb7ec61387e15

SHA256
d933667de2f2a7b6f58a3222b49ddfa11433a351d25c2b855b15808ebce59280

SHA512
0a51cbee1ec5d15b72ba1fb220772f203f4126b4452ad542350bc3d19c293d9070344a5f8d65d076f349b7c3390571bef258656fb4d0a926a44e83f4371e6b8f

Download Submit
C:\Users\Admin\Desktop\ExpandSubmit.gif.48A-94E-72E

Filesize
380KB

MD5
d2fa3d7df3df181b7d2815b17a9e5137

SHA1
f2091d049452c5793867c94f2008a48e65234ab3

SHA256
6d6fed7d02d8c5ad5abe4c6a0bb69a28073c610d1e8927d2c3a83f75a1bfe05d

SHA512
9a62616b90188ef7d1e4b847d346e6209e52bc4dcbb6adb9d6662947ab32e144b9ff5d993e38ec544f053a21648c0ba2639a6265c7df058cb53612a07e580435

Download Submit
C:\Users\Admin\Desktop\ExportUndo.docx.48A-94E-72E

Filesize
448KB

MD5
01d6ad2c855f3664d37e2fd5542ba503

SHA1
cdd314cca146ce4050ee8930380d4cace21a0ce7

SHA256
72923472208f34ae647690ae1174f5eef2a357d307ec2869ac770786560ad442

SHA512
dc1692bf6ab292277b17a7ac79e032bb2d488a240267ba74e725a0e075752896da33372a8a1f4cb35cfab764b92c97c415c68a6c27ab95ae480254128b4e3d30

Download Submit
C:\Users\Admin\Desktop\GetUnblock.mp4.48A-94E-72E

Filesize
471KB

MD5
ab430d5d93e36594fe549dd186ba2ffe

SHA1
0b23a091992bb3932903a09b86a669aeefed8023

SHA256
c165d835409b1036ae954bf059e95d7b49062a8683267975d7cc3ae28d1c0537

SHA512
7618587abc5f08e4c56d4a20d4d2ff24c68ef6b0fa956694ccb381d247a4d8fa89810dbea4d0399ad120cd379aeeac69b3d4dc4dd633f231cb506b05450f14b0

Download Submit
C:\Users\Admin\Desktop\ImportMove.bin.48A-94E-72E

Filesize
586KB

MD5
4e4b99ff579acfb218d94980a0d1060d

SHA1
daf9c06722d3062d5aefb2110fcd413bbaaa52e8

SHA256
22a6d0ccbd835ad1a828a9b90de1bf5304851a3bd277e95674a14599ee797a75

SHA512
6a6caafcfe6f377c0b37d922f465ec70609ab777d19ee8e24842a8648ecf5832625d6c73ce4e2aa64ba0e9a1c86d1e20e7e5975b2edc829600abad197a08a656

Download Submit
C:\Users\Admin\Desktop\InstallConnect.dwg.48A-94E-72E

Filesize
724KB

MD5
cd4a31c16e8530d4b4ac0c41ec0907a7

SHA1
f8680bf1f88f3dfde29ed35e8954e8331712ac47

SHA256
88a1c04ad59df77e7122ecc2d8381985b5dc77117befe79313b3ead2b9430ad8

SHA512
8b4d3703d05b3c62081cf0acaa14e09249a5298213e1ebeaa1458225bdcd4c1dca841d1f877bc6969237fa5004672d197ec09ba2686c8d09c116f765dfc6d3aa

Download Submit
C:\Users\Admin\Desktop\MergeClose.wav.48A-94E-72E

Filesize
632KB

MD5
ef1434d38a43c4759e169d5d0cb7128e

SHA1
4731280d3a9ff4573bcba60be4f40c336628f581

SHA256
d5edf74e403cdf01bcd0e7245103afc0831a0250c4483250202e964957fae8a5

SHA512
1c2a5dcd15946bde807fa0590dce8c1682d6fdc39b176947f9f0dbf537f591e08804d5e8200399366faff66f746b3638065476eaf02e1a83985e4f5c0e6701a0

Download Submit
C:\Users\Admin\Desktop\MountHide.vbs.48A-94E-72E

Filesize
426KB

MD5
1d5057f9d68285a1a33ec327728c7add

SHA1
d0a002339926ff3b0eb6aaa70f35f90547a6f1ff

SHA256
7eb564c5b08c3ae41f66b81f9dbca2bfa73d82f48c967a7baed8bd37995e7a35

SHA512
6c3dab505ca46214e56b021b43d7880f169d51910b1cc952c0e991cea55fa1ce34286af73cc735ececf6f010bdd6b21495096b2437c93df1bae4dde5a16825a0

Download Submit
C:\Users\Admin\Desktop\PopUndo.ico.48A-94E-72E

Filesize
288KB

MD5
2988eba98888b36ea6be0eaafad10d2a

SHA1
71f155a2fae0862d0ef4a5ac69057d1e6f57d670

SHA256
e5f3c4c5d590f077f2480e3e774c65a0b0b4777f48c00ea3c3a9c2ae7839a887

SHA512
cba203a44320a8af7c53ca642fea21bb9bea487995b2c2357e1cf98057998d6b3c5ff96dec7754a095442a708f2770b4584cc3901bc810284284b64f95a79057

Download Submit
C:\Users\Admin\Desktop\ReadReset.mpp.48A-94E-72E

Filesize
678KB

MD5
c9a26240f93ecd66b26e6a3896689770

SHA1
0872b2dcc567c1ac14622828307cbbce02ce3073

SHA256
dce0c48869633d0b4b5195430feda054482ab70a56636d59519862fc60b59c5d

SHA512
0864a0849a03b5f316ebe195872a73b178b799d3c04419c3eed0ed215d4776a4b6b1cc7e83a0c01b57d0d879bd3d3f9724c1dfcb14c0b327e853841075354d1d

Download Submit
C:\Users\Admin\Desktop\RepairLimit.bmp.48A-94E-72E

Filesize
770KB

MD5
2e6af510aa489b36b2f5477595ae5d3b

SHA1
e25acbcfab3c9a6c38b9152c84e7d2886f027c30

SHA256
6f8635cf4aeb5dbe416d30821de76b4a6bb8cb5bfc9822caaafb6cfef1aeef00

SHA512
2243e2de7637b2d00ed45757135070c48b5e18d51226fd0a8c7d27aa4d285cb346daae61e516d6e4f5be410c86de8b64840af8cf9f2b3c24f0c13db9a90dba54

Download Submit
C:\Users\Admin\Desktop\RequestDismount.mhtml.48A-94E-72E

Filesize
517KB

MD5
e7e6cc23c5e4d51ead96ae9de0854218

SHA1
d1b55adde9fc13e26e55ea8ff0157b4b6fda9250

SHA256
1548cabf4e928cbb4e70abbb8b994d11db5b67e91f3c2c410719bbb5d3f3e17d

SHA512
299ad1952dd6fd3438c7754146f2e4e0c7d08eeed167dcaa1236da8c539bd95138497384f168f7811d9a8bb37240f9a0957e9206b83efda12b08db55b2f0ef32

Download Submit
C:\Users\Admin\Desktop\ResolveMerge.DVR.48A-94E-72E

Filesize
701KB

MD5
1dd707077e081199479d8f928e8618a0

SHA1
e3f00a4c17a533196a04af7a73b95b2cd7ebc9d7

SHA256
0bccfd9590961e6ee01b4b472dbcb57dbc7d3d1d7b8d40a5f728f1f690376476

SHA512
164a69fc1074291b9f11aeed948d4170f1c6359a6343acc273a0f2c0c60c0a5bc188e1691734ef52b50a3404066dd4047850bee974849c7270470ffa63a8f301

Download Submit
C:\Users\Admin\Desktop\ShowTest.i64.48A-94E-72E

Filesize
815KB

MD5
932faa7cf1fb385efa1a0bc11df0a085

SHA1
8197b70c897111f206b4ed94abacfac77f93189e

SHA256
5e578ad3678bdf3e1bbb09f918407174b0b10f1975513090372e4f7459cc114b

SHA512
cdfb5a165877c3538372f3d2c27f4902a9ec6205d21dc7f29835d6c01930a14e0478b4b546b44ae450faf521ce8241752c79f409c97762641203622fd796fd90

Download Submit
C:\Users\Admin\Desktop\SubmitSearch.wmf.48A-94E-72E

Filesize
540KB

MD5
57a19e42bb54f760eb64fa8d6db01cbf

SHA1
08b2604bba271b88673535fddcb05f2dbd8ea955

SHA256
50af37cc67ac75cc53a66b0a9a15fb6cb33b69c58bee00647bdbc2f6e1539e55

SHA512
76036a4783fcb25cff91bf89630d2fc1642c80e87a63db9d1c788c82fb45e4a68805489dcdea79e09364f5f74158abe7883af64bbb4a6f1bd3430223e3d757d1

Download Submit
C:\Users\Admin\Desktop\SuspendUnpublish.dwfx.48A-94E-72E

Filesize
609KB

MD5
8a8d1dfc5cc3339a0a7ff0f19c59bb39

SHA1
2ed1a82f97b731402ec1a9d7f33f63d90fd30657

SHA256
ffd923263f75de378169d9ca20f39bb8a6c4cb3c43cd5ddd448057eb8f55b5c9

SHA512
98b54ab0599eea59112e004d7f7e7155c34e16eeceebdf1eff5d14efa7bc59653f6589b2984c7024a86eee365eb443176faaaaed3c75b023027bc37f32002e34

Download Submit
C:\Users\Admin\Desktop\UnblockRestart.vssx.48A-94E-72E

Filesize
655KB

MD5
d6cba389ef16ea621c18a91f15a297cd

SHA1
e7c4a805fa95328c087c3941bdbb124e1e696091

SHA256
2cf29526a603280c89a51c0bb6ede59d65cc2aff1c79ab3f88b438810fb1121c

SHA512
199b9eb668d43c65b291be9155f8c90a18277e2b0a3a9b399b3a70e0c3b3afc9e1f518f706a99d6e49e1b28cdf12782bfe2397994657c957de3a6bb9b6a337f6

Download Submit
C:\Users\Admin\Desktop\UnpublishExit.raw.48A-94E-72E

Filesize
311KB

MD5
dc1e77b0a7ca84a5bc573a7236d9d08f

SHA1
cd6eec75e97f812599a9028e263b6c6dd7b73ac4

SHA256
03549e77bf06277a25a0f56387747c2ff66d9d5682c93663ae1d12800d1f8ea4

SHA512
4104a446d03abf10238a4d73971c2ee0a8771a0d607a639a53373ab2d0655c7f305bc3bcfc708347494ef60895d83488d696e72c89f02c1b4007463fa86de664

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
0428dea307d3344ae568f0880ebd798b

SHA1
e5c42a9aa3acee7f31ab0c08c523062125f37fe0

SHA256
bcd745a008dc662f1622f31d857e86c7bbbaaa8da54e3d8e98641ccff5be2952

SHA512
5f658b27903e5b98509077add77ad6d80636d0ca3c878a86373425cb03c0432b3ec4c02f3cbc97dba59734e820944eca1839931907d6fb4ccbf052d7abd3b002

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
210KB

MD5
eebfab07abcb75f2aa1821a4efcf7cfd

SHA1
2e2c0667215777d5a0f5e0972af6cf5418febeb1

SHA256
83739dc8c9f8430b1a8ade85e926bf8084942759cd1d4e502c1960ce02e93d5b

SHA512
ac22326f0c365b14b16e3c942a2424d60cb7b1431ece875a3247b0771da3bdb2e7b86bf1ae2bbb3506dfb82f687f1c4d8f51bc0b788f7e919f802c496eef454a

Download Submit
memory/1440-17-0x0000000000C40000-0x0000000000D80000-memory.dmp

Filesize
1.2MB

Download
memory/2528-5987-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2528-12071-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2528-21387-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2528-3342-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2528-18000-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2528-24250-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2528-15094-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2528-27390-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2528-9841-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2528-30128-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2528-30071-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2532-15-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2532-12-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2664-24-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2744-30160-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2744-905-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2744-3818-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2744-6455-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2744-9825-0x0000000000BF0000-0x0000000000D30000-memory.dmp

Filesize
1.2MB

Download
memory/2848-30159-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download