buran | d0c022853ce5af49e193e9187be3710d0bc2380d6c93171d3ba6c483a3483205

Analysis

max time kernel
104s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zeppelin.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 21F-2DE-3FE Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Buran family
buran

Detects Zeppelin payload 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000002423e-17.dat	family_zeppelin
behavioral1/memory/5636-39-0x0000000000360000-0x00000000004A0000-memory.dmp	family_zeppelin
behavioral1/memory/4836-42-0x0000000000160000-0x00000000002A0000-memory.dmp	family_zeppelin
behavioral1/memory/4732-50-0x0000000000160000-0x00000000002A0000-memory.dmp	family_zeppelin
behavioral1/memory/3060-54-0x0000000000160000-0x00000000002A0000-memory.dmp	family_zeppelin
behavioral1/memory/4732-3467-0x0000000000160000-0x00000000002A0000-memory.dmp	family_zeppelin
behavioral1/memory/6048-8917-0x0000000000160000-0x00000000002A0000-memory.dmp	family_zeppelin
behavioral1/memory/6048-14483-0x0000000000160000-0x00000000002A0000-memory.dmp	family_zeppelin
behavioral1/memory/6048-24383-0x0000000000160000-0x00000000002A0000-memory.dmp	family_zeppelin
behavioral1/memory/6048-26022-0x0000000000160000-0x00000000002A0000-memory.dmp	family_zeppelin
behavioral1/memory/4732-26049-0x0000000000160000-0x00000000002A0000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Zeppelin family
zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6079) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Zeppelin.exe

Deletes itself 1 IoCs

pid	Process
4948	notepad.exe

Executes dropped EXE 4 IoCs

pid	Process
4732	taskeng.exe
4836	taskeng.exe
6048	taskeng.exe
3060	taskeng.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	Zeppelin.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
38	iplogger.org
40	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\NEWS.txt	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-125_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-colorize.png	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\Assets\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.21F-2DE-3FE	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\AppStore_icon.svg.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\ui-strings.js.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\graph.ico	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nb-no\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Protocol.xml	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\complete.contrast-white.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\KnownGameListRS3.bin	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\ui-strings.js.21F-2DE-3FE	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\sl_get.svg	taskeng.exe
File opened for modification	C:\Program Files\BlockExpand.rtf	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_multi_filetype.svg.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\ui-strings.js.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_opencarat_18.svg.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\SearchEmail.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-16_altform-unplated_contrast-white.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail2x.png.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PayLockScreenLogo.scale-200.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-400_contrast-black.png	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png.21F-2DE-3FE	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\resources.pri	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt.21F-2DE-3FE	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\PlayStore_icon.svg	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeppelin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskeng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskeng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	5636	Zeppelin.exe
Token: SeDebugPrivilege	5636	Zeppelin.exe
Token: SeDebugPrivilege	4732	taskeng.exe
Token: SeIncreaseQuotaPrivilege	5664	WMIC.exe
Token: SeSecurityPrivilege	5664	WMIC.exe
Token: SeTakeOwnershipPrivilege	5664	WMIC.exe
Token: SeLoadDriverPrivilege	5664	WMIC.exe
Token: SeSystemProfilePrivilege	5664	WMIC.exe
Token: SeSystemtimePrivilege	5664	WMIC.exe
Token: SeProfSingleProcessPrivilege	5664	WMIC.exe
Token: SeIncBasePriorityPrivilege	5664	WMIC.exe
Token: SeCreatePagefilePrivilege	5664	WMIC.exe
Token: SeBackupPrivilege	5664	WMIC.exe
Token: SeRestorePrivilege	5664	WMIC.exe
Token: SeShutdownPrivilege	5664	WMIC.exe
Token: SeDebugPrivilege	5664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5664	WMIC.exe
Token: SeRemoteShutdownPrivilege	5664	WMIC.exe
Token: SeUndockPrivilege	5664	WMIC.exe
Token: SeManageVolumePrivilege	5664	WMIC.exe
Token: 33	5664	WMIC.exe
Token: 34	5664	WMIC.exe
Token: 35	5664	WMIC.exe
Token: 36	5664	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5664	WMIC.exe
Token: SeSecurityPrivilege	5664	WMIC.exe
Token: SeTakeOwnershipPrivilege	5664	WMIC.exe
Token: SeLoadDriverPrivilege	5664	WMIC.exe
Token: SeSystemProfilePrivilege	5664	WMIC.exe
Token: SeSystemtimePrivilege	5664	WMIC.exe
Token: SeProfSingleProcessPrivilege	5664	WMIC.exe
Token: SeIncBasePriorityPrivilege	5664	WMIC.exe
Token: SeCreatePagefilePrivilege	5664	WMIC.exe
Token: SeBackupPrivilege	5664	WMIC.exe
Token: SeRestorePrivilege	5664	WMIC.exe
Token: SeShutdownPrivilege	5664	WMIC.exe
Token: SeDebugPrivilege	5664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5664	WMIC.exe
Token: SeRemoteShutdownPrivilege	5664	WMIC.exe
Token: SeUndockPrivilege	5664	WMIC.exe
Token: SeManageVolumePrivilege	5664	WMIC.exe
Token: 33	5664	WMIC.exe
Token: 34	5664	WMIC.exe
Token: 35	5664	WMIC.exe
Token: 36	5664	WMIC.exe
Token: SeBackupPrivilege	2248	vssvc.exe
Token: SeRestorePrivilege	2248	vssvc.exe
Token: SeAuditPrivilege	2248	vssvc.exe
Token: SeDebugPrivilege	4732	taskeng.exe
Token: SeDebugPrivilege	4732	taskeng.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4732	4740	cmd.exe	91
PID 4740 wrote to memory of 4732	4740	cmd.exe	91
PID 4740 wrote to memory of 4732	4740	cmd.exe	91
PID 5636 wrote to memory of 4836	5636	Zeppelin.exe	92
PID 5636 wrote to memory of 4836	5636	Zeppelin.exe	92
PID 5636 wrote to memory of 4836	5636	Zeppelin.exe	92
PID 5636 wrote to memory of 4948	5636	Zeppelin.exe	93
PID 5636 wrote to memory of 4948	5636	Zeppelin.exe	93
PID 5636 wrote to memory of 4948	5636	Zeppelin.exe	93
PID 5636 wrote to memory of 4948	5636	Zeppelin.exe	93
PID 5636 wrote to memory of 4948	5636	Zeppelin.exe	93
PID 5636 wrote to memory of 4948	5636	Zeppelin.exe	93
PID 4732 wrote to memory of 6048	4732	taskeng.exe	101
PID 4732 wrote to memory of 6048	4732	taskeng.exe	101
PID 4732 wrote to memory of 6048	4732	taskeng.exe	101
PID 4732 wrote to memory of 3060	4732	taskeng.exe	102
PID 4732 wrote to memory of 3060	4732	taskeng.exe	102
PID 4732 wrote to memory of 3060	4732	taskeng.exe	102
PID 4732 wrote to memory of 1976	4732	taskeng.exe	103
PID 4732 wrote to memory of 1976	4732	taskeng.exe	103
PID 4732 wrote to memory of 1976	4732	taskeng.exe	103
PID 4732 wrote to memory of 2412	4732	taskeng.exe	105
PID 4732 wrote to memory of 2412	4732	taskeng.exe	105
PID 4732 wrote to memory of 2412	4732	taskeng.exe	105
PID 4732 wrote to memory of 1044	4732	taskeng.exe	107
PID 4732 wrote to memory of 1044	4732	taskeng.exe	107
PID 4732 wrote to memory of 1044	4732	taskeng.exe	107
PID 4732 wrote to memory of 3092	4732	taskeng.exe	109
PID 4732 wrote to memory of 3092	4732	taskeng.exe	109
PID 4732 wrote to memory of 3092	4732	taskeng.exe	109
PID 4732 wrote to memory of 4584	4732	taskeng.exe	111
PID 4732 wrote to memory of 4584	4732	taskeng.exe	111
PID 4732 wrote to memory of 4584	4732	taskeng.exe	111
PID 4732 wrote to memory of 4512	4732	taskeng.exe	113
PID 4732 wrote to memory of 4512	4732	taskeng.exe	113
PID 4732 wrote to memory of 4512	4732	taskeng.exe	113
PID 4732 wrote to memory of 1712	4732	taskeng.exe	115
PID 4732 wrote to memory of 1712	4732	taskeng.exe	115
PID 4732 wrote to memory of 1712	4732	taskeng.exe	115
PID 1712 wrote to memory of 5664	1712	cmd.exe	117
PID 1712 wrote to memory of 5664	1712	cmd.exe	117
PID 1712 wrote to memory of 5664	1712	cmd.exe	117
PID 4732 wrote to memory of 4556	4732	taskeng.exe	120
PID 4732 wrote to memory of 4556	4732	taskeng.exe	120
PID 4732 wrote to memory of 4556	4732	taskeng.exe	120
PID 4732 wrote to memory of 2040	4732	taskeng.exe	130
PID 4732 wrote to memory of 2040	4732	taskeng.exe	130
PID 4732 wrote to memory of 2040	4732	taskeng.exe	130
PID 4732 wrote to memory of 2040	4732	taskeng.exe	130
PID 4732 wrote to memory of 2040	4732	taskeng.exe	130
PID 4732 wrote to memory of 2040	4732	taskeng.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\Zeppelin.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5636
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4836
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
1⤵
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:6048
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4556
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png

Filesize
52KB

MD5
26252653f6b2b0df7c09270875ccea36

SHA1
a4c919a59ae46eb55a8644df7a9bd331b92da5fd

SHA256
45fd7b43f58929d6ebb3db26e87d0e5c0657b193ad900bd55800b8a896d48516

SHA512
d46ab275208a2cfd5fa5e295b3be5a0021b9bbd2c8d0057b7d0cf1e5cf018f3bcb2e8620f948ad6f4ecef4c6159748a8cf158f446da858fe0cdeecda3ce443bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png

Filesize
52KB

MD5
748bce68fefd91de1ed513041c793bde

SHA1
b541962fac709af1c935db2dcd3c4843b4caeaea

SHA256
39b552edcadb49c2f9fda00a84e4b0351fa5e1be1717ac295c03b0ab7c5cdd9a

SHA512
4266dc54a86cf467a976490d63d9b680704d649ea840856f1c141cea9d0a68995252bcb038cb16b900667f017237259efd3b000f4cfe1878cb5545b302d45047

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
d99602856ef16e8e307388315b443fcb

SHA1
b1c6b149c127e27cfae4e80f301822919b98688c

SHA256
48a5fe996ad0b0dd8ff8b38d4315c80b052067a0a4e50fc0f54bc9352e86d152

SHA512
a6fc31e5a7c1dd9c886ffb693bb4f4e21dd804df142f3bd3255c64bab5226e9c82e7321b2cf20489e892d1b2f40bb4322fe69af192f731b257c36f72b52face4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
34KB

MD5
937f1e7e92898ced3abb6202a13b02b2

SHA1
58e084d8e7978f42dfc9c839dc327ffad3fb0875

SHA256
6775080316b38ceafadccdd498c3b2e5859ccd8d557e8b5579382f1b4701b7c3

SHA512
2279d9612d6cba41def7e328635b691dbf248fb52dfea41e4b98759c3d04e597faebef810767731ad845fd07e4384bfc5188fef902f35be47cc92ebc96a0400a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js

Filesize
10KB

MD5
5a92aac4133c6fa59bb196b6d44e6ecc

SHA1
cf57da41796909e31a106c62e4bdc110fd5518dc

SHA256
8651617733b97b819a31df38df0476f8c70ff754dfd10e589e2cb388fe8ba9b8

SHA512
7feca88442d874b43a3cc87ac203684c3d2a52dad1f0d2b98f95804d35eed5974c19ec1833277ee66a25e6df4067c6bc2d85bbc4ffa2bf797d8ccf75371743ba

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js

Filesize
6KB

MD5
4a72923ec53834321319beea0f38c91f

SHA1
89c86b430e2ada0305d0adb7c92feaf344a75237

SHA256
5224a4081c11848ac03387aa9ccc2bccca26e2079d907fff99af52fa17e47da8

SHA512
75e698d72905a2d64906bd74a6f613c4ffeb9030d86ad7bdcb7c34f2fafb21931e7c912fee81806e4378bf97d54c589a61a7217d168435864f37173559ab0539

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations.png

Filesize
10KB

MD5
712e5d7021e5aad6a4514108606bfada

SHA1
ee3be397ee902534849a153179310688b1b3c1e1

SHA256
9c50288207d8a4bac5b3f85143445aaf90fddd0929a613cf18c31a921214d411

SHA512
066b7246eec7655ecae65d6f3f4165222adf1e4d5a113f1459e0c264142272b532dfca7e23073d264057644f881ec868ad18445ee4dacac7153b0562e846b056

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
175KB

MD5
5c69cdb829148301305c04ac6b7400d8

SHA1
77c95ba8d1aac158effb1e473e943af1170c27c7

SHA256
2f3e26eae1b3d752394d6e1d5344ef1ea6e3c6696d6392ead8cbe36f400479a7

SHA512
d0143257fd6d4f66daf10913bd8b80b26ce3f5b0af5c1b1d8018464963683cf5b8166e739a382ba7fdd61f73a1956887b352afcf3e50f2c1d3ad6dc5d5217591

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js

Filesize
395KB

MD5
b8b3ecaa78ea83d5b66eca1801a4218f

SHA1
d91d1be8cfcbae52043b19d6c01b9a9f17505065

SHA256
3cd213bff1cad72954cd733ecb39935cc8dc5930a0209b1408e624ce287cc0ef

SHA512
46c1bbf771fe08176ba409d512e92e1cfe1a0a71594062b0b1fbce8be4ebca95639aad391c432987b89d8644cb686f1386e99eb54f68a8e15133802aa422827c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
c0f2f6154bc271460411fb1a1cd3f281

SHA1
45e62432e5d2e490174e748dbbfa2243b2d3a485

SHA256
c212b374b6b567e7d173a8d8138a8e305fe5641bf526a0b44c8831e0a3b3d2dc

SHA512
20a590351c94df09d7479c2642abe5e1c9307af77b28f21cf623bf13dc2883da035526beeafcd85bb68810612c3d26b64eeea8de9d33d3544f6d5b7d436c031e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
d4e757fc76177d314a51e55df7adea2a

SHA1
dc850e77d6928d337756fd371a9d6a1a80f04562

SHA256
e1c7494fa242317c1d66c2014399fef48940268e2258b62487606d967e3dee56

SHA512
f04b978b4225704f08892bb915eaa2a09b71b6e16419dc15741c97a770a5d59c836e19b8ad2a8448bf9c40b51fbde1f022b33dcd41d457cc80a3e8ed03c5c62c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png

Filesize
9KB

MD5
2db7ee3a1a5f3683bce68f6d2b53779e

SHA1
2ed4ef66ec30ca66f03c3459c574943a367a6936

SHA256
0ada06685cdfbef2be8fb2f17c46c7c8ffc6d41d539f3f3e37a544027bf8fa9d

SHA512
a157e028da8289534b439fa999560b13329cf03f2784d81ea42955b43805dbdd399b9f06b3dcb94eae6bb3c855cdd9eaa11b17a23713274d6a5effa47af7db6f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif

Filesize
9KB

MD5
e7b66c19aa7e4dcf3e49de2d76adfc32

SHA1
c24dc400df5e05f55aee04b745d5a49159e0fd89

SHA256
cbe50b5fe047db419a5dd497aca61923b6d80588d270dd184f12edbea617785c

SHA512
b394f961f6b60d3e2fbb91ad3e851b45e0a60d05317919e4023fe17938b38f49848ea6f14063a3125698b7a7b515c9ce8fb056613fc490d857bafd8aeb789a43

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
1728e5e10f1bc1053c27901ad88f6107

SHA1
24178c4bb52958f05fc5a8ec9cfabcef977c34f4

SHA256
c11f8dd6aa8587b8996e57d60103d3c66c9bd074569f841d348b48d693d1ae3e

SHA512
2c986d443e82817cc466e250a821434137f04e2320a1bdcba6a825cc008b04c238ab1dd192766ac15665dd48ea82f40c441d57c1a3c1c13416dd74123764a2d1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js

Filesize
48KB

MD5
6ea0859bb31f5639024f424196265ce1

SHA1
1a137292b6f132aa701eb7b617d2287caab25ba1

SHA256
376f8dd447e720827196c177b38dfc4c97971d0336fc4d76923925f12a9a0ffc

SHA512
5afc37b839b080e2f3aad6def62d51236d4d555510fb362e532081f37bcf90be927e9a9bafd8bc3b40a0a9d2dc6190bb113dcfd0f57487907ad1e184902cf31e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
381KB

MD5
10fd39017ff58000fb3e35c2f14ef73a

SHA1
4fbf5dd62d104db6150f0cb13ac75557f226c301

SHA256
5a332db7f1c93de17b9c4a62f57a11f224628e3e1b63327c7e6531488db94566

SHA512
304ccbe8e4eb213d94c4395a792a216a07268857769334d56ab05dcbcee42b16071fd7e02078673500ab6617f9dc8a0f25d903de6c4fdeb81d4f55b1cfd0a0a8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
1ee5a8698dbadf426fd05b3b933d6acb

SHA1
6ec8c35f47e0bf384a77c537b2bb999aad73b376

SHA256
0361a7fd7d9e189e51b37d9c9ae2292a02fd139a4b054f1e93807a66042072e6

SHA512
ea17dfd8569845ee5909e64ff42067ad2d63fda8e764c9248c993c06f2adbb11146d7a0ff66f5ec0b1bf7a1bba68a60a0110107190f9c50570989a76d5dc8e01

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js

Filesize
14KB

MD5
3443c9a7297bc2eaa6cdc632d2aae3ca

SHA1
c982a047ee7a2f2848ae7a41216f2ab4f2c16789

SHA256
c1291a0df39d228a32572ff96151cc8c83503ccb3a9c5a6ab7172a205eb7d65e

SHA512
9d86bb71a828c4023ad3bf93f70db13c45ae25f84c6ffe6ff08b4aefbab289983b66f5d12cdab528e726835b861c3a8c23d745870d363c3f1fae87c1d47ad902

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
869ef07a9f8484548a04175b03aacb12

SHA1
625bb8bbd39b83325ad414e9d07be165b1341d04

SHA256
53b6041b827c15d6662157903e5034eb7b89881df7d845a46847141f35e806cd

SHA512
881aa7a251777f7c21f30026bb0ba2981821fc5f6758d6ae0c81f8da662924b712c91687111d7d5d1c8d3ed49902d27422a9ce1bdf9c5a60520e4de28d9cb8cc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
7c7ce2edd02d4475557a0c0442b1253b

SHA1
70dda170b7ddb6b344587a1d185004610c9c9fc9

SHA256
6b247a12d6077f761fb636f407c131ab8c3c61fc6796ea95c972bd7cd0d7b0d1

SHA512
aad90127884fded762042be98c264ebcea756c9d6982f63f1426217d66a105d5f84f4941ec1986f1db4a3a662a7a73e63e7e8721dfe9c01403943d4fa6d3b12a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png

Filesize
8KB

MD5
a5d8b2f1e8e765a88ff5f72e9f0ea42f

SHA1
c12250a9323cdac8c533beae833b0d8cd2da44f1

SHA256
7f4138435e1713abbb36ccc9a67049b4849eac2011ec7860a44ac827afe451ae

SHA512
2c53d0a89ec3145cf0109ca415daa10bf32ad9c56a6533adf01a87229c9d52638e549a878ea88a1ca2063e4f961b092bc45bf0adc8e33a52af67abb7ca01b588

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
9KB

MD5
576e96b472000559d7df5ca3cc21e836

SHA1
a6098b8efd06e2e96a3cd065cc26affcbcc0ed19

SHA256
aaf75a6b247cc530045e9550b4c09fc1190772a3dbacd343953a21ed7ba93947

SHA512
94e98aaa80ef4cfe3a8b537a860b613cc203a6ba6530374c42e1e97515aafef7302c39c2a095d5857b8205e7cff922f90f7d1bb56e7a158c5bc73b1ec5a0df22

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
6f1e7471ac16ae8e4a6ddf451e461270

SHA1
961bd1ac4cb427b54a8a9f4d7ee29b2f44908d84

SHA256
e84e9bb2cccda70d1eb89985dbcfb6545ea8a274de3bf8ae815642a3619119db

SHA512
4c5d5957105d617282f6121fd6c86d930e6dd202c48b6126870a9676da047860989ca19bad9372839ced76c0dfa5b26d3b87e69295ceb5c3dab986ab27366600

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
4ccd9b221c1462a0a4fc9f84f916b6fc

SHA1
f7b6662efcf59f3822bc7baee64b7962b83ad91c

SHA256
29f808beb768fb6101669f7f46cb005c4227c071ac46fe97084ba8b8b557fe20

SHA512
8a79dca62995cfb436eff73d9953ec6f5aeef1417f6be1779478a196c004a3f81b96919ded624e9aaaf0441a388c768b2548c02c9d74a68765651514b0750e39

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
e6c595ee4538bb5c9d88315f86f3616f

SHA1
e7feb0cc5d0890528d7e6e38bae57c03b523c62a

SHA256
b48d79ab3451c6a8ae01310b69885e25b94b5e12bde2c5c04bba545a269b5396

SHA512
bdfd071bd360bb7822cccfba10aa3747b5189bbe08ab569ac8d498d5c08226c2371ba13eec64293754d7216c51436778f96b50692348ba9f2c082c6b42c04d0f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
044618ebae6f4c5c3f4b8970fc55999e

SHA1
47c83c998a48e46626d6e49e147e22c7894debe5

SHA256
48506973cfe9c4bd5477f3f711ba7a703518807a1e07e685c48cc58e983b5807

SHA512
de9f170006d95ba5c8a54d311f69c9d5a3e325fe12e87091d9eba8e13bb194af8c65f5a4f51e4ce8a30391b579037540559a6a0f0dffc6ae63fdcc53b1098dc5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
19KB

MD5
0f64c350a866a51c31621a764d15d4d0

SHA1
7c2ee5730bc919d8c2ee262a99ce0ff155aae607

SHA256
f6d84a9c33c225f311121a63a489e2b8034e5ae3b8680a15edfc0e0baa178cac

SHA512
9afec948a8e2dd514afb175cb7eb0f98409ddfab5bf38222b27b11b143ba1c8e9daac7517276d27f5ef432ecae74c942350032cfd450835f38f016a67e1fa9aa

Download Submit
C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
1189263c132c7dfc675265afb396e9a4

SHA1
3f4710ae1c5c311718a59892761cb3ae3309a960

SHA256
9137736785741b7eb77ddec7a49381f2e3ac7696aab0d908579d04842c1a6c5f

SHA512
643cc0c57ff36821ce3d4926e4e39a9f28d32126019edf4c41a0c16e8e42571af6a9b85d7df92c8eb06b64b940b4b7d53624c9c77f7060f5aeb51a2f013afc1e

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
3f6c9937ccd7d4db61c165f1dca73b76

SHA1
3239b9918d813a7499cadd66a9c1f295f30dbebf

SHA256
d146809b492e76b734a6a780ab395cd2d580d6fcda79f57ab96ed0fbafe62496

SHA512
4bc156562230b1c92fdfb63803be6efaaf613668cfa8adec26b9a3d38d610e41d871f56f31230b313bb57c23ff8bb60cdbd6a1fe600029bd01ef1dda0ec0e422

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
57682417d6afe60a419ad82220055407

SHA1
aa93423d113f1c6ab4ee485c28185a43c6ddec14

SHA256
3da163ef29e54a5d587e5cdba58bf4b76415f4dbbac6dac9f7f4ba13f4efeb84

SHA512
709eb61eb63d53ccd633b9d48fb9148b561ea2f420369004fdcd76acc2d823f543384327c26fa313daef97196f6cbaf6164264d4dcf9323fbd1e0da293acc16f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL

Filesize
265KB

MD5
46138304e706c9e9397c6916da75305f

SHA1
ed4d1684d9168c211c392e1c79e5a9a4ada2caff

SHA256
bcffd31ed74259bb12eea107e13c8efec989003ae8ebd4a33fd9de46e8b41508

SHA512
55e139adca3eabb33f059d9a23dbf3c47bfc6b1c97d01fe2168f83d22cc48b2880dce175519068f0387d3f95d554edc1d04a2fd31c30447b25ed275c9591e073

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
4eeecf724eeaceb061a69cb867b4787a

SHA1
f85a123014190128f2fd49a982648fc7e33b300e

SHA256
832edc44080dada912c673fecb2031fd35da627f81d5dcdc6e0425f0500801e1

SHA512
48910e7083b5779ac71dc64cad634598f23d3ea0ed7906161b77c93d8a4415b7032cad36065c2f6ce5452d1159aaed8e1f708e8de79cdfdf880a381b37347aa0

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
d86b1c19bbdd1e73a457492327a03a63

SHA1
1a01ebc14264b748795a835944e107adc4096b6c

SHA256
40816d4f320c36b414ad61b7b0c23e4e3a01808933065aa66b18e9bb385b5aa5

SHA512
743950d42fdeff1554221546c4f3a224704e8ad6e2010628e6ca41640fc68e741ac8636c1137e3ad530b9180dc121073e27d820f3add28787836e5904ff174c2

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
425974e407c9f6d70a98322452792898

SHA1
6881501b963d124babaab00725c460a5e5bbe635

SHA256
4ce68da8043ea0e41a821c06161dab402834c8a6f439542e70f6a699c377c4c1

SHA512
c76a9e47bce5e80a3c763ca47c044eb4d830e1d3ec5557299abfc04304414745eb3f4ce57d596c17e40b068f36897037c2654d502f96f5971c2d6253a3e86510

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
13e9767452d09ee6f59120d7d80f0e66

SHA1
c03a9f2ef1df035b82770257feb010362477eb0a

SHA256
31a9bbda1b0d5aac276fa848b301a21f939f17260e625f5332c1c7fd8f9f3005

SHA512
38bb91adab4d71380e7bdc6ba503b050017e95198f71beb0f24b2a2d53fca9e7ccc62da2e8bff66d90b450bb2668b8efe943e21f75e147138352bce526a49de0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
c62b1b429a2f206db5790b56fd344fbf

SHA1
5cf14e632e7b13996f461921e01cc588d6641678

SHA256
5ac9b65fd928ff8613869dc58a90710313c25b718d61ebce27bdc932a3eef6aa

SHA512
3cfc75a51776659cd53aa3c9b0fe721c26b3db6000f3e01b965dca187cfb2c1ddb4338691d67a65779c98697369b81d7d7a9b5ee3031c0c3df1e2ab75731c65a

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
3f700493a0fcffecd1e64578c9b1a321

SHA1
87a168b9b02823f5d3bbf225b1130e1c92b4db58

SHA256
56f84ec125cdce6350e029b5b2ef26b407b80a66bfb8d34bc3aeadef68f7607e

SHA512
b14d4e9ccdfa8607e23e9f4775f0da65172ebe1b2a8a79db1295f5868c3bdc626b45c2f40afd740235f4e8832c33a669f3d8504f24735a006ac20f34eb34e184

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
9586c303dfe2884e5f72226253a109ea

SHA1
c1e22c73bf2a6263123c82099656f9fdb5f44d76

SHA256
1081824c82735f867b35ed12fdbe90c202e46452fec6a50947a47076ee5adc98

SHA512
338451cccec2d1045b07f641f41b78e9d7e4e8cfa898df20904c9d573d00390bcaa62ab13e9375f6b954954305339284d5b293f29af1c18c705946fcf50f38c0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
e2bef35eafc7e66fa49dda54c35253f7

SHA1
06d540385f5a3a16f81b2ecb33ba9fcc4c1be965

SHA256
5db82245b38eed6b46c283c68c71c51cd2061dce26b8429dfe53fc0c33625d6f

SHA512
1923dd4193cb5825039ddf6b1d1995a20ac8b18f83995325287298e8b2a272ac505ce9bd449bafd5360aba782a83b0514a78d8e9bc6859867ab90c7338f65230

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
773KB

MD5
03173c6774498e3e6b62373eb920f3fe

SHA1
4259c7b65f933e6b146462cfc5ab15023730758f

SHA256
ccf7e4bb0fa493bb47776088646cebbef716696d9a01fc26840ad53d7abfa986

SHA512
952634345d47379df793406dac31ca30cde6ea977568e06c3bd99c1fc8d4eca46d5d992e37d2fd079261801eb4128fc6904451e2e09d2566ff65a82aace05ab6

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
780KB

MD5
ab07a542c5194c882cb573430f20c932

SHA1
568bb81ee0e01ea9458d2a5e547ae86e04c68df9

SHA256
62479ce1c6f72a9022833d7b760c0e9090030479582c05a713f8bbf72b57ddac

SHA512
8e8b06387af21ef11031e07eb510b0d03079f67a70b3d81c00ce1e1335f985497ddbb458f60052461c30e0364b213e62004f7e9c9e29d587aa04d46d8da26874

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
8ed991a3f510e33e0dc92e7f109c333c

SHA1
532116bb1cd5215adc804460aa71a1238092d5cc

SHA256
4152c830ea069adc42ec7703d9515837eb695f72fbf1730eca26a9f916496bb1

SHA512
b1162bc560f3977152370b25d057f03c28b68d9afac34da748b2d0c71e6ba9f02a67017ce61964685528f84cbb0dbd3f8536724afa66358565185b18367f51c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
c5a4792fe498c21c79c1b954ab08d7e0

SHA1
509cb8142c772aac48603db381517288ef2db1fe

SHA256
2b96b8be54b5b970397d23ee683a2330c35ebd93342aefb5440e6fb63321e498

SHA512
551f58efe30366fb69679b31584a2b801efa552d2820b896dd14cc09af7d958f2155560d0ccb7dce0f82c52d0567302e3d5000e0211081736bd2de331470f03e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d08b946a3baf0d0783d53b1e750cb537

SHA1
a2e48069bd543e82341ceabffced5d75a210b9c4

SHA256
6a2e54d408632a9ca55df40f47a9957a793b5bc2a47d7d2ee2424d5c9ff3490b

SHA512
b312ae8396e7d0a3b82a0d0bd31664b8525a79e27e59e6e770a83abcf66bc8f99d6084280794e35baa1e5bfdb3aca63f93682c3c386f0d6a1e54f7ea077d8644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
5db44335762b766efe877eaa0104b77b

SHA1
0e99239141bf4da0037663d1b34b2bd515ec0915

SHA256
d36aa0ed6de769eb1f25d68123d96f8d1a881b86f944568ed0351c9803a333b8

SHA512
4d7b5a44160b3da10d11b236ae7530894e79e0b31eb58495d68897f9e641b0d1ae1a96c222f1c96e57e52cc1f4bc1ccf77edbffd41bc4c2b36cec3b637cd7a82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
9faed845364cacb6a45bf700174d5834

SHA1
c629846ca4657cda0b4d01f9cd3d1034c9c6d98a

SHA256
fc61f14f38dfa762ffb473ed2c81e8d1109a7fd8cd01af9aad47705a7f2eb0e5

SHA512
038a324d71bb93f5b92abeadffe001f20be916b90cb4b92c5238c224acb0dbc73661ec988171c576ea8107c1dd1fd37a9ab96fc93af56644280ab699c9e983dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
e032edea10cc1acff794ac47a30182f6

SHA1
4495cbc2316c613d427612f6c0bd1d23cc98450b

SHA256
5f295410fdc5550dfee76df389aff2480d6f1057ae526b6303cccd302652e093

SHA512
cad33effb9caf3afb91d1c886123f65c0089e98389ae6891e8a3720565634c52577e06203828361c44d3295e25a03968ab547c3c3759f75ec31bfee252590d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I11VJ0E7\LJAMMIM4.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NOQVVS9S\DE83Z3BG.htm

Filesize
18KB

MD5
becd7f8471d0c78886cd1ea6c531a7af

SHA1
6510b22f45d06507a404b24a026160d82cabe43b

SHA256
9643165b888174dcd39b47911846a17db2479f2c4a1148c3314e9d36d14f5d0d

SHA512
2c1b878689130cc8304d9c7fbdd769eeb5b2638c3012fd270ff2025167cf2690ad4381c44c0660e29e344951dc5947c0272952435fb8bec4d074ce6ce5c42993

Download Submit
C:\Users\Admin\AppData\Local\Temp\C53C6457.zeppelin

Filesize
1B

MD5
93b885adfe0da089cdf634904fd59f71

SHA1
5ba93c9db0cff93f52b521d7420e43f6eda2784f

SHA256
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

SHA512
b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\Users\Admin\Desktop\AddWatch.docx.21F-2DE-3FE

Filesize
21KB

MD5
dd169ba65b10a3efc1e2d9bb2c4aced1

SHA1
d114e7c59ac840a798a74ccd4c4bc715a5b10d53

SHA256
cfa473dcfc8f43f13ea342d968f4e70ea73d630cf13900d64350f7d34356de44

SHA512
721af9d6e020253f1fcc4cfa29c627b3693994223c0dc6c9a496bd54c3a38ac5a7af9330103ce0be2e5219158b2c20d4a48b517f3769492ca532e546d43eb88c

Download Submit
C:\Users\Admin\Desktop\ClearRedo.temp.21F-2DE-3FE

Filesize
412KB

MD5
0bdc1abad9a75824bbd722ee58265d42

SHA1
1fdedea7cc9e767cddc64f09f3003668706e9562

SHA256
f93f925db417bf4897e71ca11525e510f7ec26ef511467fd5769a2cf639c1d2c

SHA512
0a9851664d871776d81b2421b41ec9bd4206433118e21d295c89a02a356b3817fad88b8523cf8562e96ea833ef7fe533aaaac2a8f4ea717848563b3a260a7698

Download Submit
C:\Users\Admin\Desktop\CompareUninstall.inf.21F-2DE-3FE

Filesize
195KB

MD5
0dfcab9911bbb1c8bc562765ba604fed

SHA1
1beae7d3c24c8806d3c6edd1942b58752cfa7819

SHA256
2272304107edbc28ad69320b3d2b7cfcafd2f0572cd4d9c305c8ca49c223079f

SHA512
9e8ad3770b6881fa22fc3da0810f8d2808c7de130aee319c619bb9e9648df2644cec28e0d10e6c3940aa1f0b702c5d0ceeb5ffbaccda64b8acfff34665cdf8c8

Download Submit
C:\Users\Admin\Desktop\ExitResume.dotx.21F-2DE-3FE

Filesize
226KB

MD5
5598ca4e8a4fe2bff578319e80a827b0

SHA1
93b600788057a5b5f62db08284641f2a5b8a5188

SHA256
f05eb0e375cefe648187382fe16d4cce72f547cc1282ee8e8ce6ce0b5afa77b0

SHA512
9679acc13c5e7e7210938027f4a5e013dba4c852db75b3bbcf7929c26169c25664c89d19c958a5a998512027241e6221f87f28dc3ecc8ead698e1e0aef618eb4

Download Submit
C:\Users\Admin\Desktop\FindEdit.xlsx.21F-2DE-3FE

Filesize
288KB

MD5
8af07c1f94bb8974b8f676ab1703285b

SHA1
dbc37ff4a2d87156c45fc7257c77e65f9047b8a9

SHA256
858551894a9d1e2c728255a7e2f486eacce7553fab95870dd8f3d8e662727464

SHA512
ab221953b265ddc70989a03a9dcf88686c9820b4ee6966640f635ca74646c1a0c36dd48d3acefeaf2af741008d5ad04366573093a674ce7b8d4359101e4ab325

Download Submit
C:\Users\Admin\Desktop\FormatBlock.wpl.21F-2DE-3FE

Filesize
458KB

MD5
8d9ccfa73e701ed9662875f80472ced4

SHA1
5b662d221617cc4fb1bdb78e4ce7842b3068a1bc

SHA256
270b3e68373e9d1ef3b4769196d2f03190815b1887c512a7ab6513022520e51f

SHA512
e2c1268151595f7cc7ae7214419259dc4b6a980b3ed2540899d5973c38ddc54742b09438258c3210ad1b764f44425d55541c896e464143f84c6c6a47fe6abea3

Download Submit
C:\Users\Admin\Desktop\GroupSwitch.htm.21F-2DE-3FE

Filesize
179KB

MD5
85b068370ffdb55438e5610cbcfa705c

SHA1
6ff5c493b3f15230160349a21c667a7431fc8a29

SHA256
c9b737a3be235a60a685facd154d8d34f60055da0e904e556cb0a79ba9621389

SHA512
08e765ea383183f68a27418ef7c28db1f3249437f5256b8b1f361975d94f1b1ee34db33f7bd8547f413a473fc0d939c854eb05f1da0c4a825e314340256d9aa3

Download Submit
C:\Users\Admin\Desktop\InvokeConvert.hta.21F-2DE-3FE

Filesize
698KB

MD5
86ed521834f111a0a50ba12a6517ea1e

SHA1
5a4f0782eea279f7df72e42cf33efc21509bfed3

SHA256
d44b022ca8e415f7e4997b4570fe08d126a4b01ecccfb6d68ca66d959738efb5

SHA512
768701ffce8da8a9744fa872c8a3ece6ae32b9fc306ebb82ef5986a469f1cebacd1c181b5fa39ee3d19ff21478528566bd5b27a9891efc3951ccb42b183122fa

Download Submit
C:\Users\Admin\Desktop\InvokeResume.html.21F-2DE-3FE

Filesize
396KB

MD5
22ce07c5d70c6c7e8d4f7e50db822173

SHA1
c94e14b2b80f84b4495ba5ab3bd621672731953b

SHA256
2e378e55d8c1fb9973bb7f797d41cd71ed787cc26410fa39a8050cc640014b49

SHA512
c4fc948c5db5c6bd094d62d5789aeadc68f3a012d00283e35ffaafec39a0817697bf3828e4619e3e9a02e63571c0388f6ad59e53493a6bb47652e480fe5c1271

Download Submit
C:\Users\Admin\Desktop\LockDisable.zip.21F-2DE-3FE

Filesize
257KB

MD5
d445dac1cf34195315173193bf950996

SHA1
919ae019ea6a09877e40488b4de08ea5777b5ae1

SHA256
8a8c39965868b64ea9c3dc3bf7fc79e24f77308ef5a0fd1e48e1fce3ad959d74

SHA512
fe66634007b9d81036ceba17b9441fa278cfe03b651d59ad0bcc376f9eee7054446bf37b0f4f7332e16d74f4ff9847676ad376b618edf8ce3de7463045dda3ae

Download Submit
C:\Users\Admin\Desktop\MoveStep.cab.21F-2DE-3FE

Filesize
473KB

MD5
cd2336e6f2dad49a0315a75e8bb7ed50

SHA1
f8adc43073b2102ec59cde04b5c3d901d39a92b2

SHA256
49299b1b08dc4ffb1c7cf2d17a48e3315f66c88ea9972584e2d26604472f6cd5

SHA512
03c6b805ca4af371ee9e3fb3d0805d1ba8c6248d0ed12564112849e207e8d87f6494391ec989230547f61972a6a977843223930cb4150d7e3c5eb07efaf30296

Download Submit
C:\Users\Admin\Desktop\MoveSubmit.M2TS.21F-2DE-3FE

Filesize
303KB

MD5
a68ad8316fe73558a61d7de633afe2ef

SHA1
15696030fc594c5a9d031ad5a1024e8ac4ae5076

SHA256
44922e951fa64e19cf9e8113f5222e40cb8c34482243a7b6b8553355009a9079

SHA512
50fe2c1a2a017a062a02aec3fc8a982560c021caec6964a19cb74c4d428f06c064c95583f6ac53fa6d71650eab46cba2feb3009c0b36bb3dee4411ec4d76830d

Download Submit
C:\Users\Admin\Desktop\NewUndo.wma.21F-2DE-3FE

Filesize
272KB

MD5
a2a3569ef37cec0ff467f340569df9b1

SHA1
46bb8fe5a317324f1518cac32e115b343e3f5857

SHA256
9e8599bc82c4d9ab0ca5abe1cb37a4066eb482119b59ad4f51466772fdf57367

SHA512
a7efa34c4330be41215d187da8d7b8d3b415f60ee0db4aea4c1e0ec6e4ef0f1193ad737e4b3a309dfce50c9f3a393f68c3300dcab26e398446c7ba8ef278b0da

Download Submit
C:\Users\Admin\Desktop\RemoveImport.mpeg.21F-2DE-3FE

Filesize
381KB

MD5
40de7c393027de3b0ffd328b5f68a54b

SHA1
9f54bcdd5931654c910e31947b0f94b9a51d5942

SHA256
f1747897e67d6b1380ead8a89e7b62b60a376604c658c3362b9cd327ad96dc79

SHA512
f5aed629b16b02ce2193726d743471a682e14c63760341ec0255eb16e059e61854e5ad77005c43ce75fd2c5f005a01583109d50cbb89cd503cc21d978d800f48

Download Submit
C:\Users\Admin\Desktop\ResetResize.xlsx.21F-2DE-3FE

Filesize
14KB

MD5
9fee4b11dd123c41260e6340b594ab70

SHA1
9293ac1fafbe66e42eb13114a51868b53bc7582b

SHA256
0a22c76cda359999cc21dd9c907bd6b770ee4b3e91718621a8f934f49e85b780

SHA512
c591d5382307227fd6cd2a8ab818c064d7f6affbeece644bd559b5c5f4cd720704df8a747d2d559379461e4e047af8061971d773bf4ab2f937c43df05763da35

Download Submit
C:\Users\Admin\Desktop\ResolveConfirm.docx.21F-2DE-3FE

Filesize
504KB

MD5
21fbaa1b06e911be8804b13050c135a2

SHA1
a3be3de1f3a629ae9ca4943ba1182bd3ec55fdc6

SHA256
05900a946bd035bd9f820de4056b7a3a2cf937d4e656216c00333cc2d8fcebce

SHA512
1e7b7f902c2188753b9ee8969b67447bf2c5b2e28da6c4d61ec8277aa7316598a9e504cbb350cc7403a6fb5178815016cd45b22ffa1f13fd9135c008dc786336

Download Submit
C:\Users\Admin\Desktop\SendRedo.ADT.21F-2DE-3FE

Filesize
427KB

MD5
b25010cc4166ff6ef9120675d2273bc2

SHA1
77dc5b9309c5d3339b9d8d2e68bdac1fbaf1cf64

SHA256
e58df3c5ead2927bd0255195e4e25a1db890c978cf348bee98b0865575f80da7

SHA512
79d4e8d3460374729ba1677091d165dc8bb40bf67e5aaa0f0f43d069a8c5cc69bbd9aa38478c9d7a8b8bfcc7f0ad37711243bb34218cda33dd62f9c0e6605d03

Download Submit
C:\Users\Admin\Desktop\ShowRemove.png.21F-2DE-3FE

Filesize
319KB

MD5
72c0b4d071d1d99098ef2b587913cdba

SHA1
18c3a8bdff4eb2e55bc9a04b378130e1219efb5a

SHA256
67f2f10ea779c6aaa31fa5d5c782e7b0ddc9eb3e9d395c18a017b41349553eda

SHA512
11a6ce63c654f23d9335ac46c1744b9da37df68be6b8dc2fb6f7bc3d348d845caf4eb483cf2343ba130d1a528cf984585bf7eff4a6c773f58638ca2513c00143

Download Submit
C:\Users\Admin\Desktop\SplitImport.mpeg2.21F-2DE-3FE

Filesize
241KB

MD5
5a6eb590a44b6e2d36d9a84694020d37

SHA1
74ace4fff6f08650391844813c18082cb7338d37

SHA256
c28eb0e3437da880f41b812aeed7ee104d3c24d7e9cec18c2d32d4becc40946b

SHA512
01ee8f15c890bda1ac2efcb539f87a805ee5818a88c38f31e843d22dd3fdbe1ff1213fcc19bcb1685853715f99e24a2c3446e317abafbbef0fbaf878192afdf5

Download Submit
C:\Users\Admin\Desktop\TestCompare.vsw.21F-2DE-3FE

Filesize
365KB

MD5
6bb2ab3f65dc412ccf206ac201da7a5a

SHA1
c63f8b76d8e161201a1d4e06afc7597ee7356d34

SHA256
6893acb8ad1da5e680369b1baa7f335dd5a888c5f6c9ca2fa8a69fb47c02f965

SHA512
470b4a8b60afc37c570e35848094201869c82af83021f74e46c2f5c66bcf7cafd669b46dd9bc25ba2192961b06ac5e2fadd9fe0e3ddbe05c607bf59a6fc13226

Download Submit
C:\Users\Admin\Desktop\TestPop.ocx.21F-2DE-3FE

Filesize
350KB

MD5
0eb17dd97333e521975ce23bab79795c

SHA1
8ec37ce3775ed43d64789c45057b957ad1d1cf1c

SHA256
fc8e2e5962b73b741fff87d27a8c875cea538002214de678bf5f90a5447b7cdf

SHA512
0063fdc5d6d12ab30f8adf3ec76e7af72b005bcbc07c068b3e4c33ed4b4c4bf95d26a54a22fbbb5ffda90ba3c97da32e281fb38169c15bb32340cb11194037fc

Download Submit
C:\Users\Admin\Desktop\UninstallFormat.mhtml.21F-2DE-3FE

Filesize
489KB

MD5
6c32e9902489982a0c85a1d20cad951d

SHA1
dd18a5f7508fdd1b43a52027e97c0908ad8775b9

SHA256
f26589a5f0c4eeaa4a39dd7696a427373dc41419e80bff55b21ec4bbb08db630

SHA512
4f7c52ebc106f51c30d8c08483224cdd60ef403ddc9689022f1dde387c4a78f94e1a1d3384765f4445816cc84b850abf9477e044d2676c4c8762f0816c3be844

Download Submit
C:\Users\Admin\Desktop\UnlockReset.tif.21F-2DE-3FE

Filesize
334KB

MD5
a1df6c572cd9684e130dac699230290e

SHA1
ed6bc5b8946505ac8bcfd9508e133f91530ac182

SHA256
fa8df5fde312892a09bf173ffa865809ba247fe07e4cd8008fc54a627b9e1fdb

SHA512
d78b3e5e50bc48e44519742c8e33a72caada9c6b647d2e0f529107141f607d60e46616a089b5b4327616cfbdcb4ee192549171cbf534ca06749b8cb38a455f73

Download Submit
C:\Users\Admin\Desktop\UnprotectEdit.midi.21F-2DE-3FE

Filesize
210KB

MD5
0a2374b17557f1b51ef65c60b04040b5

SHA1
6c36f7995049aaf4450e345210edf74923b1eec8

SHA256
78753021d00b45ddb0a2223aea2b8ebd2225c3b7d36871b12ba0aa8d8faafe9c

SHA512
5a015d880d3da2fd575d953bd9c1dc48e5441cd4937be7159d2d6e5f2245b7c00544821af74a260d7e190e0ae077231384e461eb0d67280e54f4ef3f50354b3b

Download Submit
C:\Users\Admin\Desktop\UnprotectExpand.xlsx.21F-2DE-3FE

Filesize
13KB

MD5
1e36da54e15faccee1e2830ea0aa571a

SHA1
060cb210d956fccb86aa15cf20c58caa5cc20e10

SHA256
5793ca372b48e5aa0f26c1654a29bcb68ce3f2781038814a2ae77859b2acbf0f

SHA512
82577e64aad73cddb1d52a40b3db253dcc2333f54452adcf6857a5ead6698b790e7a9685f2653eef30ffa0686b692c22d2baee3e2d3b23acfed0f99027ac178a

Download Submit
C:\fe11fc83a38900fcf766413d81eba9\2010_x86.log.html

Filesize
83KB

MD5
a3b183992e34154a976b4f4f6dc90f71

SHA1
b44bb8b2ead53a559cdfbbc6aeaf24db0df9ffbd

SHA256
960d9154aea14e1d31af84db6e07c109513722ce96fc535be4133f8e5f7810b8

SHA512
0f3519f659bc7ade31d7316464a078987e2da78bffe23b1e035944ec60e0fc54de5142f1229b4f4ccf73bf355b32f9f22fccbd9b78b1722eadf7a444368d31d2

Download Submit
memory/2040-26048-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/3060-54-0x0000000000160000-0x00000000002A0000-memory.dmp

Filesize
1.2MB

Download
memory/4732-50-0x0000000000160000-0x00000000002A0000-memory.dmp

Filesize
1.2MB

Download
memory/4732-3467-0x0000000000160000-0x00000000002A0000-memory.dmp

Filesize
1.2MB

Download
memory/4732-26049-0x0000000000160000-0x00000000002A0000-memory.dmp

Filesize
1.2MB

Download
memory/4836-42-0x0000000000160000-0x00000000002A0000-memory.dmp

Filesize
1.2MB

Download
memory/4948-22-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/5636-39-0x0000000000360000-0x00000000004A0000-memory.dmp

Filesize
1.2MB

Download
memory/6048-26022-0x0000000000160000-0x00000000002A0000-memory.dmp

Filesize
1.2MB

Download
memory/6048-24383-0x0000000000160000-0x00000000002A0000-memory.dmp

Filesize
1.2MB

Download
memory/6048-14483-0x0000000000160000-0x00000000002A0000-memory.dmp

Filesize
1.2MB

Download
memory/6048-8917-0x0000000000160000-0x00000000002A0000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads