buran | 3be964c7bdd8349bed41823d242f36bc525df6323eedb9e6a7144118984020af

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2025, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Size

251KB
MD5

8981ec8170d7378709b0f9989b04a922
SHA1

fe1923cef44847e0a128b66c445827e97c3ed7a5
SHA256

3be964c7bdd8349bed41823d242f36bc525df6323eedb9e6a7144118984020af
SHA512

22f05bc348e92e19f904e8d6d6cd1be768a20abf4b3a378425ba976dcfdb994fe8573dca526d7cb29604349977de0b62e2878b16cd972633a21f4df249dd7046
SSDEEP

6144:k9iaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+iia1vD:dtWvVSAx4DQFu/U3buRKlemZ9DnGAeWP

Score

10^/10

buran neshta zeppelin defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 23E-1A4-DC9 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Buran family
buran

Detect Neshta payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0006000000020342-16.dat	family_neshta
behavioral1/memory/6072-190-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/6072-505-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/6072-8312-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detects Zeppelin payload 16 IoCs

resource	yara_rule
behavioral1/files/0x00070000000241c1-4.dat	family_zeppelin
behavioral1/memory/2852-169-0x0000000000980000-0x0000000000AC0000-memory.dmp	family_zeppelin
behavioral1/memory/5812-192-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/3548-191-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/4944-214-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/5812-3004-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/6136-8410-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/2572-10037-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/3548-10937-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/6136-15055-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/4252-17904-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/3548-19042-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/4252-21229-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/6136-21228-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/3548-21233-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin
behavioral1/memory/5812-21232-0x0000000000850000-0x0000000000990000-memory.dmp	family_zeppelin

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Zeppelin family
zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6093) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

Executes dropped EXE 7 IoCs

pid	Process
2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
3548	smss.exe
5812	smss.exe
6136	smss.exe
4944	smss.exe
4252	smss.exe
2572	smss.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\H:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
30	iplogger.org
33	iplogger.org
34	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Error.m4a	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg	smss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-white_scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-20_altform-unplated_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\MediumTile.scale-200_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-200.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-100_contrast-black.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-logo-40.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\hscroll-thumb.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\el_get.svg	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteMedTile.scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsLargeTile.scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-24_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected.svg	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\View3d\3DViewerProductDescription-universal.xml	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-200.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsyml.ttf	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\ui-strings.js.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-200.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\ui-strings.js.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\et_get.svg	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js	smss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-24.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons.png.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_SplashScreen.scale-200.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewer\LoadingSpinner.glb	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluCCFilesEmpty_180x180.svg.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\PingAdd.exe.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSAN.TTF.23E-1A4-DC9	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\dash.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\scan.png	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt.23E-1A4-DC9	smss.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Token: SeDebugPrivilege	2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Token: SeDebugPrivilege	5812	smss.exe
Token: SeIncreaseQuotaPrivilege	5076	WMIC.exe
Token: SeSecurityPrivilege	5076	WMIC.exe
Token: SeTakeOwnershipPrivilege	5076	WMIC.exe
Token: SeLoadDriverPrivilege	5076	WMIC.exe
Token: SeSystemProfilePrivilege	5076	WMIC.exe
Token: SeSystemtimePrivilege	5076	WMIC.exe
Token: SeProfSingleProcessPrivilege	5076	WMIC.exe
Token: SeIncBasePriorityPrivilege	5076	WMIC.exe
Token: SeCreatePagefilePrivilege	5076	WMIC.exe
Token: SeBackupPrivilege	5076	WMIC.exe
Token: SeRestorePrivilege	5076	WMIC.exe
Token: SeShutdownPrivilege	5076	WMIC.exe
Token: SeDebugPrivilege	5076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5076	WMIC.exe
Token: SeRemoteShutdownPrivilege	5076	WMIC.exe
Token: SeUndockPrivilege	5076	WMIC.exe
Token: SeManageVolumePrivilege	5076	WMIC.exe
Token: 33	5076	WMIC.exe
Token: 34	5076	WMIC.exe
Token: 35	5076	WMIC.exe
Token: 36	5076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5076	WMIC.exe
Token: SeSecurityPrivilege	5076	WMIC.exe
Token: SeTakeOwnershipPrivilege	5076	WMIC.exe
Token: SeLoadDriverPrivilege	5076	WMIC.exe
Token: SeSystemProfilePrivilege	5076	WMIC.exe
Token: SeSystemtimePrivilege	5076	WMIC.exe
Token: SeProfSingleProcessPrivilege	5076	WMIC.exe
Token: SeIncBasePriorityPrivilege	5076	WMIC.exe
Token: SeCreatePagefilePrivilege	5076	WMIC.exe
Token: SeBackupPrivilege	5076	WMIC.exe
Token: SeRestorePrivilege	5076	WMIC.exe
Token: SeShutdownPrivilege	5076	WMIC.exe
Token: SeDebugPrivilege	5076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5076	WMIC.exe
Token: SeRemoteShutdownPrivilege	5076	WMIC.exe
Token: SeUndockPrivilege	5076	WMIC.exe
Token: SeManageVolumePrivilege	5076	WMIC.exe
Token: 33	5076	WMIC.exe
Token: 34	5076	WMIC.exe
Token: 35	5076	WMIC.exe
Token: 36	5076	WMIC.exe
Token: SeBackupPrivilege	2288	vssvc.exe
Token: SeRestorePrivilege	2288	vssvc.exe
Token: SeAuditPrivilege	2288	vssvc.exe
Token: SeDebugPrivilege	3548	smss.exe
Token: SeIncreaseQuotaPrivilege	764	WMIC.exe
Token: SeSecurityPrivilege	764	WMIC.exe
Token: SeTakeOwnershipPrivilege	764	WMIC.exe
Token: SeLoadDriverPrivilege	764	WMIC.exe
Token: SeSystemProfilePrivilege	764	WMIC.exe
Token: SeSystemtimePrivilege	764	WMIC.exe
Token: SeProfSingleProcessPrivilege	764	WMIC.exe
Token: SeIncBasePriorityPrivilege	764	WMIC.exe
Token: SeCreatePagefilePrivilege	764	WMIC.exe
Token: SeBackupPrivilege	764	WMIC.exe
Token: SeRestorePrivilege	764	WMIC.exe
Token: SeShutdownPrivilege	764	WMIC.exe
Token: SeDebugPrivilege	764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	764	WMIC.exe
Token: SeRemoteShutdownPrivilege	764	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6072 wrote to memory of 2852	6072	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	87
PID 6072 wrote to memory of 2852	6072	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	87
PID 6072 wrote to memory of 2852	6072	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	87
PID 2852 wrote to memory of 3548	2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	92
PID 2852 wrote to memory of 3548	2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	92
PID 2852 wrote to memory of 3548	2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	92
PID 2852 wrote to memory of 5532	2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	93
PID 2852 wrote to memory of 5532	2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	93
PID 2852 wrote to memory of 5532	2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	93
PID 2852 wrote to memory of 5532	2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	93
PID 2852 wrote to memory of 5532	2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	93
PID 2852 wrote to memory of 5532	2852	2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe	93
PID 6032 wrote to memory of 5812	6032	cmd.exe	94
PID 6032 wrote to memory of 5812	6032	cmd.exe	94
PID 6032 wrote to memory of 5812	6032	cmd.exe	94
PID 5812 wrote to memory of 6136	5812	smss.exe	101
PID 5812 wrote to memory of 6136	5812	smss.exe	101
PID 5812 wrote to memory of 6136	5812	smss.exe	101
PID 5812 wrote to memory of 4944	5812	smss.exe	102
PID 5812 wrote to memory of 4944	5812	smss.exe	102
PID 5812 wrote to memory of 4944	5812	smss.exe	102
PID 5812 wrote to memory of 556	5812	smss.exe	103
PID 5812 wrote to memory of 556	5812	smss.exe	103
PID 5812 wrote to memory of 556	5812	smss.exe	103
PID 5812 wrote to memory of 2620	5812	smss.exe	105
PID 5812 wrote to memory of 2620	5812	smss.exe	105
PID 5812 wrote to memory of 2620	5812	smss.exe	105
PID 5812 wrote to memory of 6132	5812	smss.exe	107
PID 5812 wrote to memory of 6132	5812	smss.exe	107
PID 5812 wrote to memory of 6132	5812	smss.exe	107
PID 5812 wrote to memory of 4440	5812	smss.exe	109
PID 5812 wrote to memory of 4440	5812	smss.exe	109
PID 5812 wrote to memory of 4440	5812	smss.exe	109
PID 5812 wrote to memory of 3872	5812	smss.exe	129
PID 5812 wrote to memory of 3872	5812	smss.exe	129
PID 5812 wrote to memory of 3872	5812	smss.exe	129
PID 5812 wrote to memory of 2556	5812	smss.exe	113
PID 5812 wrote to memory of 2556	5812	smss.exe	113
PID 5812 wrote to memory of 2556	5812	smss.exe	113
PID 5812 wrote to memory of 4252	5812	smss.exe	123
PID 5812 wrote to memory of 4252	5812	smss.exe	123
PID 5812 wrote to memory of 4252	5812	smss.exe	123
PID 4252 wrote to memory of 5076	4252	cmd.exe	117
PID 4252 wrote to memory of 5076	4252	cmd.exe	117
PID 4252 wrote to memory of 5076	4252	cmd.exe	117
PID 5812 wrote to memory of 5028	5812	smss.exe	120
PID 5812 wrote to memory of 5028	5812	smss.exe	120
PID 5812 wrote to memory of 5028	5812	smss.exe	120
PID 3548 wrote to memory of 4252	3548	smss.exe	123
PID 3548 wrote to memory of 4252	3548	smss.exe	123
PID 3548 wrote to memory of 4252	3548	smss.exe	123
PID 3548 wrote to memory of 2572	3548	smss.exe	124
PID 3548 wrote to memory of 2572	3548	smss.exe	124
PID 3548 wrote to memory of 2572	3548	smss.exe	124
PID 3548 wrote to memory of 2400	3548	smss.exe	125
PID 3548 wrote to memory of 2400	3548	smss.exe	125
PID 3548 wrote to memory of 2400	3548	smss.exe	125
PID 3548 wrote to memory of 2788	3548	smss.exe	127
PID 3548 wrote to memory of 2788	3548	smss.exe	127
PID 3548 wrote to memory of 2788	3548	smss.exe	127
PID 3548 wrote to memory of 956	3548	smss.exe	130
PID 3548 wrote to memory of 956	3548	smss.exe	130
PID 3548 wrote to memory of 956	3548	smss.exe	130
PID 3548 wrote to memory of 5292	3548	smss.exe	132

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6072
- C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:4252
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 1
      4⤵
      Executes dropped EXE
      PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      System Location Discovery: System Language Discovery
      PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
      4⤵
      System Location Discovery: System Language Discovery
      PID:5292
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
      4⤵
      System Location Discovery: System Language Discovery
      PID:5932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
      4⤵
      System Location Discovery: System Language Discovery
      PID:4044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:2992
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:4080
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5860
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
1⤵
- Suspicious use of WriteProcessMemory
PID:6032
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5812
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:6136
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5028
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3872

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9067c5701a2f6bcc5b\2010_x86.log.html.23E-1A4-DC9

Filesize
82KB

MD5
d9a494587a1c8c7a55a12b688b52d34b

SHA1
753a743dc9d17c0a6f0dd790dda6eed95f878d3b

SHA256
6d6877ab98f48d1ecf479ac1eafb5b34da36b172c9dbb1c4ccb93f30530bdaed

SHA512
49b9cfb937e287f990f2d5f4f9ce65fc36dd3a6f43866dc7bed8e18187da4d5202315cf88115f8a01f7d18693a9a532b4c8e46bba31affd027cf89f5aa94e6d4

Download Submit
C:\95a9da8d6083c53f11d88fcfaf8c\2010_x64.log.html

Filesize
87KB

MD5
68aaa0ffaeb037ceefd0045cb3130191

SHA1
28a8f4ea51ddf9d9fe6f03a1f888b3cdf0d8c70a

SHA256
6c27ebd4fca50bce7743090b5218ea47fb4e79d2eff669c9b3e2879c37eeafad

SHA512
5abbd15ea625620f635f8627771a9f9c70692eb87c1105feadd14138ac62763c78b51787b5ae18b2f76e9dab54d69d6c87e1319c26d9f1f2c9f0fd1f16218376

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png

Filesize
52KB

MD5
bd0791144e7f3694fccd01dff7ec2de6

SHA1
0de0b171e83478f4fe1b335d7e1d26739b6a6a85

SHA256
d048cb2920a205a3228a92520a0411cfb17b073e4a2dbd607b83f2c23fc75286

SHA512
8248944dc031dad8f798dc9842557a77c065689abd674e995fec602d17342db6ba795ea3e3347a717838c4224a4bc9a189ba13649d90327e6eb22450e7c3d95e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js

Filesize
9KB

MD5
5ca0bb530f202bd8b48a596008c8b4cf

SHA1
d201d8a83c2e85cafa9a27b501402a09f6e066ab

SHA256
52a6e072894be33c601f0b340c71f1c581a4bcbf1567d1c3d56d5ec7619178be

SHA512
8e5fc917f528358f3b4f27d2ba1c26b619b0d94d09b7d9447d8beec1ea3a69b783f4b06c3e03a2acb393a0f94217d6d2d7988f2f11b994fa97fc3582e3a01df2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js

Filesize
5KB

MD5
17e79c0b4b1b5cf1ba9f7bcdf375cce0

SHA1
19f23df9cfd836a54c8c2634f2fe00372d32b465

SHA256
fd8b60cdba84683b902aabcb31ccfca638fdcc4f79c0d933a89039c3eaca6cf4

SHA512
80b6b3e5bac2b3ff90b6f9f3a4b1ea83d6ff13477fd2f27adbdfb38be48bddb577bc4e0d133db4f41f107487f47f3182dec27af82dfd7711b59089ab9acc480c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png

Filesize
9KB

MD5
5ec295d3392e43db20d1764b23e7f530

SHA1
5cfbfc75f1d9cc3c712ed97b44f3ede2008bb03c

SHA256
8987959a0e64f4b3833e7a944fa8074c45dc5ad9e2dd2c04acef420281679863

SHA512
2b4abb4ba9e7c73975810b9a45ed660ad31defcad4c706343d50ed19782a2ecd621f3c0bf21f58b31f5a3e22a87bdd52b7dd25f3cbf7b0c7c663765729bef711

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js.23E-1A4-DC9

Filesize
175KB

MD5
82da8aa3e6a7c5d8c9c7948ffe3166fd

SHA1
3e3cd9433f2722beff29513b9122e6dc4015079d

SHA256
f247f41ae6334aa447b19d478196d79412d2524794baa65df29764d1cb3e2182

SHA512
66d9d6761a9b937144e7919b6c2194ca7a9793794d24587a1c6815728874e3cc56346a026ad5ea888a680fbb929d6a8b95c4021cc755a4715133f216f0313d90

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
c41a994e09eb1bef62043a0ab16f3869

SHA1
124e20b8d3599afab1dd099a99a3baf43d31be8f

SHA256
8416f0c5b56b49e5e12bd0b9a5baa302e74816bef8311afd3c0e3e7fbc4e17ce

SHA512
f8b8bf97aeeefa42fd8f6042c1e9d378ab46145896097510ab76ba5ce4a69ac0cf69b402527506f9d171c9d1dc1a83f7d8ddc444b3c3a7f930a025f80bb7b54d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png.23E-1A4-DC9

Filesize
16KB

MD5
f4289e0926fedf274cbf35a579b3fdb0

SHA1
a13de75aaf54e9b07b4cf89f93ae77ca33dc16d3

SHA256
e96bb4e3590a8c8e376cd6cce2eca9f5872d55fd09d7e71b1c7b2e1f08003bbf

SHA512
0bf77a5a78c18bd4712f84544be97cff23520522566058c632d35f4037d8e70e95639efa4a1fe3aef2c02ced806106e2f8a3205125183026cef74dcecf8623a8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js

Filesize
48KB

MD5
252c33170384643b469f62da2d5e5659

SHA1
a746865ea611ffebed3e9820482a82cb639c3b4b

SHA256
1acc6b8b57048680d9543510d294ae7bf2099e4d8c5a3983027e4a2eee2720ab

SHA512
077c4008174310def5de059d4e2ce3001815100888e52fc431ded34e3a8db768245bfd07c127f21db10405c4dd08992d71807450c74846b6ba0db0946171e76e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif.23E-1A4-DC9

Filesize
404KB

MD5
4de0ee0369d154d941b62b227d83aad7

SHA1
f734529cff5edf77fdb36672964cb92cfce12554

SHA256
c82be0ed70a119ad0c4c37b176c0323cf30eb69aecab55284aad277de5fe7c99

SHA512
8a2c5a03d1b432a5f744ff0161bd19eb6b1136fded8b8f863b0a2e474c0ba3e30812dbb17efc0f2d1333b0665dc7e40463084ab42335bc08c39f47ad6a903e77

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png.23E-1A4-DC9

Filesize
6KB

MD5
ea81e13911e33fd16e32476643806605

SHA1
97f6124e87f2a7918bfd3aa2552e20c2ba03d5bd

SHA256
3227003a2f555f7a1f243c18bcd3c9dfc8005ee71ef2d7d7ae5e0d024c3020de

SHA512
e9b6fe07dc56d5b14159adc5eb3334a74a3627f8e981a89db8fbf1077a4607692ba58e510a9c1e83fee8221a681ec0f9164d28fd234087b6ad16a98c1d8a9d6b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\ui-strings.js.23E-1A4-DC9

Filesize
18KB

MD5
5c9953e3313a41f372181ad1fa7bdcec

SHA1
be1b5b6f361850d699a3a46a91d9aedee8041258

SHA256
f5163c2e09bda0a3fc84bde713ec488014c31301b5afb4cd2579207a5ba5ae9d

SHA512
c2ae2a4ca134955a87e2e8f69072fa2a1044ed04e8f49ffa2070a9bbbc1c19ab92c1166ed3a58009bd1cd75931cd295f2e05469378fb6d056028bdeaab146dd0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
ead2641ed3452f03621f199cb3bd0c87

SHA1
28470aaf6dd2685ffbbf3e136bc8856eac3b41cb

SHA256
455138d410b45e8deaea2fa52a5c1a41e37f694890d49460291af8a01c8e1c5b

SHA512
e60d0820ec241d1d1851fd415646947054dbfd208473f6217e565324378ddf09de484e2792f74cb1ed2a6ae01703b56d13054c65307999c6a677fb982898c8ea

Download Submit
C:\Program Files\7-Zip\7-zip.chm.23E-1A4-DC9

Filesize
119KB

MD5
1ccb3b0fd95d5e1d95fe12637b3e72a4

SHA1
926d420250710aa7b4f08bdf1f1136a1690f1a90

SHA256
2cb211312448dd22d5429bec5972790da5ad9e62506a628558de5b440fa55b15

SHA512
a0960e911862f355a7df8a9a5f47b84e7ebdf0f733c6320a13bf2d7c070d130a91e3388af92ed323ad05e8cf7311d75de236adbe0ba70ccb8e43bcb6cf364302

Download Submit
C:\Program Files\7-Zip\7z.exe.23E-1A4-DC9

Filesize
550KB

MD5
1f74d7336112fdf4f3b716510db967e6

SHA1
208c91d1bda261d0b84bf79312fae87a61ba2df1

SHA256
a7376129296aab49ecea8a7dc1cb68e345ad547704b9030caf712dc10bf9ac9c

SHA512
a6deba88275c98452255edc2b54ff97623cd07d7cb0b839612eb84b952dd3fbf9ed0fc56709077f7b19b74efb5c988e62150db3ab0365780b0e640fce433a38b

Download Submit
C:\Program Files\7-Zip\7z.sfx.23E-1A4-DC9

Filesize
212KB

MD5
724cf80b99dd72a4c0016886084a50c5

SHA1
c73cb37b41c07e5575dc2e39c18a9e33a8dea5c9

SHA256
e1bd2fad7b90f40e32d8fc42d941ee858e62b99f77e04aff9c1141a3f6a22f64

SHA512
17e9a3f5369931da8460abfab91b52684a10d3f187999386e04e09f85930d1a445a265bf7003ef422fa5d8b8683977d9d559b6fbc7b10994d9e2f887000fd21f

Download Submit
C:\Program Files\7-Zip\7zCon.sfx.23E-1A4-DC9

Filesize
191KB

MD5
4f6f40b63109bc26cf936ce8e2086835

SHA1
e955f3fdd50f2bd410731606668db482db322181

SHA256
ac04d7e99a3bd84925276c9547fdfbef57f06ea02c6b348e9a480da02960ef48

SHA512
b0ff65774f2fafe113ad6fc7ee6fe1599097811724e5dbf63b2e3548e26e41995c7d8fe16b7231490030a1f890506d53bfdac3e694ffc21ce07548bd6e012062

Download Submit
C:\Program Files\7-Zip\7zFM.exe.23E-1A4-DC9

Filesize
965KB

MD5
558b36575a0838cb97b34a2dc8aa0851

SHA1
03196bb00171ec1eaa3f6c0264576589ab60cc00

SHA256
f7942a59d6b20032ce750b812869d3ae010e267fc4f34a35de94e07508dd42ba

SHA512
68d67f9c0599bdefa59ded56d37a9dbf819115783dd81cf7c33292599231ac318793dc40078c7ddd159b05999206d165f6695feaa8b88cf7673d003ff71b6d92

Download Submit
C:\Program Files\7-Zip\7zG.exe.23E-1A4-DC9

Filesize
693KB

MD5
e36343b368e541c4bc75bb120a38e425

SHA1
406677cf622ab0a35323d17914e0c66d7515e960

SHA256
6ce1d65ba797ae57dace22c092236d80254f532f5f1d4d547548c52a62554b85

SHA512
5d06593147546c7559a0f66ef477880dc514ef8b3c26183fc4bb89cf3aeb8be7514008022fc3f113ea8a472fbf61e2f64deb5d678ee91d8aeaf814b5ec03997a

Download Submit
C:\Program Files\7-Zip\History.txt.23E-1A4-DC9

Filesize
8KB

MD5
e35f94fac426ba73fe4ce8fde2387584

SHA1
dede8d016a2e80ddf284f49b94ed959d2cf6421f

SHA256
00eba42d47d7727951b8bcecd42dd793d4376caea19f18e2aa26b3391352441b

SHA512
b6f7deb62808444d84c9fb56b8f64a9f6b7c39a00148e721ba7ff82483adf2bd952c78a8412d8c17f1d71de5a6e85e9af118870e996fce409feb9488d74a431f

Download Submit
C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
139c84eac3667aa7933ed206b6e25cb7

SHA1
946f29c910cc281333a4815c06e9123eaa9e74a3

SHA256
042b8fcd1e161a9932cc3fb309faa588ededc84f622c772cfe4c21fb5a0dd4e4

SHA512
6ae6e9a96aefcd9e313abcde04c388463ce2173a4eae7998a556f941c0be47d307156188e841b12ae52380b9fc00c6406717bbdc9879a08414a8c2d1c52faaab

Download Submit
C:\Program Files\7-Zip\Lang\af.txt.23E-1A4-DC9

Filesize
6KB

MD5
f8b6bfa2b516f45dbb01c9033f7d3715

SHA1
6300fbd1866e5367367d02358117d46fee76af32

SHA256
94c10f2712e9d306870a4806619c31080d411c0aa52c504800694ae9a0d8db8d

SHA512
47fe1aed442cb3e263e2ce3347ceddefff9c23c7854b2a769c8d4aefd9d96940fc195401220ac3e022f165c0351acbac151e5b32c0436cdb6f49379197a3cf53

Download Submit
C:\Program Files\7-Zip\Lang\an.txt.23E-1A4-DC9

Filesize
8KB

MD5
e725157e6f17a3948adfc285648ea7c8

SHA1
2ced7d0b6b18529f2312e0c9d50d9df0230ba0fd

SHA256
8f75c5729c99b967c4ead3486e856cb69c7302f9c54e301ed3b0c733059e4ca8

SHA512
43bb83fb1dff0c7670017c6073fcdf19df53da14540dc1a9185520677c87d48fbeac408d00d4bdbf3635ceee2d3a5c99e43ade9b81e72d90461b77dfe702bb13

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt.23E-1A4-DC9

Filesize
13KB

MD5
fd71dfe0850fdc562603a5064e00f747

SHA1
5a548beceba6e36658bafb23bc2371b23a299fc1

SHA256
4b0c1644b4f15838b00208f594364ddf83dc1c9ba2a2ca47497d26bbc2eb4c7e

SHA512
b300bb47f22c2748046f32a52de52ab634d5ce9f4811e84623944c6aa7b0451309446c91f0b9d30386eaf9633a4ae916d35024cf10189727045ed33257fc54e6

Download Submit
C:\Program Files\7-Zip\License.txt.23E-1A4-DC9

Filesize
7KB

MD5
5fc03cda6f49437a48ab4c392d086332

SHA1
407167984c056c1c0b0421e620284a18cbc36ddc

SHA256
9f9224c40d66dc9e0183915c5001a656a0438e8d2b3fbb3ef2f41becde62a71a

SHA512
74d6dde51eb22c3b271735dea9f9a8b9ab349dee70dc36aac7f062e9d4dee818aaf1bf52111edca4462e4ade6e439931aa3833bb6eca12695386fd07e2339874

Download Submit
C:\Program Files\7-Zip\Uninstall.exe.23E-1A4-DC9

Filesize
16KB

MD5
ac6cf18c504eab058ea3fbfb42e843c8

SHA1
de41cdd71874b596b69f98b0c307df61263e6c77

SHA256
0f59fa16991ba6393ffb14911125783fc5bb14a7a39ded74244d39fcb77e7f55

SHA512
df9963d9dfad796b01c5e3f91bac309204962e164c0dcdb6ebe0f1c732a27af9f65b046b5b231e842feaec5bb99cbdcd8efb374f5daee2d21c1dd5ab0b2af439

Download Submit
C:\Program Files\7-Zip\descript.ion.23E-1A4-DC9

Filesize
1KB

MD5
43ef013d4d2d81fa5d7d8238716a1d99

SHA1
55bb0038b10e5fd827060f65ef4b954880f52db8

SHA256
ac394c1748cc7bcacecea75d85630f49c43fbb6e37f27bc94ea7daafaca58efc

SHA512
f04fb430d2420c6b468dd226596a7806c9c268b08294162579897193b854b86d7386898b35b26d75df09ccab7d55ada2c16655e2b5087711624a3139051e1d20

Download Submit
C:\Program Files\7-Zip\readme.txt.23E-1A4-DC9

Filesize
3KB

MD5
0054816003e4520be65a070fa527f3e5

SHA1
a55953ed5273fcb069014518ff2a298ff384563e

SHA256
b485c9a13799b9b7920f1cfe72370c9128e3b524261dc54f9a7fd9c515b15a5c

SHA512
5eb10c2ff28ffdd2c0b59639d0c974de024a8fd22fecbe39905d337200b387a69506e47a17163747b4a78a3c2fae7346369f5d71e5344413db6be8ff4d44781c

Download Submit
C:\Program Files\ApproveSwitch.png.23E-1A4-DC9

Filesize
786KB

MD5
6dd86fe24b6f54a9e80b316f18133e9d

SHA1
dfede75ee3b755e3ade2d3deee173e66427b0ea5

SHA256
4f76b88462d52e63203623fccf29e32f6d6ee417fcfa0ca839c37fd3cf13cfab

SHA512
32803c18b24dafc4af61a18c90f831e788abdd79b1cc80a580cdf82fbc5419111896d7a4cd0675ec652b4ed2d011902bc48dfb81b21997963c1388e255a3ddf4

Download Submit
C:\Program Files\CheckpointUnpublish.ppsx.23E-1A4-DC9

Filesize
765KB

MD5
c22e7fba0677bdd1e68018050a3d309b

SHA1
5587062789d1ca180aada8f385569fd11bd4f65e

SHA256
1a608a10aa5915463f3c199adba7ec5652de9df1bfdbc09eb2b2126e2d4a7601

SHA512
03c7aa2867bde6472887d4fdd6280b31661f7683716c701b45001fdd4c68c5f6a82128ce17e9b366bb501a8ab2abadc6cbf4968269c8a3bae2fa27806c7dccbf

Download Submit
C:\Program Files\ClearMove.midi.23E-1A4-DC9

Filesize
531KB

MD5
ea72728d15b93cd30090a6448edb69e9

SHA1
d521cfbf5bcb4dedb6cc40bd41700c5f2e797c44

SHA256
1719a9730730217c72d942205ae0dd5bac04bc696902d92e6433db964765beb4

SHA512
bf54dd0cc4cab57cb3c6a4e96022de94bfeace88b8e9d282d033f3bd616b91c8bbb53458d86d2fac0eddc12401b077192536fecc73014524e31564e327c5861f

Download Submit
C:\Program Files\ConnectJoin.vsx.23E-1A4-DC9

Filesize
425KB

MD5
3930813b5ea87e40d4d747ac23899b2a

SHA1
739f7c52e74a402754c07ede7e02f0feb6cb6066

SHA256
cb3aaf955730c75a9121664309169b040f6a0de2a4d8497f8383b51f13fa1f94

SHA512
7cf860cac33b2d63a251d907b358f0796663b290a36a96086f5a27d49446c476e8c9b2ab953f9b14bddd430524126924010c61a8981dc6d935cfdf4e3fcdeb60

Download Submit
C:\Program Files\ConvertFromResume.dot.23E-1A4-DC9

Filesize
616KB

MD5
1a4bc22cd54c8707c7f2c7d49bb20553

SHA1
6ff55ba0409275a513b1f10d9fc72fe10f3f07ec

SHA256
6c8a59614a4d2c0dc2e89494f03888f768172c7862627279333ff8a98aafe7c6

SHA512
d75429b1c08e01116ee3079bef1b0253fbd73b143256aa5e3bf07024dad31cf8ed11f2f42b41d0fb27872cd0717dc88ff2b5486638878593a27a13a026f41002

Download Submit
C:\Program Files\ConvertToUninstall.odt.23E-1A4-DC9

Filesize
362KB

MD5
c843ff63e55b960b878066608a18ad87

SHA1
a3b964be815edf75abb5e56f8df1cb343355ccd7

SHA256
09e2c9496316a43b7014dafb649c5eee2b2ba16e0a8c7b400bbc3a14c6eddd2d

SHA512
03a0755e96ab3b2bb11d04ca7267587e73ddaee5d3e5196b62bf9f014112c40b867aec1eb1bfa1bbe9809b0c5b3335e485a9769e6de15e0b355fd1f791c3b302

Download Submit
C:\Program Files\DisconnectMove.mov.23E-1A4-DC9

Filesize
701KB

MD5
28c5a970d0e417ce57796e24e59e15aa

SHA1
06360857dd61cf62a16043d504d5dbd63e780d38

SHA256
d86f6c9c1580acedefc5634ee91ee1600403a75ab92865d9722dd119b5475d40

SHA512
49555b5d60b765ef86a41964666c587f1267c26d44b8366726a8fbc15c88056a6219350722e6c2da601d88c231f27079dabd636f86435f4dcf78277d95e4506c

Download Submit
C:\Program Files\EnterAssert.odp.23E-1A4-DC9

Filesize
722KB

MD5
82f00c492c93e16aad568bcd90d757d3

SHA1
22c781aa8e686cc8b93c6059c923bcb3755e5b3d

SHA256
e0f133bb7039828d4aafc0ef26e0ad6d1c45da52960d1b2d8e34e692d605c9fc

SHA512
5cff4ab1f9baff52cbc8f28ecc7aa19ab796d25649e8dd591bda269de7714e652ac5a785ef0a002856f01691682e13966b10ae2dc42b5cd962f2260e2df2493c

Download Submit
C:\Program Files\GrantMove.001.23E-1A4-DC9

Filesize
340KB

MD5
e4fcbbad2bf24930b32280ebf607f9e6

SHA1
afe9b3064f4ff44d6eaf37405946994e397b3b89

SHA256
50116a08e376884571b17e0b4f6f8bed7d5e329fe491b2170415f37c004b98dd

SHA512
7008c1d6f4a3706805de012cbfd587ba95197cbdfa1e4d58f5cd3eaf0dc7b70fb7e0260e9cbf296a168ae72bcd5db8e88be5945172432ecba9e331d104a40af0

Download Submit
C:\Program Files\JoinBlock.M2T.23E-1A4-DC9

Filesize
659KB

MD5
47a706338954eb9d066ef8a564354ca8

SHA1
5e44d8eb5035ea3b1bba6ab6ef65d895c2478c99

SHA256
b2ebd927e311b96303eb1d385a99d76de81c047e084dd755d3a00aa0a13580d4

SHA512
eba2e5f56184aa7cbd2bd49bc75a4e4dbfcb62c30f46fa788f72a92b498b662796a965619ec471b3479a1ac4d5eb5a5276d289a75a147c42010b17f6c967a00d

Download Submit
C:\Program Files\MergeProtect.vsdm.23E-1A4-DC9

Filesize
595KB

MD5
393553f94092d5082eeb54106ce0ebce

SHA1
87a3545052409f6909b3f089ea56ca8faf7e25fc

SHA256
8f63188545da5fc5087db8af76efe1ab9f71ef0eba9ea429ae0ec73ef74da9be

SHA512
2b8c460f330bd080eb63f4e5c1e418027bbb7f6788fc40b2d07507fcbf68fab9d8ea45ec9bf827f05b7d02b07bb253dd91936e485732160132f39f609098f8ea

Download Submit
C:\Program Files\MergeRename.mp4.23E-1A4-DC9

Filesize
510KB

MD5
1c41720fca5d460bc0ea1cf99e93a946

SHA1
3b2323ae4fe7f149f543e1293f685a975f270cae

SHA256
e9dde71d7fe42a83dde09eb1564ce8de446949b6e965105cf92049ec2e02313b

SHA512
a250146be8077e20b05ffebe280ec9696664a0aa641d1d4ab04cef7c3500a9c2ce6616a155c22a61216a9956576aceee6fd4acbefc24084c8eab84fd2e0846e1

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
019eb657da99238b387e63b87db1649a

SHA1
bc8c241f84f628baae0fafd654c8cb9aa4da99d4

SHA256
ac3907611da22a1161d1e0e0f507f6506dacf25bc494f5b1587dcf3d50171a84

SHA512
0d7eb6ba965f89f24f86571edf7a8912a18ebf484719c837a48394e8fff90be0701b5740ed4edb56f37d97490430c42c1c821f859e5be8b954de0df16ea1f300

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

Filesize
3.0MB

MD5
7d7fdeedc4254249385b4af4a98bf9b4

SHA1
b04d769ddb0e4314d8aa7888cfcec322965d1f58

SHA256
7f58c9dd5e9563e878edaf1b3b125cfa042ae44c4d2a5f228036bd557922b9a7

SHA512
2b82c379e26f64358a445f8f0a74f61c3cd694f2e1ecd58f999f0b5c17e00b3fb9bd89908b71e99fe5b26ba7aafa0b70fae0a7d28069fe75fc013691e060e221

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
b767653268375ec74679777fd53b2fa0

SHA1
e8e94bac84ed0d18a5c5e6e7c0277d892421da58

SHA256
a94e80dcab1466c69d1bcaa42f01fd88b57895462e80eb69a052dc0bf3fec896

SHA512
7a7f91b09d4b700d329987b75d98945795f11dfba82a94622d6151aab184b2cc90399663d354e3715d24310f2542574dbcd7fdd25de28191a7cbfd96439c8d85

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
7abacc696865563a73baba24293ec0a7

SHA1
6f8d0dcde660b42e913ca707e4e4d977c6244987

SHA256
f33b44a53fb0de9db33cebf44007aa45ee1ac8381cda089eec4e1bcf37781f57

SHA512
9919ea036e66822048bd9e688fe6ee3fd1c5659d18d0330b445511bf25e3d6be60d60ddb112a132596b60c820f13cb2ecca6586ecbc3e6c2d85a388677bd8fac

Download Submit
C:\Program Files\PingAdd.exe.23E-1A4-DC9

Filesize
468KB

MD5
094006ed9940b116660c1203ba15e915

SHA1
4ef6ad14d728b0d0c028595d883157a8531a2f8e

SHA256
e2cb7c27cd531d59d00e87ce8f548dad5222b734011b5b5d48d0e5c750341e1b

SHA512
5e52b6f43cbf0a0b1f95eb98ccf9cafbe27771aac3ab6684efb6a8740ea1cce63751f0bbc855641e18db40a83c98f220e4b218c7d014c19eec4049ba63730ff1

Download Submit
C:\Program Files\PublishDeny.cr2.23E-1A4-DC9

Filesize
319KB

MD5
6bc71f80153d4649949375244c2e5943

SHA1
321de94a5b46eafc65bcd7ca340ae710df8477f8

SHA256
b0751aeb9f53b442ee7546c5a32008f04f08867ad4b28ce0c4faa4d26231df20

SHA512
602246ad3b6196658870d3cfe6ac9081d9dc0df61d6069e7a7d100ca36db07ee1f1f00c366230b4a5650ca42594e44250a5aad28de2a9b8a64d1cacccb823c46

Download Submit
C:\Program Files\RegisterSend.MTS.23E-1A4-DC9

Filesize
489KB

MD5
cab577366893891178d805720f567ce4

SHA1
78d4286f96ee482af11f9df17deb04400bce6a09

SHA256
50c7292458d2017740dce4d059be0a74b02103c0122bfcb57c08866d0039946a

SHA512
b2baf5a6838d4f3c9826fa64f1b02680c88c0e963d22c6193e390af48965038677c7adf3484cdb245a5cc15c3406c743f30f02a5911f5963e456e7158f1681b2

Download Submit
C:\Program Files\RegisterUnregister.tiff.23E-1A4-DC9

Filesize
447KB

MD5
9f911f1688b8a48bc979a26bb8820615

SHA1
574b24ca05a4884f389ef3cc147e323d3d4a704e

SHA256
f0345de0d1c56b4a86b04c0f45868cc7e315316281f60b46eb236f2ffc44ec21

SHA512
1abb9dccf5671de8aecac7d7a1de4546c8e2bde805fefca30c172d9e0e14cde578e9de82c47cd2f2662ba797cd539a05278e434192b6fa649cfa5193831de335

Download Submit
C:\Program Files\RequestDisconnect.vsx.23E-1A4-DC9

Filesize
1.1MB

MD5
89afa92b6814e985e0b103eba61bceb0

SHA1
1267bb16fbd60a66a83791721f3e3e2e43c83bd1

SHA256
32e1b657fb2a15baa757c7d539da3600e7341a08f83a5e11039887c303494a06

SHA512
de6f88e1b6d26c5e35fa4425aec8e0f0bca8d65af8204a207130833e7163e2552355bbf5bce6ad91f13462a36ae1de53544f65f16050a4a463d6789f896c0ee2

Download Submit
C:\Program Files\ResetExit.zip.23E-1A4-DC9

Filesize
277KB

MD5
74cb4fe22dbef7c05b4b3a7799d14736

SHA1
579ff0967d8f86dfd5f38bea8f1d841f39f121b7

SHA256
598535faca2df795bd89e2a5c268a6a93dfb97caa066a0783e187cd8598d90fe

SHA512
e968265c57f50ab95680edcacf62d0749a37789074ce050cc45dbbfa0f930127c9ab9c2faa5a3142b1cc472360e21116320805519e425885b5beaa6c35a05c38

Download Submit
C:\Program Files\SaveApprove.scf.23E-1A4-DC9

Filesize
404KB

MD5
dbb6dd9764f23a507a3e5782de2a5c96

SHA1
2945eb261d59f794219e2850fd33745696039fbe

SHA256
7148dcc567a1aa1f68366359a4f29bf3815394087d74ae553d10a3c450e3cf15

SHA512
38c5f5c840553238cc614fa6f8a63ddd281c70a67ac3e728398375172020bbede868d859de9498590a7a0021c898c32c7a99cf586cffcb43c6029b6a1a54bb54

Download Submit
C:\Program Files\SaveGet.jtx.23E-1A4-DC9

Filesize
743KB

MD5
25039238c6c5e8272405e6920f664552

SHA1
421982dbcd20918661f19129011f025854805f05

SHA256
1fe184935121d123292ddee83d240c35bd18a108fe207527e5ccc13ac71d5ab1

SHA512
c1769f44fb2c8663426017a6552dab3a2ff7dccb6b5cd36dd2c0c9ca9dc8bdef0d94bfd8064f31535b89f01fdfffd68e8645b27bd56cbd4f51b17c8820d7987b

Download Submit
C:\Program Files\SkipResume.ps1.23E-1A4-DC9

Filesize
383KB

MD5
9392046a3b39167f4b136798b0090f7b

SHA1
a4c241453d1b0bd8a1ca20507c343b9336b65bf6

SHA256
18ac6e44314ff8dc18b7a2d2cfcef7a98a3819f0174802104fa82836c13e82ba

SHA512
062b15f4b0f18d062990524f16fc10e781f11982fde4c176e1e1701265bf85a29b75e5ff62e1c6e6f23e74c0e9a395651774145400650967f2aca397bc015521

Download Submit
C:\Program Files\UnblockSet.temp.23E-1A4-DC9

Filesize
298KB

MD5
e25feff72027e36d67404807b71470a6

SHA1
13871cecce231c82864d8faeb7feb4ead133e7a7

SHA256
c9b097541c6823c4db60f03ac5804e9cdada468c98525cb69b64e9841fad2414

SHA512
64d403dad3aff2c05ae079d7277f29956e4fe0f5f65984b76ff2f50cb3221920e685ed3a1c23891045ec335790c21da2465e6c5a7bfb342321fa4e4a65a36384

Download Submit
C:\Program Files\UninstallHide.aif.23E-1A4-DC9

Filesize
574KB

MD5
2cd87da2b476083b0a22c17b398c811a

SHA1
6a6b342df762b0f5768f0192fbacf9c4a06c04b7

SHA256
2a42cc32939dc979f008018e585c862bc94db238c07995b28ec04c0955a2ab2d

SHA512
db3d02499425d5b75b14721b68857ef0ddec18dc6f8b985cf39bd16bc7be3bff8ba0d52755e07170932762f54a503262644b0be4118f689245bfbd890c909b2b

Download Submit
C:\Program Files\UnlockUnregister.jpg.23E-1A4-DC9

Filesize
680KB

MD5
46687d85387fbb8126cd0ff0690c0f52

SHA1
98c8f51107c8e7661c9749997dfd4bb15ea96a80

SHA256
dae2dd8c9635e94def2a76824413e0cc8a1b940c651546938f566c5897c5a7e2

SHA512
f962632cd12b816ea83ddbd10fcd17490e921acb092b92bf4f959edf5b0caea7c1300bb717b53fbb1d7ba6c7b53f0ecd5b909a418d83bbee5fec5a42fd96f310

Download Submit
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.23E-1A4-DC9

Filesize
612KB

MD5
439e7e5093bf547ed58964fc914462fa

SHA1
73a27a96329baed4edbfe678eea99f6f35f46f4f

SHA256
a3294aad53878776e0f4dbafcd39e662a0c4708fa91066f6b583b6892f6f50a1

SHA512
83a5b2662c69501eff851c81f10b8a66ab2ae7723534957842878b14d6f778a709668538527a820b4fe81d52f0dcac9aaf02960c3dd1399644d3305ecdbd8351

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo.23E-1A4-DC9

Filesize
595KB

MD5
5f71e4aec8897870213464fef7da9ea8

SHA1
0c0e39da24cdbd996e9a5a56eb71d001f8a0dd16

SHA256
5a3d59c9e0e303e7a902ecb41a7fa9c66708f1684bdef2293d7beb94a9b7f0ad

SHA512
ea184462ed85a623a5c4de5b76acc1f4eca7a41a912de064b91df5703fdb51a00fa3951c836d00acb657186d365489a07ac119a99a1c2da5bf3630bf82577a71

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
773KB

MD5
66b1ea7f716761210d6825591929ec8a

SHA1
35bbe8a41f39b9f04f89569506acda7f648abb96

SHA256
82ef353d5f13bb352f1492a5ce88203d3c9309c6a1516b8dd87c7876e14b7679

SHA512
175d5986864fd6ea18d0b7b868cc9e1d17cc7a5b01ae56e3cbfe6290f7f27c006176f1d6d978c9105852ef3dd712c49192586d73707e6580572b457761d9a25b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
5668164eb963fe09048b527314036d40

SHA1
bb0e06ae9d59f4f47a8f95ecb651a6ce6916d09f

SHA256
ea9e21ca506dcacf78c8935b241d1b018d78250a38fa265294b4c83f1d5f02a7

SHA512
f008d664bd96fa7b164d5e2535bb842200aa1054af727acc1317c61783e914fe7d436b98b88e6406a64a8787693745fbf2b147113db0ded6ba1a406edb199ddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
4409f9540813d8809b0f92f65ff349c3

SHA1
8e1307f50dcb5b5155ab91b0873a789c4d9c891b

SHA256
acf57e17a04092a4e4cad5951de3b4cf8bfddbf73062eff0eb5c06cb5fc147ee

SHA512
e487189eb87575263a488ebbef2d11b40d705eeaece0c75ca649da1d21cfe71872a2c1cb434875b281894f2b53907168e37da67111ab93c81d6f1f506424a334

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
4a90329071ae30b759d279cca342b0a6

SHA1
0ac7c4f3357ce87f37a3a112d6878051c875eda5

SHA256
fb6a7c3edcd7b97fabc18855102a39fc4d6d3f82c0fdd39b1667807b71b9c49b

SHA512
f0e206053d4369437c2c0f1f90f0fd03d631e4b9859d807049b41efde823d64cf4d75c28316d932360f7c03bd409e923c8bc2d4f5959361feacecfcf101ae823

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d06e4d85c8c9d9d1ea0cfa6bedbdd7af

SHA1
f754bf54e36c78a95e590253b27886c820fae8e8

SHA256
0b6f62fb10638c8ec2ef069d9421cafef677d0418306fa9abed18a7ab06a83b5

SHA512
6c22f8eece2046ffae578f878a85b6911dd78ea090653a6996b7e58b8601d17107f8448b7163451d1fd0b3d79a54247fd64e3934e62d516680e2bf59040201e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
530B

MD5
1fbb37f79b317a9a248e7c4ce4f5bac5

SHA1
0ff4d709ebf17be0c28e66dc8bf74672ca28362a

SHA256
6fb1b8e593cb0388f67ead35313a230f524657317ea86271b3a97362e5ec6ad9

SHA512
287e1d62c9ceb660965c266f677c467fbb997c2f5dcd1d63e185e266488aafc3489ac1d3feec81d10f01ce4a72e61a8bc4e124f137ce8675a220aa7797002e74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
a9ae7e1b2380dcf96b60df1d04b4c63b

SHA1
a88aef0e9ddd9922a38ce4f96765bcb2b4433fd1

SHA256
4dfc139635048919911dc510ebe48da8a6e172a6be8f177a396eea228b7ea22f

SHA512
46a62f2bd71407fe6d76d48892945c08c7d34164fc779792c9263bb3619508183dc07957a4ecc6ccc5da04b292fe93f77fbf7bf23ce560fdc8b1a9b0ed1bc57a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
76fa27fb63eff3571cd3c560b3d31d94

SHA1
38aa570df468560b72cfe2146b2b5230a016fceb

SHA256
82d9aa236976888cf1d702a31387b2cafb74acfbe23fd9547615777e007c2a2f

SHA512
81398bb8c31373a53d7439a840eafe6f0cbf824728cbaf42477b11792639f7b71fe549a6f65ad11b0cc5713fc3461e29156557bc60b9b4a6a49785238555f95a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
122f0337154c3feb1b0b467d607fb3e6

SHA1
f1d2fa664b772721ecdd1ec311b49b28554b43a5

SHA256
bba9420927d0330a321d13dd05eafa7510b67ba3c154c21294159c87a5be0005

SHA512
b47f5832d8594d59b10f8b75b3c324836bd2f3555c593f42d7065db1dc75c9459af9410cf25e9754c32019b9413329f431f1004e473b1e77cccb0956fb24ad77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
263a8ce5d9f7c5d0e9f2b24455f8edac

SHA1
4ead9273bd2dba0ef0f947635a6e4436c38e72a3

SHA256
c65f33b1d518cb6d50177fbbaa69aeb32c63fea5643aed21fa2ec4cfa79c6977

SHA512
c30004e186a7ff1bcf9465093c039b93a8c4eabd4f8559346204a2c4b1d7e6c74c0002ac51bb227a1ff4b4a47ae9f41e3a9e034fd15ecc5f13a1395a92ec2c4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
088ef1d77bf3770ba7dcf62b14d13875

SHA1
363dbc41c1fccfe38e75339e8b78d13362e8fc3e

SHA256
cb022af1919f3064b229f35816d4546175fcccbd72710b9e125667b19ef26b7a

SHA512
d257a38aaaa52327963f68a1be22aead6456257cc0e49e7cd2a561e198dff7fff277488e2469f3eec1f51f364c9c9821d9b4c76dd15dba4a1888cf3f27d67cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B59V21Q5\VZSG5IXM.htm

Filesize
18KB

MD5
2ecbd831dd268171871be3a7341717ee

SHA1
a1365aa4ddd52cc873c9def7f26aa9848db6434e

SHA256
83006c3ef95cac56570e99cbcff4b7e22120eecbea5f1957cdbd7d40a52cb077

SHA512
4e5ff688f7a714dbefdd3673d9ea765c5beee762de365d233efd3715e1777ffe0d966c7d382ea0d34b50ce857ad90f14b373adcd7bf43bcc925e8ebc06c882e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EAO45EME\30PISW01.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1994424E.zeppelin

Filesize
1B

MD5
93b885adfe0da089cdf634904fd59f71

SHA1
5ba93c9db0cff93f52b521d7420e43f6eda2784f

SHA256
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

SHA512
b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
memory/2572-10037-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/2852-169-0x0000000000980000-0x0000000000AC0000-memory.dmp

Filesize
1.2MB

Download
memory/2936-21230-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/3548-19042-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/3548-191-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/3548-10937-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/3548-21233-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/4252-21229-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/4252-17904-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/4944-214-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/5532-140-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/5812-3004-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/5812-192-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/5812-21232-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/6072-8312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6072-190-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6072-505-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6136-15055-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/6136-8410-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download
memory/6136-21228-0x0000000000850000-0x0000000000990000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads