buran | d0c022853ce5af49e193e9187be3710d0bc2380d6c93171d3ba6c483a3483205

Analysis

max time kernel
104s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zeppelin.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 1ED-570-C13 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Buran family
buran

Detects Zeppelin payload 11 IoCs

resource	yara_rule
behavioral1/files/0x0005000000022bb8-18.dat	family_zeppelin
behavioral1/memory/5556-36-0x0000000000670000-0x00000000007B0000-memory.dmp	family_zeppelin
behavioral1/memory/2112-41-0x0000000000070000-0x00000000001B0000-memory.dmp	family_zeppelin
behavioral1/memory/4748-49-0x0000000000070000-0x00000000001B0000-memory.dmp	family_zeppelin
behavioral1/memory/2584-52-0x0000000000070000-0x00000000001B0000-memory.dmp	family_zeppelin
behavioral1/memory/4748-3067-0x0000000000070000-0x00000000001B0000-memory.dmp	family_zeppelin
behavioral1/memory/2004-8428-0x0000000000070000-0x00000000001B0000-memory.dmp	family_zeppelin
behavioral1/memory/2004-14279-0x0000000000070000-0x00000000001B0000-memory.dmp	family_zeppelin
behavioral1/memory/2004-21587-0x0000000000070000-0x00000000001B0000-memory.dmp	family_zeppelin
behavioral1/memory/2004-26123-0x0000000000070000-0x00000000001B0000-memory.dmp	family_zeppelin
behavioral1/memory/4748-26152-0x0000000000070000-0x00000000001B0000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Zeppelin family
zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6104) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Zeppelin.exe

Deletes itself 1 IoCs

pid	Process
1720	notepad.exe

Executes dropped EXE 4 IoCs

pid	Process
4748	csrss.exe
2112	csrss.exe
2584	csrss.exe
2004	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	Zeppelin.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
41	iplogger.org
43	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-125.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewer\LoadingSpinner.glb	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-64.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-72_altform-lightunplated.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-lightunplated.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_agreement_filetype.svg.1ED-570-C13	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\ui-strings.js	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\plugin.js	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\ui-strings.js.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PICTIM32.FLT	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\onenotemui.msi.16.en-us.vreg.dat.1ED-570-C13	csrss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-96_altform-unplated.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-unplated_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIF.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxS	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-150.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-250.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_closereview_18.svg.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-125.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-200_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\PlayStore_icon.svg.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICB.TTF.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\4px.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\1x1transparent.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\IrisProtocol.winmd	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-125.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phones-small.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailSmallTile.scale-125.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalStoreLogo.scale-125_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-30.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\ui-strings.js	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\ui-strings.js.1ED-570-C13	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio_Model_CX.winmd	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-200.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-100_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.1ED-570-C13	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-150.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeppelin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	5556	Zeppelin.exe
Token: SeDebugPrivilege	5556	Zeppelin.exe
Token: SeDebugPrivilege	4748	csrss.exe
Token: SeIncreaseQuotaPrivilege	5036	WMIC.exe
Token: SeSecurityPrivilege	5036	WMIC.exe
Token: SeTakeOwnershipPrivilege	5036	WMIC.exe
Token: SeLoadDriverPrivilege	5036	WMIC.exe
Token: SeSystemProfilePrivilege	5036	WMIC.exe
Token: SeSystemtimePrivilege	5036	WMIC.exe
Token: SeProfSingleProcessPrivilege	5036	WMIC.exe
Token: SeIncBasePriorityPrivilege	5036	WMIC.exe
Token: SeCreatePagefilePrivilege	5036	WMIC.exe
Token: SeBackupPrivilege	5036	WMIC.exe
Token: SeRestorePrivilege	5036	WMIC.exe
Token: SeShutdownPrivilege	5036	WMIC.exe
Token: SeDebugPrivilege	5036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5036	WMIC.exe
Token: SeRemoteShutdownPrivilege	5036	WMIC.exe
Token: SeUndockPrivilege	5036	WMIC.exe
Token: SeManageVolumePrivilege	5036	WMIC.exe
Token: 33	5036	WMIC.exe
Token: 34	5036	WMIC.exe
Token: 35	5036	WMIC.exe
Token: 36	5036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5036	WMIC.exe
Token: SeSecurityPrivilege	5036	WMIC.exe
Token: SeTakeOwnershipPrivilege	5036	WMIC.exe
Token: SeLoadDriverPrivilege	5036	WMIC.exe
Token: SeSystemProfilePrivilege	5036	WMIC.exe
Token: SeSystemtimePrivilege	5036	WMIC.exe
Token: SeProfSingleProcessPrivilege	5036	WMIC.exe
Token: SeIncBasePriorityPrivilege	5036	WMIC.exe
Token: SeCreatePagefilePrivilege	5036	WMIC.exe
Token: SeBackupPrivilege	5036	WMIC.exe
Token: SeRestorePrivilege	5036	WMIC.exe
Token: SeShutdownPrivilege	5036	WMIC.exe
Token: SeDebugPrivilege	5036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5036	WMIC.exe
Token: SeRemoteShutdownPrivilege	5036	WMIC.exe
Token: SeUndockPrivilege	5036	WMIC.exe
Token: SeManageVolumePrivilege	5036	WMIC.exe
Token: 33	5036	WMIC.exe
Token: 34	5036	WMIC.exe
Token: 35	5036	WMIC.exe
Token: 36	5036	WMIC.exe
Token: SeBackupPrivilege	5480	vssvc.exe
Token: SeRestorePrivilege	5480	vssvc.exe
Token: SeAuditPrivilege	5480	vssvc.exe
Token: SeDebugPrivilege	4748	csrss.exe
Token: SeDebugPrivilege	4748	csrss.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4748	4812	cmd.exe	94
PID 4812 wrote to memory of 4748	4812	cmd.exe	94
PID 4812 wrote to memory of 4748	4812	cmd.exe	94
PID 5556 wrote to memory of 2112	5556	Zeppelin.exe	95
PID 5556 wrote to memory of 2112	5556	Zeppelin.exe	95
PID 5556 wrote to memory of 2112	5556	Zeppelin.exe	95
PID 5556 wrote to memory of 1720	5556	Zeppelin.exe	96
PID 5556 wrote to memory of 1720	5556	Zeppelin.exe	96
PID 5556 wrote to memory of 1720	5556	Zeppelin.exe	96
PID 5556 wrote to memory of 1720	5556	Zeppelin.exe	96
PID 5556 wrote to memory of 1720	5556	Zeppelin.exe	96
PID 5556 wrote to memory of 1720	5556	Zeppelin.exe	96
PID 4748 wrote to memory of 2004	4748	csrss.exe	104
PID 4748 wrote to memory of 2004	4748	csrss.exe	104
PID 4748 wrote to memory of 2004	4748	csrss.exe	104
PID 4748 wrote to memory of 2584	4748	csrss.exe	105
PID 4748 wrote to memory of 2584	4748	csrss.exe	105
PID 4748 wrote to memory of 2584	4748	csrss.exe	105
PID 4748 wrote to memory of 1072	4748	csrss.exe	106
PID 4748 wrote to memory of 1072	4748	csrss.exe	106
PID 4748 wrote to memory of 1072	4748	csrss.exe	106
PID 4748 wrote to memory of 348	4748	csrss.exe	108
PID 4748 wrote to memory of 348	4748	csrss.exe	108
PID 4748 wrote to memory of 348	4748	csrss.exe	108
PID 4748 wrote to memory of 4104	4748	csrss.exe	110
PID 4748 wrote to memory of 4104	4748	csrss.exe	110
PID 4748 wrote to memory of 4104	4748	csrss.exe	110
PID 4748 wrote to memory of 536	4748	csrss.exe	112
PID 4748 wrote to memory of 536	4748	csrss.exe	112
PID 4748 wrote to memory of 536	4748	csrss.exe	112
PID 4748 wrote to memory of 2132	4748	csrss.exe	114
PID 4748 wrote to memory of 2132	4748	csrss.exe	114
PID 4748 wrote to memory of 2132	4748	csrss.exe	114
PID 4748 wrote to memory of 2916	4748	csrss.exe	116
PID 4748 wrote to memory of 2916	4748	csrss.exe	116
PID 4748 wrote to memory of 2916	4748	csrss.exe	116
PID 4748 wrote to memory of 4660	4748	csrss.exe	118
PID 4748 wrote to memory of 4660	4748	csrss.exe	118
PID 4748 wrote to memory of 4660	4748	csrss.exe	118
PID 4660 wrote to memory of 5036	4660	cmd.exe	120
PID 4660 wrote to memory of 5036	4660	cmd.exe	120
PID 4660 wrote to memory of 5036	4660	cmd.exe	120
PID 4748 wrote to memory of 4404	4748	csrss.exe	123
PID 4748 wrote to memory of 4404	4748	csrss.exe	123
PID 4748 wrote to memory of 4404	4748	csrss.exe	123
PID 4748 wrote to memory of 452	4748	csrss.exe	133
PID 4748 wrote to memory of 452	4748	csrss.exe	133
PID 4748 wrote to memory of 452	4748	csrss.exe	133
PID 4748 wrote to memory of 452	4748	csrss.exe	133
PID 4748 wrote to memory of 452	4748	csrss.exe	133
PID 4748 wrote to memory of 452	4748	csrss.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\Zeppelin.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5556
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
1⤵
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2004
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4404
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\2010_x64.log.html

Filesize
88KB

MD5
07dd87d85a774d2cfd1bcaf3281e8090

SHA1
4a9e49b82cecdc5c28548b901b274c3ce9c2736e

SHA256
b8081dd3795b39ddc9b1a631ed9db69c33ec125ebf1d12d763f7a58128023d28

SHA512
822aa914c693ea5cd04295fd8bb554fad9a733ef7a8bf5148aab3467013625a3e837a8f1ddb01024ed6ce22d9d1bc021a8084eeda02b6ce1ee2fb3cba8ee6177

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png

Filesize
64KB

MD5
0df89fd9243e18f6ffc81f8b56f5d804

SHA1
09c95dcaf0774a3d68af5e2be62517aa552c6e7c

SHA256
6b9851d58f1321ec115bd9e03c4412ee9cc52b34aef283b073006f0628fbe541

SHA512
18adfa81f6b20508628d2e8f6f13f5dcf5eda9d3f4159bde9a32762b337b2667d63b0bb8e5b69f0a871e193eed7ccdf29d8a42038f68ad8fc76f2abaa261dd27

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png

Filesize
52KB

MD5
5434c0599b02b1f2e05adf3cf6c4c95c

SHA1
b8272b10987527693e5797e7d451bb5458116544

SHA256
3fb619ce6e6320945cdb95b7636633bc0482586365f703e896e89fb870365812

SHA512
57faf04b4959edeb5e49059e6b2c05972016a8441a90d83d126dc5bc7d192e1f6b587ca13131b5dbbd88b8bb49e3535731d5faa9eb65665748703143a97db9b7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png

Filesize
52KB

MD5
be77e8eb09213ee798ff297779ad1ee4

SHA1
90c4484b3d9fd8f9e92ddb6c377e66400da2171e

SHA256
41e9e0a537976869f2d20b0dda607b9fc1e658ab8f6b52aeee106fdaa786b12a

SHA512
0f8ab554010e2f0c013f76568bd8c6e52e1f8ce6f1e675239dfa0494d5b73aa68870da70b7c1c4ebb5f14eb18b6154d97aeded7cfc7718e1e9db57763bd49eb2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js

Filesize
29KB

MD5
600803fe3f58216a095ff54ad08e0171

SHA1
60fd0f1e60cda06e3844a34638641510a1ef74b4

SHA256
291813de06f8feac47faaaf72a1e49034979ba6aacd3fa3344ffa3005d493d6c

SHA512
59deb424a03c6d82ae06e9963ea29e82a56cfb42e7f9d05a25b4b4e682dd8dee79ce6154c9faf10a044d6a499785c3e2c807af853cb3e13da9ff163af298d520

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js

Filesize
9KB

MD5
a102a46ebd0ed6dfc61010e5c0314e07

SHA1
f659c546f3915f6a2d9d9cc9d350e281dec91932

SHA256
b357b6e54bb0797d6dcb7453d03d6c0fa66075142dedc8e33c91117b30f58f47

SHA512
0afb7bf4dc369ffee395bd6ea8ad63c5170453a6c06511efe27d98b459a2ca8c083b6fee87e727623b8bd2897934a81457263ec2e179e4b01eefc737fbb5551b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js

Filesize
10KB

MD5
191a88f6243617e148eddc324b1a6b9d

SHA1
b2ea9f13766ee0275ec06e2288a29e6adf5bf59e

SHA256
6c03a35a3caea9345868efaa32502cf631d64b8093f5d53fef78175aa6017dbe

SHA512
c593b697fed18472f43178028a4bb6c2f3175920d4ea7ede858be36b559a8782f5377b78e9213fb327831aae6b2030f8fa83dd5844fa078ddb4d5ef10d637b76

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js

Filesize
5KB

MD5
9fa1f6a215040b4a4c50032d295828df

SHA1
35ffb438518f56461139124479b217f0067e2895

SHA256
4e631400f7b9ed03a3b3c766dd93d7a251e9c2572ded3f36fde462add2be3591

SHA512
46b952c4a44e488b94783f8b76f4a1e2e8b95b242148a5ae2f92035c1a718e5ce458982de2a1c13d0e69c63ee8f5dd54260ff94696f9ec76a4102a19699f32f3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js

Filesize
6KB

MD5
b733487b6bd399be7b3dc7dc65053add

SHA1
c59416be97be065ef7762f7372ac44fe8f22542c

SHA256
d1436c4372878ad4c39eb8ed773e69e020a24bd88bdc88c13f926ce1e789bd5f

SHA512
e7ba5a552cc5bf71cbe8d984ebb835efbf8779f10f8430d7aa34670f713e45369e67de30e9e766e5931564cd25e39b2c458f97d1f284dbadbf23a7729fe94ede

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
175KB

MD5
77a5208816c27499d9e720955d0af307

SHA1
308f2fd67d99a47b43c4c083446ccbefb0c0e8b8

SHA256
80a027d43147a2ed1f8457e8852383b85071e203e9f76bf407d7e07f4162da6d

SHA512
0db69c4aeea0c47633d0d65a805bfc603d5493b9fd03a0e9b1dee3ac95be46c99690db40f7f524359196f6159f81958b2172427d12d0b6cbb7c6be4bae25f780

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js

Filesize
395KB

MD5
0f695ac3b340dfdacbc10f49e8ee418c

SHA1
75238ba15fb11949e949b2b5f1aeb86c820f1ea6

SHA256
a8e46155a29fde697ae3e70750dd2ea4590ce1606d5cbadefa95dd39f3e04d77

SHA512
894be8fea59423d441f27fd367189f706b7d36bad609eec14084b1d25d165788a50e48a1f83da6f327f39495aa3e9863415ea25a4758cf594dc6c45c4b90ef81

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
2d84ded6e79f7230661848b6b0bc0870

SHA1
abc28f5b57ebb1e971324f273c2866332ccb2fbc

SHA256
696ee9ebb99399a952041811eef59542cb710f443fe27e233280d9787d4d737c

SHA512
b9d9219f556c8907b5ce6e153dc3b8a115ebd3eaf5a63de48a689b4b3b1e3d88a6ad0991bf3d1714092327a915863daf42183f318c1eeda9c1399b2380fc7242

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons.png

Filesize
9KB

MD5
02df4d086fd533216b17fcf747d5135d

SHA1
dd0707792663cdc1b9c8fc8fec267600bfa72ea7

SHA256
87ad3be0d51136e7969f1bf8c77502b1c59df06679a07056a2e1fa4bde23ebca

SHA512
09cd7e9b393f516683ea300a3c814569ab3a876be686df6650e7f0ecba46bff530e3ab2b0cccb92de7a7eb49c6f4846d8877aaab99bf9e21f2be52a5cbdb96c6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js

Filesize
6KB

MD5
466539b3e3d6ee609c6dcad78e391077

SHA1
3521d842a772a7762bc3c4bdb8259adc266b420b

SHA256
0a6eb43d027f3ebb5bda211564151b590447537101a1856672ac8b504cd37eb2

SHA512
23fc4dc9554f311db8b0a08180972f58665b9d41ab03bceb69f3cc81a0a4f80a3313be388f12f514afd8eb3463f49c9baab8662ae2d12393dde8ab4e930c862a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
59006248aede0ce7d7aeb862e36ecc00

SHA1
ed9947b376e6ac5af15f675cfaaa20210115260a

SHA256
8721bce19b7f7193a9e9391354f0d0a9896d5af8fa53752941b4384f9b31a94f

SHA512
b34e589799521f2774ba88045c7a6c5fb4a640fa255f8ead9e6a0b2a50320a3cc1ce47f23f4abffd2322c8d6ae1830ef63ae0f5e9cbadfc0bb00a287dffeb2cf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js

Filesize
48KB

MD5
86fb9a557c83b575101b1839d4451bc8

SHA1
9a0b94402d1b957343d18ca5787f337c1f394ff0

SHA256
e23b4f0302dec118ab246abefbfe9606318df9d279f92a3cb0d324c767f7e87b

SHA512
7df8de2918a462913927ce733218e08eeaea2c48fa9a3b8161c7cd6e55eb8c7ddf62c4e7a23d22de9056f8ceb0ceea7c35323d7b2905a7e30c84791f2ab9e7ba

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
381KB

MD5
b7b5f03e063ad5caa2184c804d321884

SHA1
b992b23c9b586b75d5e9a56a9db641cb0227721d

SHA256
c40f14f4849b5c6302192d2c3e09d3a564212031f3fb90de7ce2498a5f9d7648

SHA512
4c0a305b177bece4342d809aa0fcd86f96f178748f2e7e809c998e8a44a04266480cd6601201eb7619c0a279cfc8400824aba955d25c8f8080ffa09eb8bbf86a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2-2x.gif

Filesize
813KB

MD5
60bfaed2f1a7fd3013032278e963a2d6

SHA1
9c6acac1dd895353a1b0d9eae1e663148929f9f9

SHA256
a17e2876278273bc010a9ee413f175b91b34537d633b22011df2d7ebc1604f61

SHA512
2db0216ab582576b77ebf3cd1e0e37d27a77b220424e49d0d6503bd9b0e127c1c4f8d20774ad4e5076fe371ae9fe0ed4391d4d56d46d5251c45f81db0b8ceb3d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
2aa3552060530a2840bea27c13780ac6

SHA1
95c8e5e2cb97a64adda571e9f2183f42dfd3b8e5

SHA256
ae8edaf15f1dee905a6d52e433e75581536c500c13201476f173b1f745232312

SHA512
a4ad6c1ae4e3c244965e1941b0165ffc703f1634e7971c0b8e1fbe801a10974fdcd2a4eb29589315aff66e0f81dc33c4d86ea71326b71011285a494d5f307774

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
8276ce6877e349c96a5d221d3669dcc9

SHA1
85ca63f6759513bcbb57d5a88aba842fb5732263

SHA256
a3d705ec988c5ab305ffc82565a74db53080f44146db94352f5a87394c3084b6

SHA512
4929e9bee137bdb4a6687632f4b4847beb7feb5f4edbfabaeca5acc35b402256b34222e123fe990612df75afd354349f80d70adb1c6271b6913758c9202a4219

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
9KB

MD5
61f18afcd485ead1aedec498b511c5ec

SHA1
25ee5ad0f71b78bc886d9c33c5f0a5ee6917c291

SHA256
c505f32df6eaf7a35f65df9e0821c2bab004b3c8b947cde0f56599cfb8eea828

SHA512
0ef4ec6e53eeafebbc68ba4ee289efefc1cc70b74f850703910257afa5cb31e6bd2c00af641a8ad93d48fd8f3f138473a4dfe154d4cf325322821ade853619ce

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
49d4c06bd3b37730d3c50bc0f6a9c93d

SHA1
30e77544e3bd481c5e417a4f037c1ac68d45364f

SHA256
88eed33fc011b0de1d20111ff82e97e043c8db4fabc131351cc3b92b88ee61d1

SHA512
193bf7d7fbf5653421716b42e6bceaa1791ea43c77d0f91bd31e75ef1adb85027c98499ddc727c225fbe0623a8c697e6cc07bd21a221eee994f833ee21671c23

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
9a53d58cf5480668a2e50f5a8b33d7d8

SHA1
84dc83709384f40a88eb0bf1c5615351d08f2e3a

SHA256
0a057ea84f6097940796b08db8d152ed827472d44da42d478272dcf3991d986d

SHA512
9eb5dc18c9f3bc8f51a1333af19e4713c41fb5a4e560df30ae65adffe52b3683388021fd171c929b3f9c92b3367528e94dd988948aeca6616d92aae44f52a5ec

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
d16b387d8aec1a68b4e7ac46992b1123

SHA1
4910c38f1adae52e30f09d5e64da5d068d99773d

SHA256
72832d324b754f6ea5404c190deac77b94d92ae7a9589b9dbe23bbb871f73d71

SHA512
b184e932be04147f869b5c845685f1e23da869da66e0b3d095f1bfc676e08d24e609eb90004ea5e1da890e09a51bc086595ed90b534f691f5db189b198e3c2c1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
19KB

MD5
7b5d179930892905307969bbe7a1fedd

SHA1
622c6e0420089bcd7cf1b28b726db9760ca6f8dc

SHA256
84d381c1cca2ed99febb0cd362aad8a8752a05b3b020f54f0c58c18d43e7ac4b

SHA512
52f85768069b5706bb136bb1d01318d320f0b4eda315dcf6db03af70ec644d863925c155f110d1d61a541337fe123a194ea4202716c46a0ecc2483a99fee7b6e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js

Filesize
23KB

MD5
e16fa576de26530ba048495abdba9717

SHA1
e8f85f95ab6f2b56205c2bb55d4ae1c3cfd9e92a

SHA256
cd997b7af2503d62acce464ab452e239d776e44e27f87be4c323b82dc32ba50f

SHA512
8ccf18dbe7cb234c3710c9c6e2931115f310c60e93afdac0fedffedf1fd54b8118a3a0500405401c60303b13a8c1923e783c99fef6dbee1b7153fc425a658be9

Download Submit
C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
646cc2c03e57e2758c29811a2b7e2874

SHA1
559bb35c51db2a4c3393a837af45ce8fe3f71351

SHA256
364e6af0143e3d4745079cd78d71ff894a75d0a47a71791ca416f8252ce49062

SHA512
58055564cf941dee4ff9242b091c8a69c02f9640e2f4d087d5204ffb5ed2ff55e21d401c03111fa1ff9050319468c2f9333e47a738867c1114a4d6f6f3555099

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
1f032d8da7d284cee5b2a3139a2a6c24

SHA1
7313380a93cc929055cb5c458ad1b8e0d63e700e

SHA256
4b48c6bf37e1bae1b925b3c0f0224b02e6a3a630d2d1c69fdf1a4ac15c2bbc8e

SHA512
c3ddbd49e7ab9628b8a67eee12ec238c3cebe946e871fa94821c072d88dcf43c7263b121b7e2440b690274a634e8a1a6da73625337f648730025e73bf7d34f3f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
5924d5f499238e1e3880ceaa58bd9afa

SHA1
19012442e6262f7dcc979079c2e5920a90ab5eeb

SHA256
4bf2e77f4e21ca0038cd51ad3a77133d737ab8838be065170dc604602da3bfe2

SHA512
18098808644927436fdb4befc2e2d1eb44ed53c27430a4d1d1c165ee1839faf96cb7b1f052372ffdc7e5218133ee6b33eae14002b2b87a837a8b7f0b24324122

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
4aa58ddc212b89c6b888c6b8628677c7

SHA1
a76a4bea5ae824cc08b5337640f783586f623f58

SHA256
626e31e4a9c2b52ff3b9b164724fe5b51c5293b6341508982aa395a498cddca9

SHA512
f18aadeece45ef9451708211615668e14d1b900c9f9824138fcd08c4f402225d3994841eec8d8d075980051a4de91681122356e2c9b591b2d99222d23916f719

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
88c4f6cf1b3592fc9f63b4bb7269dbfc

SHA1
e34cdd1119d16ab1e37d2c02e634463692d0baa0

SHA256
c8a66f3a9661659b3088bd214290e24b96f7482ab4b2cea22a9e3341deb41c3e

SHA512
d4d4c42bcfb3062c09dd3ceb486194bb29ef4afcab139f2c8467f91d217df1bfa738be9ce7ad69cd77c1d7e8300025deb88f843f0b2e3e6d481471114dd589b5

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
3f150380a872068ecf0f5692abfb2383

SHA1
ec3378930ad002aca81745753ad9829fb9ca0431

SHA256
b6369918a408706a57557c1dbcd8bfdf61f298e69e9f1262eb0af7d949e688ef

SHA512
6830a356484e2122819903e2438ebce7fc2951a48ee5414002ab24176a42db58dddbe255ed987402dec1bfc4a8290e3253feeedaa35440701540836ff6d1b90f

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
92b1d31f8d8a2b7138db82f9bdff5082

SHA1
ac5f0165d98d2b8426d6d7a10abf089e3f99ea5f

SHA256
6b35dc9cd99d8e9cccfe99b36ff6662ecd7f0fa0c50584acd60819059c034c0c

SHA512
e31288f9b969032d9864da91c7008ce6d31b15d63e5e5f19f6d5983f5f1807bd1344eb3e3b344c6bf9673208054b737093cd49491db89ee843ccc3811727c347

Download Submit
C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
e4f9d1df7b54c90e4f609315334a7284

SHA1
621e3a1a7e222e0e9eff8b18f2056b6016ff05f3

SHA256
b64ddab60b5547ab4bb4feb42ff3204c9ef62f9138f4675bf502fe17804c60a5

SHA512
1ea9619b6830741266c517c0505fa7df883d32fc13ee71d26b3e9e9d5bb9c2c0224114406745830864a8e159010a77fe335daa5ce517dc93b364354b13b43827

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
a952fc69599035756a7465461f76763d

SHA1
ff65a832f47124561179c769faf37492accd2c38

SHA256
6fbe288fe61e34c15224f2a3fcdaea64cbb0b8fee08996e7fb549af9b4620d77

SHA512
dba5ddad3c2a26470492f1d1fdecb986b2087c3465106e7a906da872709358515ee49f30956c1bf994b140188b0806786f426085ec4e7fa6a8f4237f07ac27ac

Download Submit
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo

Filesize
612KB

MD5
59047db3b1f7dea6cbfabde0b77e09ac

SHA1
a542cea0af4339f082c0b5ffad812a96d6e27d19

SHA256
66f4a3fa8b9eca21382d003b9de50cae64bfcf400d9065bf619b17b951a2ebc7

SHA512
5131d4d9c05532937c7760e92a2fa3fa824c06a7f3f2bf4c20d639ebd32a76c6766be0bd80759fc0f6b4418b9ef5702ce35412538f8b2746eb603076440891e8

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
613KB

MD5
d636e905da7439f58b22807e6bc373ae

SHA1
7a0f84d1c255251035b2550cdf8081432a70ae47

SHA256
4b9ae7e03fe0fcfac659b4abacbf58762f9ea0a16ef9efdadae42c08c81c7c71

SHA512
766ece37d7174c57dff38038a85ab3282226d84cf41ccb9b9100a112992e8ebf560568ea7a87d3012c9995244d772fdacf2e2dfdcbd3a07be28fea276027e6e0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo

Filesize
579KB

MD5
460c70333962917110f8dc6c747379ca

SHA1
1da31044993724601ea3de1682a4a279c74851e0

SHA256
df7915a5d7299f37dbd2981dd10ec539da2afd40c86978f76183b77039db69b7

SHA512
07d72fae4a88cfd6dfa23417c1265d96f539edfe28fa6e1b277998bfa869bbcbcc0b0b89346708f6e212b813a040b9d60cf26dbff7782c8e1b56c6033ae48607

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
5d4e906310f4b0a4e92ed322b858b868

SHA1
2f79b392afbe613f2a69c1ede4d5a9c81e288c2a

SHA256
3aba0c4d5540469bddaf4212cdfbe057711e28e939532fe8eefcc4f5c049bccd

SHA512
03c32e438c0e1b08d78738ec802fae8bce7d6faf1654fce1bb230c2b7edba8dee5cece7e5274aacb60a61c8f13506e3f7d35b53c2442001f428008d4bbc911dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
8ed991a3f510e33e0dc92e7f109c333c

SHA1
532116bb1cd5215adc804460aa71a1238092d5cc

SHA256
4152c830ea069adc42ec7703d9515837eb695f72fbf1730eca26a9f916496bb1

SHA512
b1162bc560f3977152370b25d057f03c28b68d9afac34da748b2d0c71e6ba9f02a67017ce61964685528f84cbb0dbd3f8536724afa66358565185b18367f51c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
c5a4792fe498c21c79c1b954ab08d7e0

SHA1
509cb8142c772aac48603db381517288ef2db1fe

SHA256
2b96b8be54b5b970397d23ee683a2330c35ebd93342aefb5440e6fb63321e498

SHA512
551f58efe30366fb69679b31584a2b801efa552d2820b896dd14cc09af7d958f2155560d0ccb7dce0f82c52d0567302e3d5000e0211081736bd2de331470f03e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d08b946a3baf0d0783d53b1e750cb537

SHA1
a2e48069bd543e82341ceabffced5d75a210b9c4

SHA256
6a2e54d408632a9ca55df40f47a9957a793b5bc2a47d7d2ee2424d5c9ff3490b

SHA512
b312ae8396e7d0a3b82a0d0bd31664b8525a79e27e59e6e770a83abcf66bc8f99d6084280794e35baa1e5bfdb3aca63f93682c3c386f0d6a1e54f7ea077d8644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
8d894abdef6efd15f8da486b89091aef

SHA1
b4b54bb8bb7e70bd63a9bf83e527e5bcdcad6d29

SHA256
4143d0ac2a75d2a9b53529581f2426c0b70e26414826ac27ffbc5c22043a5431

SHA512
926ae6401d70c5cc10ed5cb04cd58a541404394ba1fa182ef6f077b50f68dede700abe977bf43dfc3b4e81a7fd86a522c7c3738d8895a303ebc7bf60c75ab7ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
e393e7b25d6323faf6e114da11570020

SHA1
f29d983de38442cd37887288e62be0dcf4b3c59c

SHA256
d30ccd14d835e4678b0505a6e749c45f85d3d62b260a2aca41a39bc0bab99dab

SHA512
7c934cee547d84ab5903c8027049428f64e84725bdf8de56c5af4a83f7748225d37ae107478832818df00d761b4e1894fa9b206abf18095fa4b49bf7cc486632

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
2c30d2b32ec2530a2d37d98f66f2ac17

SHA1
e828dfaf3f2352f0f517a4c57ed5715dcf97581d

SHA256
db62db621dec346503fa3a8e54f119bc7b916553cb00e1c39c20311bd5f3b4cb

SHA512
4c337f24f3f9b529d2121e2f31940e88d93fe2362ab81c649722429d8f9a86f18fc1f362167a216fb0678bb71875097edd54bf9163e413697b74a7b8257617e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8RDJB14J\E46SY2UA.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ONPDW741\4Y2ISIYW.htm

Filesize
18KB

MD5
becd7f8471d0c78886cd1ea6c531a7af

SHA1
6510b22f45d06507a404b24a026160d82cabe43b

SHA256
9643165b888174dcd39b47911846a17db2479f2c4a1148c3314e9d36d14f5d0d

SHA512
2c1b878689130cc8304d9c7fbdd769eeb5b2638c3012fd270ff2025167cf2690ad4381c44c0660e29e344951dc5947c0272952435fb8bec4d074ce6ce5c42993

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8278FA7.zeppelin

Filesize
1B

MD5
93b885adfe0da089cdf634904fd59f71

SHA1
5ba93c9db0cff93f52b521d7420e43f6eda2784f

SHA256
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

SHA512
b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\Users\Admin\Desktop\AddRename.xlsx.1ED-570-C13

Filesize
14KB

MD5
99908fc88623b07a1e7c6d47460a92bc

SHA1
6c20f640c29fe6ac3fb72487c1c7090aea132c40

SHA256
d84dfdd27d81891364340a6a17079edb04dcc843fd056027ee18ddf071795814

SHA512
f73ea5d26754c1681190caba2531651aacdb858fbf0908ea8da4635b78731219294c032c4d5a5fdbbdd54065638a3eda23ecf7a053476caea2c7721dbbd85211

Download Submit
C:\Users\Admin\Desktop\ApproveExit.docx.1ED-570-C13

Filesize
19KB

MD5
3bc34f8e47b5a2319b1a07bcf4200ec3

SHA1
189c27933eb6b25c5dfe2f7eb1e7a1ecf74af642

SHA256
25ddd633a8e5b8457e05f6f3c5440ad5e303c9834448df5b4c321d8c499fd8c1

SHA512
2de90852b7c392fa037b05febceaedb2c322f52675bb6146a13cffda7f5d1e7c2571424684800baa3669caf19022ca60d9ad4067487227722b0df81c77d46a6d

Download Submit
C:\Users\Admin\Desktop\BlockHide.pps.1ED-570-C13

Filesize
425KB

MD5
4d375f6b5c18855146393188ee903b76

SHA1
fdb609595a4fcebee78d3ba23225857f82be20b9

SHA256
5bfdb34a2f5bebb1da1e67807600af3e26e7d9c85356ddaa74b02e31acbb0e9f

SHA512
5edc73efae77f405bfbfe788ae61e7294c4ecaa3c97755976079d175d07f56dedfbd9fe5e4d9469e9b77e98639ded9173cff0254b040c5acaec3b92c9811bf68

Download Submit
C:\Users\Admin\Desktop\EditFormat.pps.1ED-570-C13

Filesize
531KB

MD5
94a348926f9b843032fc23f3d18bf19a

SHA1
c019f00a4048e3c633575ebbfa56978c9072e5c4

SHA256
90dec4758558731b9259fc1ac98636036348576302e9fe03903f4e73c402a4b8

SHA512
32d97e7e1b475991b3a4260aec1dc74bfa3d2ab1b13931c1004759716e0b85fee6deed76e7864d29a7fd8af0eff1ed62acd093980e899a131e6985151a9b848d

Download Submit
C:\Users\Admin\Desktop\FormatLock.jpg.1ED-570-C13

Filesize
510KB

MD5
6d2861f2b44a9f62ab964324ae0ff2f8

SHA1
1073729f6537d9b54e79c224b8135068ecbd7b7e

SHA256
e1d6cbcad6ac97844151c919ff2a6538de3e0b58087e291f1649e108a28097c5

SHA512
da48ed70873430dd2c90b8700c65ecdaa07836a09df54ae1d6a9f33699b4cfc42b65f26d8479307c803e18d07f411628f016eb952127a2564de06807766e034a

Download Submit
C:\Users\Admin\Desktop\ImportAdd.mp2.1ED-570-C13

Filesize
489KB

MD5
029f4846a78d728d86868a137b759b06

SHA1
8f7ad51872e932e84a257c40ee34fd7e08edb9ac

SHA256
6bb27200b8ff5589794359cf38600c309db0acbcac3f626bac8bb0646395d9ee

SHA512
dbb19f0a138507452d5b5d3f4453dd5bf281419d1ec951ca61ed2577ff50305927cf165cce6dfea94c9dc03c1afb7c976c5d63c1b3090350d0821309afe0b92f

Download Submit
C:\Users\Admin\Desktop\LockStop.jpeg.1ED-570-C13

Filesize
722KB

MD5
f90a2aa328de8ceecc3e06fb3fdbd145

SHA1
5e45342eddf5bc3ab8677aca87d11f63f8dcac84

SHA256
f4b64807087215f79803d39cc43180c52781137a9a1f5c35b2f96059e4ad68e4

SHA512
c2571fc1aca286a45e83fb432fbc16957a88794d37b8665626b4c79bb16ac42ea4a474bfc7027edca362f52e0fd26ecdbed313b72377146df6de34ff824851ce

Download Submit
C:\Users\Admin\Desktop\MeasurePush.tiff.1ED-570-C13

Filesize
404KB

MD5
3cda462e8a282a6109c49c3ec7d6edea

SHA1
fcebb5410624498255b153b04c3bf106d8c4ca47

SHA256
c9991bfd26b3ca296763f0341bd08483293c5bfc17071ca7e29e5f50d6514e51

SHA512
83533a295b397ad95a532b2268b7392480f07da3e46122aa2b0c7ffba00dd8f08315bbe0af260ca41d33e736835ba7a9f4924331a36481f0ff889584e9788be8

Download Submit
C:\Users\Admin\Desktop\MoveLimit.potm.1ED-570-C13

Filesize
574KB

MD5
d416f04b29a2d19a381e076faef4ed81

SHA1
d935f8795ad76f1e9537d0467f4b61e56957901a

SHA256
72b9d62d9c3a290d66bf9133d33af699b8aedd5dd2804c8ea25626ba912932de

SHA512
0483fade62eab056785799b6d752315731c78967aeb201a4e518082a9877407a284ba308964b984bb368da166d702f82694c31c06388183ff9efb5518913540e

Download Submit
C:\Users\Admin\Desktop\MovePublish.vdx.1ED-570-C13

Filesize
383KB

MD5
abed1b41bb605c1b08a567c96f20bd61

SHA1
972afe6ad533e1cadcbeb96116dd0232e39735d9

SHA256
0533befdca2761f9ead55ea2a94a388484213c64d2503ec3845ba30d2f20dc75

SHA512
68bb4c0d00f57db6cc36bcaea3d3b0939322ddff4bce82ec1b22762221ee6beebfddaff9063dcdbae5d9bb081dd6ceb0a5d4015795b0ca27d5a5afe9eb828c60

Download Submit
C:\Users\Admin\Desktop\PublishWait.mpe.1ED-570-C13

Filesize
701KB

MD5
20de6b2586651bcf6d06eea8003f1a14

SHA1
54ffddc6eda5ceecafa6df50d4d323d3e63c89c1

SHA256
ea01c3c2edb51aa83f5c54839ec84768cecfe7e568b1a5bfbcf07e4dc67a5bd2

SHA512
825369157651b48a22479124ccdd4e5f1459482aef064aea232d7ed886ac092ec69ab3c9c4af434c303c6cfcb4c1c6a6ce60c33381567c16c201855c7c81ec34

Download Submit
C:\Users\Admin\Desktop\RequestConfirm.wax.1ED-570-C13

Filesize
659KB

MD5
3273298127fc1d9657b0080aa634cca1

SHA1
8afa8828d26cc003aa7d345d1e6447cc8cb2e34e

SHA256
e78c089a26af067d840c9b9bf2e83a29a6c2fc86b81e60e6a7fe1465b3785a78

SHA512
61c45233068bcfd16814485b8dfa9ae4b8922d16409450303c9262e46f29e0e93659ca86504e7b63c995bcdfc3bb0f66dc68ede8b162f0c60a0ccee3705533f0

Download Submit
C:\Users\Admin\Desktop\ResizeConvertTo.mov.1ED-570-C13

Filesize
277KB

MD5
337d5c2914acd1ce92e5296e3050cab7

SHA1
fd24482e5f8a4894944524803f045de2bc36b903

SHA256
3e92355691addeac986314f56c2905dd0efdbb789381bbe2fbd69e767d2965a1

SHA512
4c45fc133a0dbd5dee261ac1f100968df728a2c8b9cd7d0880309f5d3a391d7a904df558197b8df4c97001e43b9d8b705af250de7f0beba3224b999e55f7b0ea

Download Submit
C:\Users\Admin\Desktop\ResizeLock.TS.1ED-570-C13

Filesize
680KB

MD5
c38ab23d06cea7298e0d930135e395b6

SHA1
b4c3ebae7f90ac84ae29aeba057ca48b47fae2cc

SHA256
dbf1006ae670e10336b981994c2b537cd166a56a82c3e9480e20ae48e3fe26ee

SHA512
09ac4cfcad82614116526df1c28f97c3589af4f0c90e319be72e1aa6a6bb50c45181e50af4f28427e4178d3549c617ae15accb218be6de1b2063a9d4fcb43483

Download Submit
C:\Users\Admin\Desktop\RestartPing.xsl.1ED-570-C13

Filesize
765KB

MD5
4a311272abfbb687ac0436a02bf4bedd

SHA1
0d75e2162695d73ad47ced8baea5dcaa3ca484b2

SHA256
45bf3ea9f1f01b1bf7133075710173d4024b63932e19b5455c8536243257f528

SHA512
050819b831ce50e9f4fe45f0cb0752e38ebb1ab283abbd162874fdba24b46e723d82d6946e8faafa73b42614575c5ed9495f1a1175313cdb4cd93fac2ab296b0

Download Submit
C:\Users\Admin\Desktop\SaveClear.ps1xml.1ED-570-C13

Filesize
553KB

MD5
064760c0f45246f06ba72cf4689262c4

SHA1
ba302a82091e581fc2553abb9c8e764cc3597568

SHA256
6786b07e3b546e2527aecbad6b536c7167911437a710043d466f21676ce55523

SHA512
4b5348370658ac6a923bd08bb4d829da3d27392219668128ff2c4b6d5c9cf613538a99fa62ee0a9c9816b7d3d1a65f4e9cb90705667adc775b989d24cc191071

Download Submit
C:\Users\Admin\Desktop\SetBlock.pcx.1ED-570-C13

Filesize
786KB

MD5
fc454aa441679b96ebb6781f8aecad22

SHA1
15e2b643f7ce1ca1b66a977fb188ceb8f5abac0b

SHA256
8ad03692c47209ed4f96e284e02b6d35ed00f2a662fd878c63554c0da890c6e1

SHA512
ee7930aa3a81e3d0ef61da136ccb85b1e199e7a770b544508ce9ef6c97def62dc3c5b2b4a3605532573970105e58ca434d3318da57b340452389ab772f29ece5

Download Submit
C:\Users\Admin\Desktop\SetMeasure.rar.1ED-570-C13

Filesize
1.1MB

MD5
9064c04ccb1f779833b633903716268a

SHA1
6b9bdb8232df753b1653162272217266eb5d758b

SHA256
0b047b5cef3082bbb7de244e3712fe03df265ea9492ea64490bfbf02bb2a646b

SHA512
4ee9461894f3b0fc966063dc422b5a7e5f462264cbea641894babe0b7e71b25c725accaf778504e1d54698c2f7112c093be577b03057ba5ff221cdd8cadb7411

Download Submit
C:\Users\Admin\Desktop\StartWait.vb.1ED-570-C13

Filesize
595KB

MD5
d6a34e84016ec36aab0906b9b7cbd011

SHA1
d05dbdb5574ee829a151c0dd8aaa087cea39ef71

SHA256
4a1be2ba5c616be5eef751eea31687b09f97764ecec70e8ffc3f5eb349a601f2

SHA512
ae4cf1cdbc9acdb7cef9b959f23ccedcba7b48d41dbf86bd9bebe354b000f88d9a48370f0449106130957ae8c676a13b78a5244ccdda9eb6b8e091fa1bd85c5f

Download Submit
C:\Users\Admin\Desktop\StepGrant.aifc.1ED-570-C13

Filesize
298KB

MD5
014c20d60af395a13f6337581eed58e9

SHA1
4506ea7c90b47f78190359e8ba3479f3ee3ec951

SHA256
5938f18732e45210f405d3dc5eeabca1e902c1075fef646258818e336d21e364

SHA512
43f28b4bab41b1370adfffa73da7643dc2b9bbbb8e2e5cee8f400d18a79cd476d1d83c1b6bc9553089fcaa0a2ba93ac70b9c5db33d62afa6046b43a9e501f6ab

Download Submit
C:\Users\Admin\Desktop\StopUndo.bmp.1ED-570-C13

Filesize
468KB

MD5
d7afca6faca0d896b5b82d2c4f6d9849

SHA1
2f9ea05bc18bf039d3aa8af77765e81f6a7fa756

SHA256
32631a65611b9b14940dfa5a58566ca2e009d9051a8cd85bff79e4647dfc033b

SHA512
14823ca75478e74b013b3bc320cce4b8797541689035768a05f9f6a64f6818e20ea5c0c80f7ea845cb5a0864520b7c9ec76bd2cf051043bfa1d68b822152ca5d

Download Submit
C:\Users\Admin\Desktop\SubmitUnlock.vstx.1ED-570-C13

Filesize
447KB

MD5
f10a9aa5ed23b779d66adfaf95875548

SHA1
a565fe32cbaf76410caca46109f6da8237e44612

SHA256
14d9dea95707f9ea7f4dae308318d0db205ce0d1d1c3c1a295f5162d91fb8492

SHA512
8b9f1a61e67de0cba43c2276bf539c3b3fdd586d48eb65c7c5cbd0e51d260e829cdcf4d5805009e96ab64be6e1351e8fa86be06c25c4dc44b513efaac75a307e

Download Submit
C:\Users\Admin\Desktop\UnblockExit.csv.1ED-570-C13

Filesize
616KB

MD5
fbbb4c0b0f197a6c3189236cdd95f803

SHA1
a4051ebf4c0a5deb2513df8e7c22c0834c92b748

SHA256
22ede2b6d947850107f32015325a66505fdf5a63cfa3f8eb3bc7dd654c513df7

SHA512
391d9ea86308a742689d9642b99768012f12c1cd1395d111fed156a72910840c1481619b8f8fd29ae9fe1de8e3473f2843350d235d92b7709bd04aa0f03be0b8

Download Submit
C:\Users\Admin\Desktop\UpdateRevoke.m3u.1ED-570-C13

Filesize
319KB

MD5
c72c0538c045365421602277713e8000

SHA1
4e4f5a0e50b71f8098d424c31ed5aa2102753813

SHA256
3a4671aa2548a5baf879c99bd81e972e2daa271040236c8cccc9d1edf189bfc5

SHA512
4c7963c872a91c238d8053f0504b1dfbac6732d8622d341dbe016a6f6496bd51e48076674780640368f92c2558327b10909c1656c0b710287dc3d418dbbb3641

Download Submit
C:\Users\Admin\Desktop\UseSplit.TS.1ED-570-C13

Filesize
637KB

MD5
b8dd1904b81e0bd253a477a28e79eea0

SHA1
fb67a3ede9a8d1caec78521219bdbeecdb18cfd4

SHA256
ab9e43df607e792fb58b7cfa1cee244ea1689772ceed6936f1e6353fac73865b

SHA512
91a2fd88a8b08021c8446122e57f1a748237ffc3a964a0bfbd1749eca908be8095b14b3413eb995bd64c32a6f9567d1fe7f35fe0dc04a332a779adefc4a609e1

Download Submit
C:\Users\Admin\Desktop\WaitPush.emz.1ED-570-C13

Filesize
340KB

MD5
9db90557569b122b639c8024c612709c

SHA1
f6307d23226100f874b28d6afd18efb9a10b972d

SHA256
a58ed47e5366ee95ec1af79ea4b642bc3781248d933cb4206fa982dd001b5bc2

SHA512
a65edb550c1e0f22bd9c04e2ce667b9c5c273a6cc40799ffa6ac4ee07bc74ddd85291efb487bb261d5e24387577901f772c5968159e6a130f8d3de190f9738b1

Download Submit
C:\Users\Admin\Desktop\WatchInitialize.xls.1ED-570-C13

Filesize
362KB

MD5
79ebefc0a0421002acb1e89809e7b657

SHA1
c1a8d62b28825020a05d5e2cb7c6baac69f2cf28

SHA256
2a76c1ea50f12dc9246f928992ea6ad7780835b8bc52af31f2a1a6e31ee7933b

SHA512
a4ce2559cd9034d6e4420b11988492004966ef5ae72855a1d1bb7e02ab4ba1a85e25c2a3631ba4f48d81c10c279741234a15af8c5a161473c36ce9112e88dfce

Download Submit
memory/452-26151-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/1720-22-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2004-26123-0x0000000000070000-0x00000000001B0000-memory.dmp

Filesize
1.2MB

Download
memory/2004-14279-0x0000000000070000-0x00000000001B0000-memory.dmp

Filesize
1.2MB

Download
memory/2004-21587-0x0000000000070000-0x00000000001B0000-memory.dmp

Filesize
1.2MB

Download
memory/2004-8428-0x0000000000070000-0x00000000001B0000-memory.dmp

Filesize
1.2MB

Download
memory/2112-41-0x0000000000070000-0x00000000001B0000-memory.dmp

Filesize
1.2MB

Download
memory/2584-52-0x0000000000070000-0x00000000001B0000-memory.dmp

Filesize
1.2MB

Download
memory/4748-49-0x0000000000070000-0x00000000001B0000-memory.dmp

Filesize
1.2MB

Download
memory/4748-3067-0x0000000000070000-0x00000000001B0000-memory.dmp

Filesize
1.2MB

Download
memory/4748-26152-0x0000000000070000-0x00000000001B0000-memory.dmp

Filesize
1.2MB

Download
memory/5556-36-0x0000000000670000-0x00000000007B0000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads