buran | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

max time kernel
120s
max time network
121s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Size

812KB
MD5

5181f541a6d97bab854d5eba326ea7d9
SHA1

16d9967a2658ac765d7acbea18c556b927b810be
SHA256

b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
SHA512

c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
SSDEEP

6144:73KIrUL3UE1S5mY5/i+i6thb2/VMpfkgXkJX/h/O11/vMLZ935PFXwz6Ui:DTru3FS5C/VMpfkg2ROs9dSz6

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: FD5-D41-F76 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Buran family
buran

Detects Zeppelin payload 16 IoCs

resource	yara_rule
behavioral26/memory/3568-31-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/1036-32-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/2388-72-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/3568-2649-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/4280-2963-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/3120-3527-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/2104-3518-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/1036-4019-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/4280-4206-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/4280-4596-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/4280-7415-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/4280-10915-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/4280-14310-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/4280-15885-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/4280-19780-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral26/memory/4280-23193-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Zeppelin family
zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6099) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 3 IoCs

pid	Process
1036	taskeng.exe
2104	taskeng.exe
3120	taskeng.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	Zeppelin_08_03_2021_813KB.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\A:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\H:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\Z:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\W:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\L:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\J:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\E:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\X:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\T:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\R:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\G:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\B:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\Q:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\P:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\K:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\I:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\M:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\V:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\Y:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\O:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\U:	Zeppelin_08_03_2021_813KB.exe
File opened (read-only)	\??\S:	Zeppelin_08_03_2021_813KB.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	iplogger.org
1	iplogger.org
5	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xsl.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsyml.ttf	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-100.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateSquare310x310Logo.scale-200.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailBadge.scale-150.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\OverflowSet.js	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_checkbox_unselected_18.svg	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA	Zeppelin_08_03_2021_813KB.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt-br_get.svg.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.bfc	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\FeedbackHubAppList.targetsize-72.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LargeTile.scale-200_contrast-white.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\TipsWideTile.scale-200.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DetailsList\DetailsHeader.base.js	Zeppelin_08_03_2021_813KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	Zeppelin_08_03_2021_813KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	Zeppelin_08_03_2021_813KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	Zeppelin_08_03_2021_813KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-32_altform-lightunplated_contrast-black.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-64_altform-lightunplated_contrast-black.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\ui-strings.js	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\main.css	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png	Zeppelin_08_03_2021_813KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\ui-strings.js.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-80_altform-lightunplated_contrast-black.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxAccountsSmallTile.scale-100.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.scale-100_contrast-white.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2021.2012.10.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\warn\warn.js	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Graphing.targetsize-16_contrast-black.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\ui-strings.js.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\close.svg.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT.FD5-D41-F76	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-150.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.scale-200.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-20_altform-unplated.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare150x150Logo.scale-200.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-200_contrast-black.png	Zeppelin_08_03_2021_813KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.targetsize-20_altform-unplated.png	Zeppelin_08_03_2021_813KB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskeng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeppelin_08_03_2021_813KB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	Zeppelin_08_03_2021_813KB.exe
Token: SeDebugPrivilege	3568	Zeppelin_08_03_2021_813KB.exe
Token: SeIncreaseQuotaPrivilege	1996	WMIC.exe
Token: SeSecurityPrivilege	1996	WMIC.exe
Token: SeTakeOwnershipPrivilege	1996	WMIC.exe
Token: SeLoadDriverPrivilege	1996	WMIC.exe
Token: SeSystemProfilePrivilege	1996	WMIC.exe
Token: SeSystemtimePrivilege	1996	WMIC.exe
Token: SeProfSingleProcessPrivilege	1996	WMIC.exe
Token: SeIncBasePriorityPrivilege	1996	WMIC.exe
Token: SeCreatePagefilePrivilege	1996	WMIC.exe
Token: SeBackupPrivilege	1996	WMIC.exe
Token: SeRestorePrivilege	1996	WMIC.exe
Token: SeShutdownPrivilege	1996	WMIC.exe
Token: SeDebugPrivilege	1996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1996	WMIC.exe
Token: SeRemoteShutdownPrivilege	1996	WMIC.exe
Token: SeUndockPrivilege	1996	WMIC.exe
Token: SeManageVolumePrivilege	1996	WMIC.exe
Token: 33	1996	WMIC.exe
Token: 34	1996	WMIC.exe
Token: 35	1996	WMIC.exe
Token: 36	1996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6056	WMIC.exe
Token: SeSecurityPrivilege	6056	WMIC.exe
Token: SeTakeOwnershipPrivilege	6056	WMIC.exe
Token: SeLoadDriverPrivilege	6056	WMIC.exe
Token: SeSystemProfilePrivilege	6056	WMIC.exe
Token: SeSystemtimePrivilege	6056	WMIC.exe
Token: SeProfSingleProcessPrivilege	6056	WMIC.exe
Token: SeIncBasePriorityPrivilege	6056	WMIC.exe
Token: SeCreatePagefilePrivilege	6056	WMIC.exe
Token: SeBackupPrivilege	6056	WMIC.exe
Token: SeRestorePrivilege	6056	WMIC.exe
Token: SeShutdownPrivilege	6056	WMIC.exe
Token: SeDebugPrivilege	6056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6056	WMIC.exe
Token: SeRemoteShutdownPrivilege	6056	WMIC.exe
Token: SeUndockPrivilege	6056	WMIC.exe
Token: SeManageVolumePrivilege	6056	WMIC.exe
Token: 33	6056	WMIC.exe
Token: 34	6056	WMIC.exe
Token: 35	6056	WMIC.exe
Token: 36	6056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1996	WMIC.exe
Token: SeSecurityPrivilege	1996	WMIC.exe
Token: SeTakeOwnershipPrivilege	1996	WMIC.exe
Token: SeLoadDriverPrivilege	1996	WMIC.exe
Token: SeSystemProfilePrivilege	1996	WMIC.exe
Token: SeSystemtimePrivilege	1996	WMIC.exe
Token: SeProfSingleProcessPrivilege	1996	WMIC.exe
Token: SeIncBasePriorityPrivilege	1996	WMIC.exe
Token: SeCreatePagefilePrivilege	1996	WMIC.exe
Token: SeBackupPrivilege	1996	WMIC.exe
Token: SeRestorePrivilege	1996	WMIC.exe
Token: SeShutdownPrivilege	1996	WMIC.exe
Token: SeDebugPrivilege	1996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1996	WMIC.exe
Token: SeRemoteShutdownPrivilege	1996	WMIC.exe
Token: SeUndockPrivilege	1996	WMIC.exe
Token: SeManageVolumePrivilege	1996	WMIC.exe
Token: 33	1996	WMIC.exe
Token: 34	1996	WMIC.exe
Token: 35	1996	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 1036	3568	Zeppelin_08_03_2021_813KB.exe	82
PID 3568 wrote to memory of 1036	3568	Zeppelin_08_03_2021_813KB.exe	82
PID 3568 wrote to memory of 1036	3568	Zeppelin_08_03_2021_813KB.exe	82
PID 3568 wrote to memory of 4564	3568	Zeppelin_08_03_2021_813KB.exe	83
PID 3568 wrote to memory of 4564	3568	Zeppelin_08_03_2021_813KB.exe	83
PID 3568 wrote to memory of 4564	3568	Zeppelin_08_03_2021_813KB.exe	83
PID 3568 wrote to memory of 4236	3568	Zeppelin_08_03_2021_813KB.exe	84
PID 3568 wrote to memory of 4236	3568	Zeppelin_08_03_2021_813KB.exe	84
PID 3568 wrote to memory of 4236	3568	Zeppelin_08_03_2021_813KB.exe	84
PID 3568 wrote to memory of 5024	3568	Zeppelin_08_03_2021_813KB.exe	85
PID 3568 wrote to memory of 5024	3568	Zeppelin_08_03_2021_813KB.exe	85
PID 3568 wrote to memory of 5024	3568	Zeppelin_08_03_2021_813KB.exe	85
PID 3568 wrote to memory of 1740	3568	Zeppelin_08_03_2021_813KB.exe	86
PID 3568 wrote to memory of 1740	3568	Zeppelin_08_03_2021_813KB.exe	86
PID 3568 wrote to memory of 1740	3568	Zeppelin_08_03_2021_813KB.exe	86
PID 3568 wrote to memory of 1720	3568	Zeppelin_08_03_2021_813KB.exe	87
PID 3568 wrote to memory of 1720	3568	Zeppelin_08_03_2021_813KB.exe	87
PID 3568 wrote to memory of 1720	3568	Zeppelin_08_03_2021_813KB.exe	87
PID 3568 wrote to memory of 6012	3568	Zeppelin_08_03_2021_813KB.exe	88
PID 3568 wrote to memory of 6012	3568	Zeppelin_08_03_2021_813KB.exe	88
PID 3568 wrote to memory of 6012	3568	Zeppelin_08_03_2021_813KB.exe	88
PID 3568 wrote to memory of 4280	3568	Zeppelin_08_03_2021_813KB.exe	89
PID 3568 wrote to memory of 4280	3568	Zeppelin_08_03_2021_813KB.exe	89
PID 3568 wrote to memory of 4280	3568	Zeppelin_08_03_2021_813KB.exe	89
PID 3568 wrote to memory of 2388	3568	Zeppelin_08_03_2021_813KB.exe	90
PID 3568 wrote to memory of 2388	3568	Zeppelin_08_03_2021_813KB.exe	90
PID 3568 wrote to memory of 2388	3568	Zeppelin_08_03_2021_813KB.exe	90
PID 6012 wrote to memory of 6056	6012	cmd.exe	98
PID 6012 wrote to memory of 6056	6012	cmd.exe	98
PID 6012 wrote to memory of 6056	6012	cmd.exe	98
PID 4564 wrote to memory of 1996	4564	cmd.exe	97
PID 4564 wrote to memory of 1996	4564	cmd.exe	97
PID 4564 wrote to memory of 1996	4564	cmd.exe	97
PID 1036 wrote to memory of 1096	1036	taskeng.exe	101
PID 1036 wrote to memory of 1096	1036	taskeng.exe	101
PID 1036 wrote to memory of 1096	1036	taskeng.exe	101
PID 1036 wrote to memory of 388	1036	taskeng.exe	102
PID 1036 wrote to memory of 388	1036	taskeng.exe	102
PID 1036 wrote to memory of 388	1036	taskeng.exe	102
PID 1036 wrote to memory of 2024	1036	taskeng.exe	104
PID 1036 wrote to memory of 2024	1036	taskeng.exe	104
PID 1036 wrote to memory of 2024	1036	taskeng.exe	104
PID 1036 wrote to memory of 5220	1036	taskeng.exe	105
PID 1036 wrote to memory of 5220	1036	taskeng.exe	105
PID 1036 wrote to memory of 5220	1036	taskeng.exe	105
PID 1036 wrote to memory of 5156	1036	taskeng.exe	106
PID 1036 wrote to memory of 5156	1036	taskeng.exe	106
PID 1036 wrote to memory of 5156	1036	taskeng.exe	106
PID 1036 wrote to memory of 3436	1036	taskeng.exe	107
PID 1036 wrote to memory of 3436	1036	taskeng.exe	107
PID 1036 wrote to memory of 3436	1036	taskeng.exe	107
PID 1036 wrote to memory of 2104	1036	taskeng.exe	108
PID 1036 wrote to memory of 2104	1036	taskeng.exe	108
PID 1036 wrote to memory of 2104	1036	taskeng.exe	108
PID 1036 wrote to memory of 3120	1036	taskeng.exe	109
PID 1036 wrote to memory of 3120	1036	taskeng.exe	109
PID 1036 wrote to memory of 3120	1036	taskeng.exe	109
PID 1096 wrote to memory of 2616	1096	cmd.exe	115
PID 1096 wrote to memory of 2616	1096	cmd.exe	115
PID 1096 wrote to memory of 2616	1096	cmd.exe	115
PID 1036 wrote to memory of 4448	1036	taskeng.exe	116
PID 1036 wrote to memory of 4448	1036	taskeng.exe	116
PID 1036 wrote to memory of 4448	1036	taskeng.exe	116
PID 1036 wrote to memory of 4448	1036	taskeng.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe bcdedit /set shutdown /r /f /t 2
1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3436
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:4000
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:3120
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6012
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6056
- C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe
  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe" -agent 0
  2⤵
  - Drops file in Program Files directory
  PID:4280
- C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe
  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe" -agent 1
  2⤵
  PID:2388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png

Filesize
52KB

MD5
d35b08cf44f0acdf5ccd27dab12e671b

SHA1
5508eb28ffb8e228a806df2458306963877c1ef6

SHA256
ba08de4ed3fd0f743a0200061984e6841e039507912440b47d8a732c069a3b85

SHA512
488b3eb269af9286da3f6691ad7918093d15a072359097cd89c7c39062e9913314493d81713cea9c3075012257165d32e8dd323571660c33a0cf1e5733100ab1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png

Filesize
52KB

MD5
8e422eaea65b8b6f05f94e716e72318a

SHA1
1c1d27513009a4e4a42073bd6ba16e09b176b989

SHA256
a0284bd524ad09543d5e271b5c35923101ca057ff01b24b9811be32a08a74237

SHA512
4d4a7f95477b5e253ed4e55270ba623c7b0c0e4e346ca35a6016362bca04022f325f317d92c5ff336d996903ea9cdf926944df81b5d6a49d76a71802f398efb3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
a0e255f27e0e3770e4e93146b95d409d

SHA1
b5081093a7c723a3628b82a67ecd2097840bdfe5

SHA256
21f47d502fe70734375ec607c22d0c40a04248d6de4b8d1034a18affdfaf53f6

SHA512
a76a84c2c0b6bdca72714dddf9239a246aa469aec9fc0d36c128ea87bb66f526a24e574afc6b4d63f20439672f2deee9475e53b521d998bcec1d2953bc349e13

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
35KB

MD5
02f0691d031b8f7dd8ed302195905920

SHA1
640072e9c6718ca54f3b0ade2859b9ec7866cc7e

SHA256
4fe6299e5423187d3fc981683a7d9543909adb3d2f7050351ea175acf90fedb9

SHA512
04828cd876697622e5618e12ef00684b52dc043b8f9e289ed478cba64814edcf72ead97ee3ba36210de6dea0eeca9e5fc5f107651c84552e1afa676a80fa2123

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
0aed8ced5f42c8f9c7bec1b04a571084

SHA1
48ab033b2c9d4c7bb790c205f5a5a7030024c38c

SHA256
c74c47d57e3f18cc195759a58462007cacef9f7c8d3dde6299b0d5076a11fba7

SHA512
f70795385383b9b3a29b523c7f2fe2ff87351a718608a89ec43140d82292de6516f34a14af0099ea5aaf78012a080cb027dce4c439ee33bff5b6e2703e6a03c8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js

Filesize
6KB

MD5
802887cf94d4230880186a7293eb5488

SHA1
efb8fa8bac56a35c5e2fcd07eba25a9f634ef8c0

SHA256
6fbd6c8529ad8cb85bad168b430a086dd3ceee36c4be06c5ba7193d1cc9e9d7f

SHA512
e38cfe79abf88b038aa1225bf4c4ffe1a065090f74dd2a06eb49172a9eaa5fc729c8e42c48f125eefc282d52aa26b6f5c8f3cddb8b752cba5116705057fc6bea

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
d6b4cbd09eb73890bd9b00b3e74f12dd

SHA1
4a5398b7d3a52e3d5982236da741bd819dbe76ff

SHA256
9ed0221f0362b2363052b2aa8f6116f16e017d4d1ee0cd88d1e42971146bfdf9

SHA512
e8cb832d9124459b45955158147365820b05c401d29ebb8a068e069c8f592f79fb15444c707c108474701c74230d1c25cbc46828ce3c5867cc9ae2b2cc162b28

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations_retina.png

Filesize
21KB

MD5
abeb9028d7b8eed313b9332b0f4f3e17

SHA1
ea33d63d527caa6919fdf3bb252e0cbf8e63afc3

SHA256
86f232224c2e8dee93241abe4f35a913f7d02c80ad04b1271e97dba63f8345d7

SHA512
85ac6e0ca6e373774e9ee0f458822aeaa3f812db5470cdc1851e1a437cfb184a20e3fb652b32ade8b33873087828154796111ec49d8a6a97791ff5496f44f18d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js

Filesize
177KB

MD5
8f085564e5cc41c4ae2342a96e344722

SHA1
7cbace4e22db0f25e97ef1860673b43622ef6918

SHA256
b588a773ddb4a10e507b9c02d8bc34342f2de2909521a97dfce23d637e331851

SHA512
681e863cf7bacb5c6b5c881e188c2ddc9ef5dd386fbec94614c6b649b45f2681c270c83d3b6b08a0a4ff9b84acd2e1a1c0ef01bd0820493aa8c236b3a04711fc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
378KB

MD5
e67f839f7ecab4848834ba0f86dab507

SHA1
a0460ad2601832131861884d1e7a8965422f0aa2

SHA256
afe829930a471b698e672acebb67b95a1700fbaf4d8f92206421c69d15fd44cb

SHA512
3475eaf08d61fd01c47a787ab97159af2fcab976148bf87f7f92795fd6f03b09a294d539af7543eb0b1d546603d2e2eabcba2f3c6f7fd5c7e7b6798460cf0c6f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js

Filesize
388KB

MD5
7b278a1568bdc76b59640067667d6621

SHA1
0db894f3d4c6fa6665da67fc63fab73cdfff61ac

SHA256
5cd10e94f135b18a2baddb106c1013309314576bcef0cd78ac688241eeddbb9e

SHA512
0ea8efa975eccf22a4e001ad8c60eb5facffa8665e3c0f1418bc693733973194759c8b2872e545d0d54ec04dd285c7bbea08d57d6719943cd5a8e69079d88a25

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
13KB

MD5
b6ba9d7bd802d9f7230b901174e4f843

SHA1
26c4d489a9dbd5dd15023d7548982080af9be826

SHA256
5c0deac5f230ec23a61a8c22e88e518ab7d3e293976be825d4921b3b3661444a

SHA512
d73b52707f61adbe5547a80815d9ce996fdbd2e6bd1325b04cbd697334a1823a87dec3a85019e7882b7d4ee4401e3632c322c20a53afe6286c2c96f5146ec153

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png

Filesize
10KB

MD5
58beee17a3dabd94509f9e6473da5d40

SHA1
5497a653aeadda89d7f9f55a671e17a580e292ce

SHA256
2650cfa017e2252be08fc4efa5f79b428b65e645e2e6491e296a65c972a4f474

SHA512
a0f35e66db1031285c769c82cc26ba9d01e7f7ec840c8cac9c5f1adb6af6f83163a08cf77981ed1be1d70ad7858db97c33073d14a1fa2704504d80aa180d77fb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif

Filesize
10KB

MD5
0b67e01175c3e63c715e81d3cabf7343

SHA1
fa581a427ab00bbb0caf690205b05461e7e8ede6

SHA256
e5460f5851bb3d2d4868f9171e3a324f80dbb8616024cebcf707e6bcdda8e69e

SHA512
e808a54ef4606e6717390031e33de426f0ef8998b5e5638250bf0da32e154d98457114996c9fe07401ca901265ec651e2338bcead1586eac65a8e47593714c36

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png

Filesize
17KB

MD5
d0315cae6fbf858c6441126653920e33

SHA1
8f4f28c7178be714a5947b4e82b5266e8632b149

SHA256
9369a3d0fe9a5af424e6059002788d514f24df2915704d4b0e5c5c5ee7c56e3a

SHA512
5d65c2a8196cc0bf843806b75b93745914d94b6cb382cb6d2325db3931440258131ae1db1b638a09baa94f5c503b7c7c89052199a9e2d8ae0c0aa38f6f6ac9c4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js

Filesize
6KB

MD5
a1d60ad0224371fae24d3e84361194b9

SHA1
b45a4418da95e33ca11631588219bdc87c85da60

SHA256
c60319202cbd54fdebb49c8aa0e89aa6bfa9d6e141739585f0b9f288ac260311

SHA512
d243368fafc97c1c59d56e716937445814c5cdc83457d284cea8872ca807689b2584b97820c4d32aec8d6e99fc904754c3bf00a30e78adad7eecbe92b20de4e6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
a11bc3b07d5857d438fbebcbd59689ac

SHA1
8f20af166b20c7fe2cb4b1321dff8aa9fe3d502a

SHA256
f8facc76d3b4507a6fac4756f8f910de49d0acc84a06865732f38be8fdc6310e

SHA512
c4314423276203e3faff5cdf43e6a41d86196c7a64777b1c4ee8dddd917e4043c2257c76b6097811f32ae4bdd74b3d34f1c5c7b0714400845373fccb675666fa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
382KB

MD5
ea5337b71d7a0c9253ad9fa891fd5de6

SHA1
cba84fad585b8930fdc1e2b1b51fda71f77733f9

SHA256
2c5cee6fd596e740d1d966caba3f2bff1fbd03a4d2d386bf579fcc64bd65de9a

SHA512
fbf298eccab89edb4105a457852adcf546895a7c536e8f4c87d6195bfb1537fca8093a1cee0bd716c59d49280420cc21a1814f9035f56f7b369ba643a3287e36

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
512efaf125296b54743512a9908dc2c9

SHA1
0ecc51678934f5e8008e0975cd0e67877dfb8a8f

SHA256
d9d13d5c31dd16bfe0745fbcf1f1dcf3509b6b6a6158be5fa1600d2ceb4bf88d

SHA512
7601a2e40c6a6e5581033edbb2e0dc868d80d2295dec5f5c752286f3187bd4f01b9888831718c07111ff6695d6b7bd704b4cd5a8f00024c7dbab5f1244ff22bb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
ee453a50105efd8dae67facb1c556039

SHA1
be18306a0c909a7e063aff3377a4ee223a601658

SHA256
7b43397d5f53973593de16df21c7502d059a2e3e919725d5633a57fd1903959b

SHA512
4dc4171bade4e4fb0864d92067e6f030fa5b440b7f8982b50083855575f32bb32a9134dc079735a8f78b009cc96cc65bbbcf27882ad904040d7638ef8e84e207

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
16KB

MD5
e1265b07807d284ae03c337e3eca1501

SHA1
f464508a219af219fe1187b53f9a7286fca42a77

SHA256
8255e08a85d5c3daac4407f9ef75702a9c2515954908f79755b134659ee3c1eb

SHA512
057b5344365e3e625edc34ee965a831c28801de00d73126333dec4be91d431c83bfc88b24d0133b98b9a710a24cfcbb0387c1a1f0b5548419d90832fa2eca364

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\core_icons.png

Filesize
11KB

MD5
6d213192c8cfa1ac722b115a142d2074

SHA1
1a90db795b2481f2db00a54bca233612cd6b4224

SHA256
3a559300d4dbb491e683611f170bf80eb09f01a9ac5c2dc605175673cc3a1ec2

SHA512
d5552594f00717bf3eb798d0ea2cd8c29e4da22ec998caa4a02cadd714fc31b84c40bc5d8156eb91756e7726a93c6bbfa935ed4e7812545407e9ffcdcb9c2826

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
f70133ddeca68830fd1affb9871f4204

SHA1
d916c0c0545491f95ef52d5a8a75c7426c949932

SHA256
823cf19a9e0400eafa0d45856d63ba0afd586b9cc53c4bb3d9772bd85eb1ffdc

SHA512
2c9db80564dd6c1ecd8a3ddf094269dd3e6148d85cc00231b40feab94e3da00b5456442932938d967d5317ce69745aa07e9c34a51e7ee459170e56b8bf732d83

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
0afd0663f31f4282af042382052618d1

SHA1
ac6d973eec011b9dd8034111ccf001dcdc2acdaa

SHA256
521b862b3f693adb91a33ab2b58479a4fe3e38c504218ec536c6c9c193f78881

SHA512
a0003d898ce1b1ee4b38416c7cbad334b57e3bd5952a5c5ae41ede52e09116c4f7739862e0a74d900babf82e95e59c1fb9b319273fc6fcc79f254f2f0a6ce01c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
3ef1584c1d8c6290904e1505bfc664a4

SHA1
8465b4609bf24271d4a3d568bb3ca3ba0842fb37

SHA256
b3860bb28d0ac27ce3d005ce9fed51efab3cdcbf1a57251bf07e796022330542

SHA512
2a5986ebb09409589176a2a11cc0bd63b965e40b201236c41b2e50a3e8906db553739014c935c0ac41f95afef61df02c735fc679ca3fe81b59f374bdb9b7608d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
544b5f2292894d7ae4b48671a2560b27

SHA1
294ec1a085e04b57b5550721ee0c7559cccfa159

SHA256
d5bdff279a454312fa3ca6e5bae8aa5ec14855106ce524c0702c5fe0a4995234

SHA512
4e9c44d87bd55b1ef5ce53642f31ad453b2e58e83c79f2d1297bd3f7f1f57f0ff1bf265cdcfba4b00c0fa2d6f114ca727d10e96130e254c0fb2d1d171d027dd0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
20KB

MD5
07bca47cbe9d3749b454a0963a513b31

SHA1
568dc561c076577ba5c34bf4b6281eb272926a86

SHA256
fa48e58fd0ee0c20ba305b73519a418b1dbac10dfa98823891696311944f1f2b

SHA512
87776ef4c42f3f36d1016ff99efee803821ede8921749af04182d182a78c5de8a7eda13cbeb7b2ae1795ca5f1c4731e53383fa233021bdbfbed75daa6601144d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js

Filesize
23KB

MD5
9cf67ff13c48834af34aa304407c8a9a

SHA1
1f1a32b864a83a0e24850f2c8ae5cd8ebb13031a

SHA256
4ea1d0ab95443efd382880aad1c039fadb9ebdc0316b0eb1d4bd5b82f4500f8b

SHA512
0fa52868fdfe0e9f11aaac4943f5b50616582be388ac518f072c95c35c77b116c1056e70ab7387e39bba8aa0c6d7e919359b93373a5055ee2e8526a4d00b31ec

Download Submit
C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
935B

MD5
fb76ad3eafe516eefb100080d142c742

SHA1
b0e6de6f0cd9f0b679d6597e3920d756dca3eaf4

SHA256
fc66f64bc3ac04ff90d1c2715d4a8a1d145864f14ae2600ed79a03e9c006847d

SHA512
3199557c4b19761c7d3893bb70f5d1d9055350774c1cd4d9c326a53feb282a3ab08a51b3fdad7b860dfd0b9cc3c3fbd90132f0284d264ea42bc10f544702a4af

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
78b701e3b50607367f8eb6a81b7ed0f6

SHA1
2577ba4804048db9f407408692ff69ea0b20e107

SHA256
959c363058779fec59eb7c7d4ca681006c2d1a0856240a29da7c1b433fb2f39a

SHA512
345541a31ddaf4da4cdfd806ba4644d92c2b1e2e853af312d6ea6e9705ea195ada93d9b78d68f5ec077543952ddabe0b4964a0d6d69368320dabdebd981ccfaf

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL

Filesize
266KB

MD5
83c4e82798c940672de476587b3e79b0

SHA1
29c0b810151cdb4fbdee61e8a7ad543ba4ee6bbe

SHA256
896efcdf86088107979257740779ba18c226a223e7ce2ce5a49595a28dd3a76d

SHA512
fd294ef834c6d76860747d4f97dc267e537efc153efe84d34b30cfe05377fef46235b34149e51466874763dc45826ee7591ff5e826d0085e35c11756dde642b1

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
ba59f7b9568cd2ec5905b1b9a638c8bc

SHA1
af1a44b373091eed74a275259660a58bbf3b0bb4

SHA256
15a1e754f978853945dfbffb5c2083023a6fea3c42c241a9fb9c0cf5bb86d1fd

SHA512
04851319f505d092f8a111971f2af0735a25fe854cd98b3f2ff9d7d239b4322482c0e15c3ac117e397b24909c1a7d6ad31b5bdd00160b6c860537e8d8b540423

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
63KB

MD5
14c1a6a6626c8c23946defc710274411

SHA1
bed5103f3dc2e2b7cd0b3ca510539bd2ce941cdb

SHA256
bdb793346117334a81acb51040ece65e1c0d4f89f3dbf525b8bbae48b49bd51b

SHA512
df83997a6024a3c2aecb96589dabb7526a5edb922a245f1fc67b4cbd7423784f896e167854efe4bdf5b34671e7c2b746056ca17babada80c474f081d0eff9610

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1016KB

MD5
1850f555696d5b14589b07e9b4ae746d

SHA1
8bbfa0c106e4621c86a2ccea94697355d5e6f9f8

SHA256
3f7c3b3914d394211aa1efdeefcbb8ac5bc535537859adb19ca08c9c843721e4

SHA512
e06425f8888027b8f11bf3f580636bea373968be261749ab61359a62aeb7fedbc113cabeabc5a333f6dfaaab1c9cf103f893070181b543e4120dc1b5c29768a4

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
607KB

MD5
9f7fa89de8889e29a8a1eb421cea827a

SHA1
ae0e93a9aef2d16882733f799f90c35921ec0575

SHA256
f19f5c317ce400bdfdbc6f94f4cdacc8153de0fbcc78c9089408dff8a85e635f

SHA512
6f2b04819261560387a9ff95afcf2c20d7a498b592de6f46a4aecfcdfb2b7002ba3e40e9bc75261e4146026a9ba41d9a0d54f1cdde4018cc4257f2aae1ea3ba9

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo

Filesize
611KB

MD5
bb8aaeaf92e42c86bbc4714edd91dfd7

SHA1
c2ac4e589b93669ce13154db8f5f20480a2932db

SHA256
da92d68ebc4f803b5772f09d48c83e29eb09f44be60933fe0c1323953682a805

SHA512
23c280c9358be5117c92e57b76d5a9cd5365359458183407772a25f6e47fa9f1a671361455c488da437e58f8091f64741f2a369ffe83e1dad25be0144f11f429

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
685674a9c0b6b9426f498a125238bb50

SHA1
94a3364900717fbfad77ed44fa6ae368d24447d0

SHA256
eb4c9fd6502dea6c9d5e42ae13c7f7082184772605425c4387aa6eeb1259b311

SHA512
417076bcac1656ee7dbb2d096347de271d361d55113c746bf6de3de9849adad10abae5252a8b126d118e609ac01f37beaa2f5a430c3950fa21e70fd43980b6d0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
bf03ed0d1b1ba6319a1dde5f3eefe7f5

SHA1
e74ec07c1451552bc3be27592e78a9b1447fb552

SHA256
afda3ceeb633c128e567d90bc820649b117b399f6c90f5b564c8041722a08426

SHA512
a146f3580cd95336a513e694b2014ccb4c172214a19b53b32f0bde51ae2a0ba567f84be1738e1a50d61297322ff4ee51e048c8ecbaf4d33200ba7496bf7eee69

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
607KB

MD5
af55df4a1918e367828a58f0fbe1dd96

SHA1
c6948eb748d144711af439beac37b46b09834f0f

SHA256
be06b801d92327e6c9cf556bc270e3833ac1a7a1259b99a2cff2499c7e70d568

SHA512
ed7f14ed4d9828f1fcea8cfaa15af02c7589d647a464955eeace2f53fece1d8c193d752459d1fe935a7b2f2a3fe1e0cc4e5bbbc014f312f7455d7251084a5b43

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
773KB

MD5
65a3f9a2e9a8978f321766a56674d2f1

SHA1
dfd75dfa4582340521c3fdc89163ac0db35f4b58

SHA256
e0bf651b980f227edb754a4bf19c96c1854132566319f989b65f77edb8924ccf

SHA512
cc335ba37b5184b5a0c061f2fc9884244483d885c0171ca3aa7fcf2da26407efdd4f5a8765376dd70c678fb3eae36dd66b30d54481e730e60e379a613a7865ef

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
781KB

MD5
018a9ed75f776164a00c6edf0647498f

SHA1
ad96e31d5f3bbcfe3b0e81140eedf5ec3c782a8e

SHA256
0f14c2f54fcf2f3e5401599762bc6c418f309b37cb4f5b48a90e80ea77bb6bc6

SHA512
8ddca44142ecc90068b3e5cce09dd3ea5218bb8c5bb3398555b1c201fdcae514bde68596af314fae0bf4bc76a368445cc4cec09a510fe85d054b19256fa4755a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
c9be626e9715952e9b70f92f912b9787

SHA1
aa2e946d9ad9027172d0d321917942b7562d6abe

SHA256
c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

SHA512
7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
61e87182d4d4ee6f236fd450c224c31e

SHA1
c08877828e3044340b5f0a6cf73cf2e067152050

SHA256
bff0745ecae7515977b4a0beb44df2a4d152f28a1a548138241896bbafda06dc

SHA512
bb92c04a90f595d5a598ed866795c82170bec0b7cae6ee536cfc4bcb4dcb2e227c59869671a4c18ca26c84ed4fea77abb6d9ed2703cc04330aa589e735bb6629

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
28acbfb9619bc0cfaf3a395fa4cdc000

SHA1
5a029b2f2ccd2bf8ce400c507bd932d18d4795dd

SHA256
794d5022902a5672b14f633648699cca68b7a44dea4c03f77a61269c3cd37768

SHA512
30911328e297257de8d65839ae0688e7c3451e375a8a1fbd6849f893f92d70ebedb667824d9ab8b2ea3939737bdb237ff4791a5ac1e3f6b3b788897f33e63bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NB4TH4X\1rtpu7[1].htm

Filesize
166B

MD5
2e656da4987a5a6d7c92ba8c0cf02b37

SHA1
b1bef9f1385ae1ba2801a74b1614cecce1ca6019

SHA256
c328114af0ada56a6089495ad6f67a4bcea89f9ba1c8b9d509aeafc5c0c22b48

SHA512
05c83648110434a672692570c5ac472d05e4bdfccd5256c8b2a81f98edda568298e077a82986697587fea93e95a804e17ae77ace0a4b09f84fbb24ee1d90e3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KQ1V34\04LRRPGR.htm

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Filesize
812KB

MD5
5181f541a6d97bab854d5eba326ea7d9

SHA1
16d9967a2658ac765d7acbea18c556b927b810be

SHA256
b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

SHA512
c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Download Submit
C:\Users\Admin\Desktop\AddMerge.snd.FD5-D41-F76

Filesize
340KB

MD5
617d05ca7f59bcac85b73fd2b5df23e5

SHA1
4a7621d2ac1fb453603e4c3c90e210b3d188365c

SHA256
07dbbc93456886018febf9eba36f106a2a4898d99711758d96a05e5537e39ef3

SHA512
cded4a721187f706221ca1f40150aed2a0e0abe55616d398d5dc01469383232a7b8a5c86ac4075f30184c3f397005afec524c59f8b3f5f42f349c0ffa8580d12

Download Submit
C:\Users\Admin\Desktop\ApprovePop.xlsx.FD5-D41-F76

Filesize
15KB

MD5
1de178ba2d83be2bed3fdcd475c90547

SHA1
222e14364b3afdef80429bcf21ad7435492a16b3

SHA256
cc343d8ac1ae64850fbbcfcf614a441a5e0c02349c157fc29360bc78ef66f6fc

SHA512
24e2d75e116c889904ecb0dd80be35b64fbe63c7bc17a3e55bccb76970c86237db1b6da1d4052b6538d690bd5e5855a6bb26bc238fdd9f680477b36af894a808

Download Submit
C:\Users\Admin\Desktop\CheckpointRemove.vstm.FD5-D41-F76

Filesize
203KB

MD5
84dcb9c613b9ba3cc1fa1234f90bf5cb

SHA1
20b7e7d779f657ad0cdfa830e92cd1fb21bdd492

SHA256
af8e431a2545f3f3287da9ac6411ef178d9e66c4c7cfb730f9fa63ca8dd4e3c8

SHA512
b8c8513c68744efa6b357863c549bd8043d3d5e3d684e11db6a612475898cd34c7c02051c4eb2a18c0cc6ef972aeef72b1b6e140fc9f37adc5ac62d1ab1fc31b

Download Submit
C:\Users\Admin\Desktop\ConfirmResolve.mov.FD5-D41-F76

Filesize
271KB

MD5
346d748873e94ba55090ad5145659c7c

SHA1
14a879fef805e4c877e2e38747893275cddfe9d8

SHA256
d5bcf03b92b348d2bf7599fad6362f016087f907ababdd7ace03e73246c45663

SHA512
1c4791c384e82dc392eeac3ed7618554404ef9c573fbfae93efa63d2c790c2230935fca11836576062c400299041a05b9656371491fa5eee124977c6222cbe77

Download Submit
C:\Users\Admin\Desktop\ConnectRegister.crw.FD5-D41-F76

Filesize
145KB

MD5
90f809e8109f4c5656f4b1a62b3b28f3

SHA1
4bce1754889b8dcafb1b9de03318dace0abdaa2a

SHA256
aeb71c694346e2ed8b4689cc5dc691dda16b896cf3252412f7727f7ccf073e47

SHA512
27e5947c32ebdd36a5d8be3d1a827b1f5bd40d4037b03c99aa8aaffd7e0bda71e2f89249ee0c74738adc7877339d8203eb252aebbaa5c837ad9c4fea35eee967

Download Submit
C:\Users\Admin\Desktop\ConvertFromStart.eprtx.FD5-D41-F76

Filesize
352KB

MD5
3e07334409007a2068ee0daf7c65a39b

SHA1
7e29d85781b5f88f3b86f2853546f4bbdad2df29

SHA256
a71614ec8cc789db6f21d57e861ed42c33322c7428f490e1a8073e90a8c59d04

SHA512
5e17c4b9cfe547d09daee169880a542dce9520d770156a88e418c7d1a166846b79f379a650021865ea7ce87abc5e62a51afac45bed42e50da6f68ea21d99f4df

Download Submit
C:\Users\Admin\Desktop\DebugResume.html.FD5-D41-F76

Filesize
306KB

MD5
9bcf2eba46d20825def7727807283c67

SHA1
0e52a198b1c318a03049209f520bcc5abf35a3a4

SHA256
10736fe010e355e0f93712fa39e527b606ee4df5ae67bc0ae556fd9c9f6caab5

SHA512
19d0cf841326883e4213a281bc4709014eecea907f9dea386dcb8dad79c0e9fb22272f2b85158793538907ba0a2c3a247cf1421cc45cdbdd870c4ec4dff9fbc3

Download Submit
C:\Users\Admin\Desktop\DenyHide.xlsx.FD5-D41-F76

Filesize
14KB

MD5
7b3183895370e04ad5b7841feb747318

SHA1
8ff62b926f1795a377efb8e5a67a7fdda06f8187

SHA256
afb5d9b3f667d338ad306b35ee0c3cab4789254fbd74761cfc9ef1bdcdb01712

SHA512
4ab70eaf5eeda3f2d5560d8cbe91063f757e69218101f810587a697d0520a5cbd9240c0fc1e52eb0601634d90c5d7ff7a689adc320c90b893967d8c6c57affa8

Download Submit
C:\Users\Admin\Desktop\DisableFormat.mpeg.FD5-D41-F76

Filesize
248KB

MD5
746445533970f37a457a4fcb3d755721

SHA1
4491e4bfb327eda913dfd6c869b3422ca4232fe8

SHA256
07a72319fd5dfb90c3fc889f8abe04bc1246829dc6f2f7679953b6ea400d1f8d

SHA512
059307b9c17455c96b4a6ced2e112ab89adc35effd9830f118c3c25545e453e1356817bcf10b3fa2c077c7829392b53b298487eb572fd5c536cabc992d5cac57

Download Submit
C:\Users\Admin\Desktop\DismountClose.vdw.FD5-D41-F76

Filesize
398KB

MD5
2d45525d610744d80b4e47b4152e18a0

SHA1
a9280f1501e03aee0fe885b061c81e78ff0b6a6e

SHA256
c867f931687ce8cff81ad79fdb8109db795be0484e5f55b2ff0556613ccb5166

SHA512
7d9cd9699761080a8918bb131d6ade8021e2f4f1ce3f1be34d739dae28915342bf009a8d11f8f3bcbba1e5f2c857ef6481d11b82b1f167435fd84f1af45a8b26

Download Submit
C:\Users\Admin\Desktop\FindConvert.pptx.FD5-D41-F76

Filesize
191KB

MD5
889e7de03b36cce75692e22230cbeec0

SHA1
8393d81df6ad256cb2bbb69ffcc2d56e44a2cb9f

SHA256
6fa5cdea5ccaa5c48422a8a5f628cb885ea20c01ec5833d64ea13b196d28a5e3

SHA512
05bd9cbf24231312c9060ee9b68737a0f2107c6b9fd2eef0f0c325114e1f57133c7917b0c06f48aea4d0beedd7c6161a501434c661a990722a194eecbd2dd9f1

Download Submit
C:\Users\Admin\Desktop\FindPublish.tif.FD5-D41-F76

Filesize
329KB

MD5
2d09c9e2adc7ce8a0a697f9586999686

SHA1
0a8806675febffddaa805439347f7952576941f7

SHA256
a5c8ea3051d6aa7948b3c5935eaddb53d0ba4e31a945a69aa5abbac0c81a9243

SHA512
3b0ecb29004a42bde766212415ea806aecd96c600ac3e1749f361514ed05f588574e4e30d852b91f81d8aff018b4d92627467c3df4ee2f87b3de7b3f0a3e2109

Download Submit
C:\Users\Admin\Desktop\ImportTest.mp3.FD5-D41-F76

Filesize
409KB

MD5
28fe03d9d83294e4d19f83a99bb3a798

SHA1
67a3e93fc6490a3ab79dfa15547014d257fb9489

SHA256
8d0472cdbd4f132e8adab493c260a16260d2628c36d845306c8dddf43d17df43

SHA512
36970a4432da1ae347bb8a728f0bd9860aa1e22ae33d115a58f5f245be24adebfc535d9a42b9e22aa8ec65d4dd409226c6ce7a4ac3f85172bcac950946f3e3dd

Download Submit
C:\Users\Admin\Desktop\MeasureRedo.gif.FD5-D41-F76

Filesize
157KB

MD5
911fca65375a5caad74f016882380488

SHA1
34b4194c0014e360d58e9c95d6b5a187cacae94d

SHA256
fa88a3200be4ff91670f1101bfb46b634fe0f8b66959ffafe35b11b0a166da75

SHA512
94ff5318aad188f28601eea8e6932cc6f58ef950d4575fdbec7066d81c19132ea8d2a008031d40853a323eae4c08c2f55d3b77bf7113b65db30b6e1e1a514083

Download Submit
C:\Users\Admin\Desktop\PingSend.doc.FD5-D41-F76

Filesize
294KB

MD5
380cc6facbe4b0f0e68236da02278b95

SHA1
abb53372249f0882e71684484d1ee8c45cc82717

SHA256
ff4f53dd471ed3cd8850f19ac90ce06aa52ed594ea5145b708fa06f27e1cc011

SHA512
7ae4e16aa0d94d7d988e6e184e8b356ba8710599310179c942c6dbcd6b488c85e394acdfd6f618a5ce34fec4e4ca2742dd4cc033dba6699e4d78d4fd1b52b13e

Download Submit
C:\Users\Admin\Desktop\PopReset.gif.FD5-D41-F76

Filesize
375KB

MD5
80f8117721d69603ecc284da07912df7

SHA1
8b952fb35a0f9ddc4ed65e24ee33e681da2a8b3c

SHA256
edd4757a3c38bc3be49a3766a9b9b6b3dd1b3653db7dde461af5efbf7eb45106

SHA512
10bb55d61c5c5dd38a5453e46a58c27f2de4a0ffc9017943a3b497a45bae987085c556684ced002f2d63b8352242016e0f296fd4d0b8b0521fe6ee4b536bbcd0

Download Submit
C:\Users\Admin\Desktop\PublishConnect.ps1.FD5-D41-F76

Filesize
386KB

MD5
51df3114d6b732fb84e748a57ea8bff1

SHA1
4f73df626d675fe93526c7376454f172dedc628b

SHA256
81dbbb48d912828d8043092a5dfa0220a722db4e8435b0fb4fec1972ffba1091

SHA512
b7985cedb6393b37be1c93e3301ddd41f3197b6b5328fde3cfda332b2f552dd4376fa56fc9981908641148b513fef8cbb713d4d36f13b8580e9388201080eb51

Download Submit
C:\Users\Admin\Desktop\PublishRegister.mpv2.FD5-D41-F76

Filesize
168KB

MD5
1fae63822f07c01254ddd0dae17b4e74

SHA1
38cebce23a61e11391c8f63897df262236b194a4

SHA256
1550924070011c5e2d9376fe90740afe224a4e55c3d91afcbd2656dc74a11c33

SHA512
3a28def47f9583fbbe0be3fe25138f3e96a64aba09bdedee23dd7906594a9708904b9d6e08fddc7a1bc82ab9158cbadb00b85d93920894e820428d3d85eac2c3

Download Submit
C:\Users\Admin\Desktop\PushResume.emz.FD5-D41-F76

Filesize
283KB

MD5
8c78a08ca4614f0c39ad723fb134d0b3

SHA1
ead9dd3d0284b13877306796adb3b6dd6be1ece8

SHA256
147fab1608dcb0b627ece9d5bc512c263ef53382355bd37b34577f9195fe0b42

SHA512
dd1922d1e05fef8087805a81c6c8559a89cc85a67f4ce04e0b0a1d11672f228f590f33370bd0f06715c517b7fe6db5e1117401d1a82a97fc1a3eb79eea3825bf

Download Submit
C:\Users\Admin\Desktop\ReadPop.emf.FD5-D41-F76

Filesize
225KB

MD5
29ed4fc653fa9aeb49ed30c235bbbceb

SHA1
5b6c1c58edca5ad8992f0075ac6d323902231971

SHA256
21e2a669db8a23f5104de659b9157d55cfea347270e301b6e0c8a83a4cebc193

SHA512
6a3d82a82ca3b9ec5a356810cb837aa40fb4405893681fe5a80f7ebc1df881dd58942a9fb83d3ca9312e0a3364a2e989f5674e0d8262e0fd58e601ee440a3e96

Download Submit
C:\Users\Admin\Desktop\ReadSplit.vbs.FD5-D41-F76

Filesize
214KB

MD5
8b8572ab1b6a463816b8d860f23c6410

SHA1
edbfc1873f19029c5656972e9f5728d31447b4f4

SHA256
295daa04ad7b0e90f57e73746b6e4e2ef3251f0097f2ae812fa98c534f20e98e

SHA512
8ac87422193d6e5f8bebb29957c11f9052066ec8a7924e89f027426762d255c6a1fd57182ba40d8d90f4a71f8afbc598aa3c41169142f4b51354e05903088cde

Download Submit
C:\Users\Admin\Desktop\ReceiveRequest.DVR-MS.FD5-D41-F76

Filesize
363KB

MD5
7fc100465f8786baf5bbd53932cb5e03

SHA1
9d4d43704e6aa44c1462f54537bfb818c3b515a0

SHA256
be326f4917c6543c3bfb4b2042c829f7309ddb95b3667f180c90558067c04028

SHA512
54d968071994dece48585d73cbd00981dfad5261041b89836539cd608b162d93cfa067f23a12b0e0fa758a0f3a317e976a1ded695eb8272981adeb2fcf3fda8c

Download Submit
C:\Users\Admin\Desktop\RegisterSearch.docx.FD5-D41-F76

Filesize
21KB

MD5
7e3e6e97d632bb116ec70179eef74883

SHA1
f1794196187cc35ce42570486caec581360f08bc

SHA256
96b0052915428b938b728a8fd9c460a083d7663bad3d29c923ea4a0193c54a2e

SHA512
f31b6beea7dc33a4943594a808ba3f49be6bbd151c37c2b651bfbfe398a11022108cdf0cacc82b4d9ba17948f01bbe219269579d91c43a3b674c941fbd31d01a

Download Submit
C:\Users\Admin\Desktop\ShowSearch.inf.FD5-D41-F76

Filesize
260KB

MD5
4dad75598642591f0f1b5a7e0885f30b

SHA1
4a7458f455cf084ff04eca3ec52719116b07ec61

SHA256
4ba848b45c58f36601d144897a7fa5656cd0dc05729ecb67897fef0c51e7476f

SHA512
1257b390e70662ef19f70e2a9780070100c5987a58bc7796c1f46225f0618c249272202d01baec1c49662a2b64488e96eb3440b232375bd8e9c41225dcc5e078

Download Submit
C:\Users\Admin\Desktop\StopUnlock.mp4v.FD5-D41-F76

Filesize
564KB

MD5
f2ed47e29791bde6ad4b5d0f62062839

SHA1
1f7808b4df98802dafb4863c7c56a579b240bd53

SHA256
0bd68e4920aae32247b2d7f7038d287940088bdd4f7fd39cd7159ab67f311008

SHA512
86758cafbb5a6f6779a4d4ddec425243138731771a6f3a84a0afc3f32a418d3b723c5aeb4718678bf8b241ff909724eab057b953dacc3b7b42dc406a55ae4b33

Download Submit
C:\Users\Admin\Desktop\UnblockLimit.wm.FD5-D41-F76

Filesize
317KB

MD5
dfd53937980f274dfdb6b7fc283e66e6

SHA1
31eb4e62752a4cc704f548811e465b2674f8ae71

SHA256
a105b22fbe283d431a64604ed664cba31eddcd9792b1e9c5e266c7b27da663df

SHA512
175093c0de17a3f40d68f237efe75d4abfda6130e1588562afdaa449db521b7f3c965234b52892a34ea8655e31bbc0952b4f95f84bc57c14d340c038f915337c

Download Submit
C:\Users\Admin\Desktop\UnregisterClose.3gp2.FD5-D41-F76

Filesize
180KB

MD5
264f2bead7ea9bc159a66eba7907d78d

SHA1
505097ea2035a1c632608749ececfea1e883b193

SHA256
7df6ac25262fd6e8cdbe22a4508ea0dbbacd71fb7b97b01ab14285f98b99e5cb

SHA512
85462b3cf9808c624c754943e2c8a6f4a9a33f4a9f1e5b54cb2892b7368efcbaca4aefa2c43439aa26365039d214a912e80299711a0c8590cd143ea25430d567

Download Submit
C:\Users\Admin\Desktop\UnregisterSwitch.nfo.FD5-D41-F76

Filesize
237KB

MD5
5fc44cdc50651256cd29c1645d521507

SHA1
865514bc12c2d7045d74a772e17f3b4e071cc830

SHA256
f1732f6539e021b689976b08629cf1adedf8179f736d5f327a19216389fe38d4

SHA512
e149a264f8996e21b24c6f51043cb63d4d50e7f78beff5667e0109b6d4701bf744619751e17aa054df41cee7de8172c8c770691f978ca919ebf2f9137047494d

Download Submit
C:\e57d5b84f944437adbc6f39ef6c7\2010_x64.log.html

Filesize
88KB

MD5
fd5b7aa610618ef70397f0ddc1b06b3c

SHA1
94aa08c7709fc5d23a82394d1b6623f83fa3e178

SHA256
5ff4f09a7ddab77723021fb1e2fbf49811446a12b5ac227b5891c583643aabf8

SHA512
300ac3beca19577ba44f5bc3528e4b57ce6610008d18b992774272eb06825bab9cd771e78d7e82b8cdab79fea87c2bc089003e8398713b136cf455bbddd2029b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1136229799-3442283115-138161576-1000\.zeppelin

Filesize
513B

MD5
ca780293975fe54e0ac9932e9df4ceb0

SHA1
6d09fead02517635390d47cdc209e23b4826577f

SHA256
67631134ad4592e9aca132a7aa7fd1c34d7d110c033515893de84383cba55de8

SHA512
527c86e7db2d1cd3a104321b56909eadcf75fb84c59d1128c31c2dcd81fa7deedfedd1e4bc0e37b39557881719cb58e4820180d7dd3fff6baa1f22d26e45fd58

Download Submit
memory/1036-32-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1036-4019-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/2104-3518-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/2388-72-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3120-3527-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3568-31-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3568-2649-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/3568-0-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/4280-4206-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/4280-4596-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/4280-2963-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/4280-7415-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/4280-10915-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/4280-14310-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/4280-15885-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/4280-19780-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/4280-23193-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/4448-3930-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads