Malware Analysis Report

2025-05-05 21:51

Sample ID 250421-mw6ltsvkz7
Target 2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin
SHA256 3be964c7bdd8349bed41823d242f36bc525df6323eedb9e6a7144118984020af
Tags
buran neshta zeppelin defense_evasion discovery execution impact persistence ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

3be964c7bdd8349bed41823d242f36bc525df6323eedb9e6a7144118984020af

Threat Level: Known bad

The file 2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin was found to be: Known bad.

Malicious Activity Summary

buran neshta zeppelin defense_evasion discovery execution impact persistence ransomware spyware stealer

Buran family

Detect Neshta payload

Buran

Zeppelin family

Neshta family

Zeppelin Ransomware

Neshta

Detects Zeppelin payload

Renames multiple (6093) files with added filename extension

Deletes shadow copies

Checks computer location settings

Modifies system executable filetype association

Reads user/profile data of web browsers

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Adds Run key to start application

Looks up external IP address via web service

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Volume Shadow Copy service COM API
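An impact-scoping sweep, added here as an example and not part of the sandbox report or of any vendor tooling. The summary above records 6093 files renamed with an added extension; the Files section of behavioral2 below lists a dropped file carrying the .zeppelin extension (1994424E.zeppelin) and a ransom note named !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT placed in an application directory. The sweep walks a directory tree once, counts .zeppelin files per directory, records where the note was dropped, and flags "encrypted" files of at most one byte, which are worth a second look before anyone tries to decrypt them. The directory layout it walks is constructed inside build_sample_tree() so the code runs offline; the function names are the example's own. It also compares a reported MD5 against the hashes of trivial contents computed on the fly, which, applied to the MD5 listed below for 1994424E.zeppelin, identifies a single 0x00 byte.

```python
"""Scope the encryption impact that this report records.

Added example, not part of the sandbox report. The report lists 6093 renamed
files, a dropped file carrying the .zeppelin extension and a ransom note placed
in application directories; this sweep counts those artifacts. The directory
tree it walks is constructed in build_sample_tree() so the code runs offline.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from collections import Counter

# Names taken from the Files section of behavioral2.
RANSOM_NOTE = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
ENCRYPTED_EXT = ".zeppelin"

# MD5 of trivially small contents, computed here rather than hard-coded so the
# table cannot disagree with the hashing library.
TRIVIAL_CONTENT_MD5 = {
    hashlib.md5(b"").hexdigest(): "empty file",
    hashlib.md5(b"\x00").hexdigest(): "single NUL byte",
}


def identify_trivial_content(md5_hex: str) -> str | None:
    """Name the trivial content behind a reported MD5, or None if it is not trivial."""
    return TRIVIAL_CONTENT_MD5.get(md5_hex.strip().lower())


def _rel(path: str, root: str) -> str:
    # Forward slashes so results compare the same on every platform.
    return os.path.relpath(path, root).replace(os.sep, "/")


def sweep(root: str) -> dict:
    """One walk of root: renamed-file count per directory, note locations,
    and 'encrypted' files of 0 or 1 byte (nothing recoverable in them)."""
    per_dir: Counter[str] = Counter()
    notes: list[str] = []
    tiny: list[str] = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(_rel(dirpath, root))
            elif name.lower().endswith(ENCRYPTED_EXT):
                per_dir[_rel(dirpath, root)] += 1
                if os.path.getsize(full) <= 1:
                    tiny.append(_rel(full, root))
    return {
        "encrypted": sum(per_dir.values()),
        "per_dir": dict(per_dir),
        "notes": sorted(notes),
        "tiny": sorted(tiny),
    }


def build_sample_tree(root: str) -> None:
    """Constructed victim layout (not the report's file list): two application
    directories hit, one system directory untouched, one 1-byte .zeppelin file."""
    layout = {
        "Program Files/7-Zip/Lang": ["en.txt.zeppelin", "de.txt.zeppelin", RANSOM_NOTE],
        "Program Files/VideoLAN/VLC/locale": ["vlc.mo.zeppelin", RANSOM_NOTE],
        "Users/Admin/AppData/Local/Temp": ["1994424E.zeppelin"],
        "Windows/System32": ["kernel32.dll"],
    }
    for rel, names in layout.items():
        directory = os.path.join(root, *rel.split("/"))
        os.makedirs(directory, exist_ok=True)
        for name in names:
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(b"\x00" if name == "1994424E.zeppelin" else b"x" * 64)


def demo() -> dict:
    """Build the constructed tree in a temp dir, sweep it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    print(demo())
    # MD5 listed in this report for C:\Users\Admin\AppData\Local\Temp\1994424E.zeppelin
    print(identify_trivial_content("93b885adfe0da089cdf634904fd59f71"))
```

On a real host, point sweep() at each drive root the report says was enumerated; the per-directory counts give the blast radius, and the tiny list separates files that held data from files the encryptor created empty.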

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-21 10:49

Signatures

Detect Neshta payload

(no indicator details recorded; all fields N/A)

Detects Zeppelin payload

(no indicator details recorded; all fields N/A)

Neshta family

neshta

Zeppelin family

zeppelin

Unsigned PE

(no indicator details recorded; all fields N/A)

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-21 10:49

Reported

2025-04-21 11:42

Platform

win11-20250410-en

Max time kernel

7s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"

Signatures

Buran

ransomware buran

Buran family

buran

Detect Neshta payload

(18 table rows, all fields N/A; no indicator details recorded)

Detects Zeppelin payload

(14 table rows, all fields N/A; no indicator details recorded)

Neshta

persistence spyware neshta

Neshta family

neshta

Zeppelin Ransomware

ransomware zeppelin

Zeppelin family

zeppelin

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies system executable filetype association

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"
Process: C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Target: N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A geoiptool.com N/A N/A

Drops file in Program Files directory

Description (all rows): File opened for modification
Process (all rows): C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Target (all rows): N/A
Indicators (64 rows):
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.69\BHO\ie_to_edge_stub.exe
C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.69\elevated_tracing_service.exe
C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.69\msedgewebview2.exe
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.43\MICROS~4.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.69\msedge.exe
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.43\MICROS~2.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.69\cookie_exporter.exe
C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.69\INSTAL~1\setup.exe
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\ELEVAT~1.EXE
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.43\MI9C33~1.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\BHO\IE_TO_~1.EXE
C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\MSEDGE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.69\identity_helper.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\MICROS~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.69\msedge_proxy.exe
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.43\MICROS~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.43\MI391D~1.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.69\elevation_service.exe
C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\MSEDGE~2.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
C:\PROGRA~2\MICROS~1\Edge\Application\133030~1.69\notification_click_helper.exe
C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\MSEDGE~3.EXE
C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\NOTIFI~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.43\MICROS~3.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\Google\GOOGLE~1\134069~1.0\DISABL~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\Windows\svchost.com
Process: C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description (all rows): Key opened
Indicator (all rows): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Target (all rows): N/A
Processes:
C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe (2 rows)

Modifies registry class

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 224 wrote to memory of 5492 (3 rows)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Target: C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

Description: PID 5492 wrote to memory of 5144 (3 rows)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
Target: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Description: PID 5644 wrote to memory of 4864 (3 rows)
Indicator: N/A
Process: C:\Windows\system32\cmd.exe
Target: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

"C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe -start

C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe" -agent 0

C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe" -agent 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete backup

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1852

C:\Windows\SysWOW64\notepad.exe

notepad.exe
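A host-triage pass over the events this report records, added here as an example; it is not part of the sandbox report and not any vendor's detection code. It encodes three things visible in this analysis: the exefile open-command value rewritten to run C:\Windows\svchost.com ahead of every launched .exe (the Neshta infector's hook; the clean copy of the sample runs from the 3582-490 temp directory), the Run value that starts a file named smss.exe from the user's AppData\Roaming\Microsoft\Windows directory rather than from C:\Windows\System32, and the bcdedit, wbadmin, wmic and vssadmin command lines in the process list above. The two registry records and the command lines are copied from this page (including the sandbox's user SID); the rule set, the function names and the ATT&CK labels are the example's own and cover only what the page shows.

```python
"""Triage of the registry and process events recorded in this report.

Added example, not part of the sandbox report. The two registry events and the
process command lines below are copied from the Signatures and Processes
sections; the rules encode only the patterns those records show.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Binaries that live under %SystemRoot% and whose names get borrowed for masquerading.
SYSTEM_BINARY_NAMES = {"smss.exe", "csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}

# Command-line patterns that inhibit system recovery (ATT&CK T1490), one per tool seen above.
RECOVERY_INHIBIT_RULES = [
    (re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), "vssadmin: shadow copies deleted"),
    (re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I), "WMIC: shadow copies deleted"),
    (re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)\b", re.I), "wbadmin: backups deleted"),
    (re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I), "bcdedit: recovery disabled"),
    (re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I), "bcdedit: boot failures ignored"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def exefile_command_is_hijacked(value: str) -> bool:
    """The stock exefile open command is '"%1" %*'. Anything placed in front of the
    "%1" token runs before every .exe the user launches; here it is C:\\Windows\\svchost.com."""
    return not value.strip().startswith('"%1"')


def run_value_masquerades(value: str) -> bool:
    """True when a Run value launches a system-binary name from outside C:\\Windows."""
    m = re.match(r'\s*"?([^"]+?\.exe)\b', value, re.I)
    if not m:
        return False
    path = m.group(1)
    base = path.rsplit("\\", 1)[-1].lower()
    return base in SYSTEM_BINARY_NAMES and not path.lower().startswith("c:\\windows\\")


def classify_command_line(cmd: str) -> list[str]:
    """Labels of every recovery-inhibition rule that matches one command line."""
    return [label for pattern, label in RECOVERY_INHIBIT_RULES if pattern.search(cmd)]


def triage(registry_events: list[tuple[str, str]], command_lines: list[str]) -> list[Finding]:
    """Registry events are (key, value) pairs as the sandbox logs them; command lines are raw."""
    findings: list[Finding] = []
    for key, value in registry_events:
        k = key.rstrip("\\").lower()
        if k.endswith("\\classes\\exefile\\shell\\open\\command") and exefile_command_is_hijacked(value):
            findings.append(Finding("exefile handler hijacked (T1546.001)", value))
        elif "\\currentversion\\run\\" in k and run_value_masquerades(value):
            findings.append(Finding("Run key launches masquerading binary (T1547.001, T1036.005)", value))
    for cmd in command_lines:
        for label in classify_command_line(cmd):
            findings.append(Finding(label + " (T1490)", cmd))
    return findings


# Copied from this report (behavioral2); the SID is the sandbox user's.
REGISTRY_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
     r'C:\Windows\svchost.com "%1" %*'),
    (r"\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start'),
]

COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe" -agent 0',
    r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no',
    r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet',
    r'"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup',
    r'"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0',
    r'"C:\Windows\system32\cmd.exe" /C wbadmin delete backup',
    r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete',
    r"wmic shadowcopy delete",
    r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet',
    r"notepad.exe",
]

if __name__ == "__main__":
    for f in triage(REGISTRY_EVENTS, COMMAND_LINES):
        print(f"{f.rule}: {f.evidence}")
```

Two points for the responder that follow from the first rule: the exefile association has to be restored to "%1" %* before C:\Windows\svchost.com is deleted, otherwise no .exe will launch on that host; and every executable listed under "Drops file in Program Files directory" above was opened for modification by the sample, so those binaries need reinstalling or hash-checking rather than being trusted as clean.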

Network

Country Destination Domain Proto
US 8.8.8.8:53 geoiptool.com udp
US 104.21.50.146:80 geoiptool.com tcp
CA 158.69.65.151:443 www.geodatatool.com tcp
US 104.21.50.146:80 geoiptool.com tcp
US 104.21.50.146:80 geoiptool.com tcp
CA 158.69.65.151:443 www.geodatatool.com tcp
CA 158.69.65.151:443 www.geodatatool.com tcp
US 104.26.3.46:80 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
DE 172.217.16.67:80 c.pki.goog tcp
DE 172.217.16.67:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

MD5 f42abb7569dbc2ff5faa7e078cb71476
SHA1 04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256 516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512 3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WBLUBCIA\ERZHHU3T.htm

MD5 6ebbeb8c70d5f8ffc3fb501950468594
SHA1 c06e60a316e48f5c35d39bcf7ed7e6254957ac9e
SHA256 a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1
SHA512 75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G2BL9ZFX\L3YGWQD1.htm

MD5 2ecbd831dd268171871be3a7341717ee
SHA1 a1365aa4ddd52cc873c9def7f26aa9848db6434e
SHA256 83006c3ef95cac56570e99cbcff4b7e22120eecbea5f1957cdbd7d40a52cb077
SHA512 4e5ff688f7a714dbefdd3673d9ea765c5beee762de365d233efd3715e1777ffe0d966c7d382ea0d34b50ce857ad90f14b373adcd7bf43bcc925e8ebc06c882e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

MD5 4409f9540813d8809b0f92f65ff349c3
SHA1 8e1307f50dcb5b5155ab91b0873a789c4d9c891b
SHA256 acf57e17a04092a4e4cad5951de3b4cf8bfddbf73062eff0eb5c06cb5fc147ee
SHA512 e487189eb87575263a488ebbef2d11b40d705eeaece0c75ca649da1d21cfe71872a2c1cb434875b281894f2b53907168e37da67111ab93c81d6f1f506424a334

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

MD5 a3d1b53140ec83d53d9ff463d005c901
SHA1 f417ab6a2eca4a1e50af1de2531e0e0b157ca1c5
SHA256 23fff8b24a862f71fe72c8579f5681d924834acd64ba87b1c9cb35d3e1970c3d
SHA512 6a590f03a164654a8249b356462241fa0d304db0e7bfa10eb50d8ab4f50a5776423e8d845c295f959aeb8a5ea8008f84d4843cd860d157beaa8e171e6ced2a7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5 5668164eb963fe09048b527314036d40
SHA1 bb0e06ae9d59f4f47a8f95ecb651a6ce6916d09f
SHA256 ea9e21ca506dcacf78c8935b241d1b018d78250a38fa265294b4c83f1d5f02a7
SHA512 f008d664bd96fa7b164d5e2535bb842200aa1054af727acc1317c61783e914fe7d436b98b88e6406a64a8787693745fbf2b147113db0ded6ba1a406edb199ddf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 d06e4d85c8c9d9d1ea0cfa6bedbdd7af
SHA1 f754bf54e36c78a95e590253b27886c820fae8e8
SHA256 0b6f62fb10638c8ec2ef069d9421cafef677d0418306fa9abed18a7ab06a83b5
SHA512 6c22f8eece2046ffae578f878a85b6911dd78ea090653a6996b7e58b8601d17107f8448b7163451d1fd0b3d79a54247fd64e3934e62d516680e2bf59040201e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5 70c77c508edb7799c04b21adc2013c61
SHA1 3903b5721f79b443e5e04a0b151bf6b3b5562008
SHA256 6478267c4b14824a0a9d06dec611aa4c048f6bf4923588403abbcbca09c62ef4
SHA512 c1b3b0cdd7188e139d7021400a668eade7400f6b7c6e9cca6af3b7aed103d663eb892f5d3052e563e0db0d72a44e9c06a6cc394ced5fbfaa1e1e2baa4600fd8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 919b0a1c7070e4e99389755c70dfb1ac
SHA1 b3fda183eaa5db3d2dad194521d5641e8f897e2b
SHA256 e68e0a4bb1d83eb26d2eb4b941bc1e6a3d206bf90b963762c97eff774511dd48
SHA512 57dbce5a8df48661855c4ea5f6d224ac0e713fc1197efdd2b2f4363e00fa93478ad38d047df08bb6cb28e00cdc570d78755cd09155932dc685d3c1188a966120

C:\Users\Admin\AppData\Local\Temp\1994424E.zeppelin

MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SHA512 b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

memory/5144-178-0x0000000000830000-0x0000000000970000-memory.dmp

memory/5492-180-0x0000000000680000-0x00000000007C0000-memory.dmp

memory/224-179-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4864-181-0x0000000000830000-0x0000000000970000-memory.dmp

memory/2620-207-0x0000000000680000-0x00000000007C0000-memory.dmp

C:\435ec8a8125891fda9b522e0\2010_x86.log.html

MD5 0bd293f4914b97825cff86b0da73c91f
SHA1 96a46e6530aec55a845caeecf19263a533c87336
SHA256 525413423fade8e22cc5105d071d6f15e9c1f05eb89bdbf971a640b7904d6b59
SHA512 c809c09cb9e241651119fa52e1223391a9f0b9186627191a4a356250585b7a9167baebf9a5dcde83dfa1b3343db6d5e6f46f8626f72772ab7daa3c192d1bff7a

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

MD5 e02a23aa5e3ae40f5de88c8c94032982
SHA1 2e9974f7512991d56b2d9293dc38685d480b39f9
SHA256 0b294fdaea09f372173f6c63efd2fb297a7dbe5707104108d99aa54092f91114
SHA512 36ea597602a3464dcdab0eabd0dc1e4d44d69884898cd8e58e1c03475c341eaa72dedca153f6231330dcc04da2be7b5550337bb29660915593179e41685d2893

memory/224-410-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5492-1182-0x0000000000680000-0x00000000007C0000-memory.dmp

memory/2364-3497-0x0000000000680000-0x00000000007C0000-memory.dmp

memory/224-3496-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5492-3922-0x0000000000680000-0x00000000007C0000-memory.dmp

memory/4864-5323-0x0000000000830000-0x0000000000970000-memory.dmp

C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

MD5 2bf939d6550db406244bf008fa875824
SHA1 ff42dbdf646de5c57a59a03f433ce9eba51b7420
SHA256 9bd5f443b7ba2bc8895917a550575a7656c6daa44f785babe98db27fc9bbbb3c
SHA512 8acb36e5d9225a8060bdb4c5641ad6e21402e9ca7f9e74d35fccb3459bea7b51335185aefe62f288b386c8ab3aca0de484fb7706e2584a952dd08b2175cdf414

C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL

MD5 d41bb12f1d47ce8dcacc61a1e22810f1
SHA1 c03a017f78a3be2094fc3233f0afbae4ea490049
SHA256 c00571177b6f29e056810789cb4a4e27570101ed20b924035004c816510904eb

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-21 10:49

Reported

2025-04-21 11:42

Platform

win10v2004-20250314-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"

Signatures

Buran

ransomware buran

Buran family

buran

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Zeppelin payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Neshta family

neshta

Zeppelin Ransomware

ransomware zeppelin

Zeppelin family

zeppelin

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (6093) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe N/A

Modifies system executable filetype association

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start" C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A geoiptool.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Error.m4a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-white_scale-125.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-20_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\MediumTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\view.html C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-100_contrast-black.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-logo-40.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\hscroll-thumb.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\el_get.svg C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteMedTile.scale-200.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsLargeTile.scale-100.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected.svg C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-200.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsyml.ttf C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\ui-strings.js.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-200.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\ui-strings.js.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\et_get.svg C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-24.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons.png.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_SplashScreen.scale-200.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewer\LoadingSpinner.glb C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluCCFilesEmpty_180x180.svg.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\PingAdd.exe.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSAN.TTF.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\dash.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\scan.png C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ba.txt.23E-1A4-DC9 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6072 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
PID 6072 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
PID 6072 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
PID 2852 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 2852 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 2852 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 2852 wrote to memory of 5532 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Windows\SysWOW64\notepad.exe
PID 2852 wrote to memory of 5532 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Windows\SysWOW64\notepad.exe
PID 2852 wrote to memory of 5532 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Windows\SysWOW64\notepad.exe
PID 2852 wrote to memory of 5532 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Windows\SysWOW64\notepad.exe
PID 2852 wrote to memory of 5532 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Windows\SysWOW64\notepad.exe
PID 2852 wrote to memory of 5532 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe C:\Windows\SysWOW64\notepad.exe
PID 6032 wrote to memory of 5812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 6032 wrote to memory of 5812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 6032 wrote to memory of 5812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 5812 wrote to memory of 6136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 5812 wrote to memory of 6136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 5812 wrote to memory of 6136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 5812 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 5812 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 5812 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 5812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 6132 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 6132 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 6132 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
PID 5812 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
PID 5812 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
PID 5812 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 5812 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 5812 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 4252 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4252 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4252 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 5812 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 5812 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 3548 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 3548 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 3548 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 3548 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 3548 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
PID 3548 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 5292 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

"C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe -start

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete backup

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wbadmin delete backup

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe
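
The process chain above is the whole impact stage in miniature: cmd.exe launches the dropped smss.exe with -start, that copy spawns itself with -agent 0 / -agent 1, and each agent runs the standard Inhibit System Recovery sequence (bcdedit recoveryenabled no, bcdedit bootstatuspolicy ignoreallfailures, wbadmin delete catalog/backup/systemstatebackup, wmic shadowcopy delete, vssadmin delete shadows /all /quiet). Two details worth noting for detection: the real smss.exe (Session Manager) lives only in C:\Windows\System32 and never takes -start or -agent arguments, so the path alone gives it away; and every cmd.exe here has a command line naming C:\Windows\system32 while the image path is C:\Windows\SysWOW64, which is WOW64 file-system redirection, i.e. the creating process is 32-bit. The following Python script is an added example written for this report, not code from the sandbox or from the sample; it triages process entries re-typed from the listing above. The SYSTEM_ONLY_IMAGES set and the rule names are the example's own assumptions, and the patterns cover only the commands seen here, not every T1490 variant.

```python
"""Triage of sandbox process entries: masquerading system binaries and
Inhibit System Recovery (ATT&CK T1490) command lines.

Added example for this report, not code from the sandbox or the sample.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Core Windows processes that legitimately run only from %SystemRoot%\System32.
# Assumption of this example; extend as needed.
SYSTEM_ONLY_IMAGES = {"smss.exe", "csrss.exe", "wininit.exe",
                      "services.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Recovery-inhibition commands as they appear in this report. The keys are
# the example's own labels, not sandbox signature names.
RECOVERY_INHIBIT = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic\b.*\bshadowcopy\s+delete\b", re.I),
    "bcdedit_recovery_disabled":
        re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures":
        re.compile(r"\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin_delete":
        re.compile(r"\bwbadmin\b.*\bdelete\s+(catalog|backup|systemstatebackup)\b", re.I),
}


@dataclass(frozen=True)
class Proc:
    image: str    # image path as logged by the sandbox
    cmdline: str  # command line as logged


# Entries re-typed from the Processes listing above (one of the two identical
# smss.exe -> cmd.exe sequences, for brevity).
REPORT_PROCS = [
    Proc(r"C:\Windows\system32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start'),
    Proc(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe",
         r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start'),
    Proc(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe",
         r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0'),
    Proc(r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    Proc(r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    Proc(r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    Proc(r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup'),
    Proc(r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0'),
    Proc(r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /C wbadmin delete backup'),
    Proc(r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'),
    Proc(r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    Proc(r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'),
    Proc(r"C:\Windows\SysWOW64\notepad.exe", "notepad.exe"),
]


def masquerade_hits(procs):
    """Processes whose file name is a core system process but whose
    directory is not a Windows system directory (ATT&CK T1036.005)."""
    hits = []
    for p in procs:
        path = PureWindowsPath(p.image)
        if (path.name.lower() in SYSTEM_ONLY_IMAGES
                and str(path.parent).lower() not in SYSTEM_DIRS):
            hits.append(p)
    return hits


def recovery_inhibit_hits(procs):
    """Map each T1490 pattern to the command lines that match it."""
    hits = {}
    for p in procs:
        for name, rx in RECOVERY_INHIBIT.items():
            if rx.search(p.cmdline):
                hits.setdefault(name, []).append(p.cmdline)
    return hits


def wow64_redirected(p):
    """True when the command line names System32 but the image loaded from
    SysWOW64: WOW64 file-system redirection, which only happens when the
    creating (parent) process is 32-bit, as the dropper here is."""
    return ("\\system32\\" in p.cmdline.lower()
            and "\\syswow64\\" in p.image.lower())


def triage(procs):
    """Roll-up: a masquerading binary plus two or more distinct
    recovery-inhibition techniques is treated as a ransomware run."""
    masq = masquerade_hits(procs)
    inhibit = recovery_inhibit_hits(procs)
    return {
        "masquerading": sorted({p.image for p in masq}),
        "recovery_inhibit_techniques": sorted(inhibit),
        "wow64_redirected_launches": sum(wow64_redirected(p) for p in procs),
        "ransomware_likely": bool(masq) and len(inhibit) >= 2,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_PROCS).items():
        print(f"{key}: {value}")
```

On the entries above triage() reports the two smss.exe instances under %APPDATA% as masquerading, five distinct recovery-inhibition techniques, and eight cmd.exe launches that went through WOW64 redirection. The same fields map directly onto Sysmon Event ID 1 (Image, CommandLine, ParentImage); a production rule should additionally require the parent of the bcdedit/wbadmin/vssadmin commands to be something other than an administrator's console, since backup operators do run wbadmin delete catalog on purpose.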

Network

Country Destination Domain Proto
US 8.8.8.8:53 geoiptool.com udp
US 104.21.50.146:80 geoiptool.com tcp
US 8.8.8.8:53 www.geodatatool.com udp
CA 158.69.65.151:443 www.geodatatool.com tcp
US 104.21.50.146:80 geoiptool.com tcp
US 104.21.50.146:80 geoiptool.com tcp
CA 158.69.65.151:443 www.geodatatool.com tcp
CA 158.69.65.151:443 www.geodatatool.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:80 iplogger.org tcp
US 104.26.3.46:80 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
DE 172.217.16.67:80 c.pki.goog tcp
DE 172.217.16.67:80 c.pki.goog tcp
US 8.8.8.8:53 c.pki.goog udp
DE 172.217.16.67:80 c.pki.goog tcp
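
The Network table above records no command-and-control traffic in the usual sense: the sample only resolves and contacts the victim geolocation and IP-logging services geoiptool.com, www.geodatatool.com and iplogger.org, and the remaining rows are the sandbox's DNS resolver and c.pki.goog, the Google Trust Services host that Windows itself contacts for certificate chain and revocation data (the CryptnetUrlCache entries in the Files listing that follows are that cache). The Files listing is where the useful indicators are: the dropper re-created under %TEMP%\3582-490\ with a different SHA256 (516475ca…) from the submitted sample (3be964c7…), which is what a Neshta-infected host looks like, since the infector carries the original file and writes it back to that directory before running it; the 8.3 short-name entry C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE, consistent with Neshta's infection pass over executables in Program Files; the ransom note "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"; the appended extension .23E-1A4-DC9 on every encrypted file; and the temp file 1994424E.zeppelin, whose listed MD5, SHA1 and SHA256 are the digests of a single 0x00 byte, so it is an empty marker rather than key material. The following Python script is an added example for this report, not code from the sandbox or the sample; it extracts those indicators from paths re-typed from the listing below and verifies the marker-file hashes offline. The ID-extension pattern (three hex triplets) is generalised from the single ID seen here.

```python
"""Indicator extraction from the Files listing of this report: the appended
ransomware extension, the ransom note, Neshta's staging directory, and a
hash check on the .zeppelin temp file.

Added example for this report, not code from the sandbox or the sample.
"""
import hashlib
import re
from collections import Counter

# Zeppelin/Buran append a victim ID of three hex triplets, e.g. ".23E-1A4-DC9".
ZEPPELIN_EXT = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$", re.I)
RANSOM_NOTE = re.compile(r"ALL YOUR FILES ARE ENCRYPTED", re.I)
# Neshta writes the original host executable to %TEMP%\3582-490\ before running it.
NESHTA_STAGING = re.compile(r"\\3582-490\\", re.I)

# Paths re-typed from the Files listing below (a few of the 6093 renamed files,
# one untouched file for contrast, the staged dropper and the temp marker).
REPORT_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe",
    r"C:\Users\Admin\AppData\Local\Temp\1994424E.zeppelin",
    r"C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    r"C:\Program Files\7-Zip\Lang\ar.txt.23E-1A4-DC9",
    r"C:\Program Files\7-Zip\Uninstall.exe.23E-1A4-DC9",
    r"C:\Program Files\7-Zip\7z.exe.23E-1A4-DC9",
    r"C:\Program Files\SkipResume.ps1.23E-1A4-DC9",
    r"C:\9067c5701a2f6bcc5b\2010_x86.log.html.23E-1A4-DC9",
    r"C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.23E-1A4-DC9",
    r"C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo",
]

# Digests the report lists for C:\Users\Admin\AppData\Local\Temp\1994424E.zeppelin.
ZEPPELIN_MARKER_HASHES = (
    "93b885adfe0da089cdf634904fd59f71",
    "5ba93c9db0cff93f52b521d7420e43f6eda2784f",
    "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d",
)


def victim_ids(paths):
    """Count appended IDs; the dominant one is the ID stamped on every
    encrypted file and is the extension to hunt for across the estate."""
    return Counter(m.group(1).upper()
                   for p in paths if (m := ZEPPELIN_EXT.search(p)))


def original_name(path):
    """Strip the appended ID to recover the pre-encryption file name."""
    return ZEPPELIN_EXT.sub("", path)


def ransom_notes(paths):
    return [p for p in paths if RANSOM_NOTE.search(p)]


def neshta_staged(paths):
    return [p for p in paths if NESHTA_STAGING.search(p)]


def matches_single_nul_byte(md5, sha1, sha256):
    """True when the three listed digests are those of a one-byte file
    containing 0x00, i.e. an empty placeholder rather than a key blob."""
    data = b"\x00"
    return (hashlib.md5(data).hexdigest() == md5.lower()
            and hashlib.sha1(data).hexdigest() == sha1.lower()
            and hashlib.sha256(data).hexdigest() == sha256.lower())


def summarize(paths, marker_hashes):
    """Roll the indicators up into the fields an incident ticket needs."""
    ids = victim_ids(paths)
    victim_id, renamed = ids.most_common(1)[0] if ids else (None, 0)
    return {
        "victim_id": victim_id,
        "renamed_files": renamed,
        "ransom_notes": ransom_notes(paths),
        "neshta_staging": neshta_staged(paths),
        "marker_is_single_nul_byte": matches_single_nul_byte(*marker_hashes),
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT_PATHS, ZEPPELIN_MARKER_HASHES).items():
        print(f"{key}: {value}")
```

original_name() matters for recovery planning: because the ID is appended rather than substituted, a file inventory of the encrypted host still tells you exactly which originals were hit, and a restore from backup can be scoped to that set. The Neshta check is the reason the submitted sample should not be treated as "Zeppelin" alone: any executable the infected host later runs from Program Files is itself a carrier, which is why the report also flags the executable file-type association change.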

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe

MD5 f42abb7569dbc2ff5faa7e078cb71476
SHA1 04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256 516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512 3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EAO45EME\30PISW01.htm

MD5 6ebbeb8c70d5f8ffc3fb501950468594
SHA1 c06e60a316e48f5c35d39bcf7ed7e6254957ac9e
SHA256 a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1
SHA512 75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

memory/5532-140-0x0000000000F60000-0x0000000000F61000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B59V21Q5\VZSG5IXM.htm

MD5 2ecbd831dd268171871be3a7341717ee
SHA1 a1365aa4ddd52cc873c9def7f26aa9848db6434e
SHA256 83006c3ef95cac56570e99cbcff4b7e22120eecbea5f1957cdbd7d40a52cb077
SHA512 4e5ff688f7a714dbefdd3673d9ea765c5beee762de365d233efd3715e1777ffe0d966c7d382ea0d34b50ce857ad90f14b373adcd7bf43bcc925e8ebc06c882e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

MD5 76fa27fb63eff3571cd3c560b3d31d94
SHA1 38aa570df468560b72cfe2146b2b5230a016fceb
SHA256 82d9aa236976888cf1d702a31387b2cafb74acfbe23fd9547615777e007c2a2f
SHA512 81398bb8c31373a53d7439a840eafe6f0cbf824728cbaf42477b11792639f7b71fe549a6f65ad11b0cc5713fc3461e29156557bc60b9b4a6a49785238555f95a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

MD5 4409f9540813d8809b0f92f65ff349c3
SHA1 8e1307f50dcb5b5155ab91b0873a789c4d9c891b
SHA256 acf57e17a04092a4e4cad5951de3b4cf8bfddbf73062eff0eb5c06cb5fc147ee
SHA512 e487189eb87575263a488ebbef2d11b40d705eeaece0c75ca649da1d21cfe71872a2c1cb434875b281894f2b53907168e37da67111ab93c81d6f1f506424a334

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5 5668164eb963fe09048b527314036d40
SHA1 bb0e06ae9d59f4f47a8f95ecb651a6ce6916d09f
SHA256 ea9e21ca506dcacf78c8935b241d1b018d78250a38fa265294b4c83f1d5f02a7
SHA512 f008d664bd96fa7b164d5e2535bb842200aa1054af727acc1317c61783e914fe7d436b98b88e6406a64a8787693745fbf2b147113db0ded6ba1a406edb199ddf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5 a9ae7e1b2380dcf96b60df1d04b4c63b
SHA1 a88aef0e9ddd9922a38ce4f96765bcb2b4433fd1
SHA256 4dfc139635048919911dc510ebe48da8a6e172a6be8f177a396eea228b7ea22f
SHA512 46a62f2bd71407fe6d76d48892945c08c7d34164fc779792c9263bb3619508183dc07957a4ecc6ccc5da04b292fe93f77fbf7bf23ce560fdc8b1a9b0ed1bc57a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 d06e4d85c8c9d9d1ea0cfa6bedbdd7af
SHA1 f754bf54e36c78a95e590253b27886c820fae8e8
SHA256 0b6f62fb10638c8ec2ef069d9421cafef677d0418306fa9abed18a7ab06a83b5
SHA512 6c22f8eece2046ffae578f878a85b6911dd78ea090653a6996b7e58b8601d17107f8448b7163451d1fd0b3d79a54247fd64e3934e62d516680e2bf59040201e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 263a8ce5d9f7c5d0e9f2b24455f8edac
SHA1 4ead9273bd2dba0ef0f947635a6e4436c38e72a3
SHA256 c65f33b1d518cb6d50177fbbaa69aeb32c63fea5643aed21fa2ec4cfa79c6977
SHA512 c30004e186a7ff1bcf9465093c039b93a8c4eabd4f8559346204a2c4b1d7e6c74c0002ac51bb227a1ff4b4a47ae9f41e3a9e034fd15ecc5f13a1395a92ec2c4d

C:\Users\Admin\AppData\Local\Temp\1994424E.zeppelin

MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SHA512 b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

memory/2852-169-0x0000000000980000-0x0000000000AC0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 4a90329071ae30b759d279cca342b0a6
SHA1 0ac7c4f3357ce87f37a3a112d6878051c875eda5
SHA256 fb6a7c3edcd7b97fabc18855102a39fc4d6d3f82c0fdd39b1667807b71b9c49b
SHA512 f0e206053d4369437c2c0f1f90f0fd03d631e4b9859d807049b41efde823d64cf4d75c28316d932360f7c03bd409e923c8bc2d4f5959361feacecfcf101ae823

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 088ef1d77bf3770ba7dcf62b14d13875
SHA1 363dbc41c1fccfe38e75339e8b78d13362e8fc3e
SHA256 cb022af1919f3064b229f35816d4546175fcccbd72710b9e125667b19ef26b7a
SHA512 d257a38aaaa52327963f68a1be22aead6456257cc0e49e7cd2a561e198dff7fff277488e2469f3eec1f51f364c9c9821d9b4c76dd15dba4a1888cf3f27d67cf4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 1fbb37f79b317a9a248e7c4ce4f5bac5
SHA1 0ff4d709ebf17be0c28e66dc8bf74672ca28362a
SHA256 6fb1b8e593cb0388f67ead35313a230f524657317ea86271b3a97362e5ec6ad9
SHA512 287e1d62c9ceb660965c266f677c467fbb997c2f5dcd1d63e185e266488aafc3489ac1d3feec81d10f01ce4a72e61a8bc4e124f137ce8675a220aa7797002e74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 122f0337154c3feb1b0b467d607fb3e6
SHA1 f1d2fa664b772721ecdd1ec311b49b28554b43a5
SHA256 bba9420927d0330a321d13dd05eafa7510b67ba3c154c21294159c87a5be0005
SHA512 b47f5832d8594d59b10f8b75b3c324836bd2f3555c593f42d7065db1dc75c9459af9410cf25e9754c32019b9413329f431f1004e473b1e77cccb0956fb24ad77

memory/6072-190-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5812-192-0x0000000000850000-0x0000000000990000-memory.dmp

memory/3548-191-0x0000000000850000-0x0000000000990000-memory.dmp

C:\95a9da8d6083c53f11d88fcfaf8c\2010_x64.log.html

MD5 68aaa0ffaeb037ceefd0045cb3130191
SHA1 28a8f4ea51ddf9d9fe6f03a1f888b3cdf0d8c70a
SHA256 6c27ebd4fca50bce7743090b5218ea47fb4e79d2eff669c9b3e2879c37eeafad
SHA512 5abbd15ea625620f635f8627771a9f9c70692eb87c1105feadd14138ac62763c78b51787b5ae18b2f76e9dab54d69d6c87e1319c26d9f1f2c9f0fd1f16218376

memory/4944-214-0x0000000000850000-0x0000000000990000-memory.dmp

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

MD5 139c84eac3667aa7933ed206b6e25cb7
SHA1 946f29c910cc281333a4815c06e9123eaa9e74a3
SHA256 042b8fcd1e161a9932cc3fb309faa588ededc84f622c772cfe4c21fb5a0dd4e4
SHA512 6ae6e9a96aefcd9e313abcde04c388463ce2173a4eae7998a556f941c0be47d307156188e841b12ae52380b9fc00c6406717bbdc9879a08414a8c2d1c52faaab

memory/6072-505-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5812-3004-0x0000000000850000-0x0000000000990000-memory.dmp

memory/6072-8312-0x0000000000400000-0x000000000041B000-memory.dmp

memory/6136-8410-0x0000000000850000-0x0000000000990000-memory.dmp

C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

MD5 019eb657da99238b387e63b87db1649a
SHA1 bc8c241f84f628baae0fafd654c8cb9aa4da99d4
SHA256 ac3907611da22a1161d1e0e0f507f6506dacf25bc494f5b1587dcf3d50171a84
SHA512 0d7eb6ba965f89f24f86571edf7a8912a18ebf484719c837a48394e8fff90be0701b5740ed4edb56f37d97490430c42c1c821f859e5be8b954de0df16ea1f300

memory/2572-10037-0x0000000000850000-0x0000000000990000-memory.dmp

C:\Program Files\7-Zip\Lang\ar.txt.23E-1A4-DC9

MD5 fd71dfe0850fdc562603a5064e00f747
SHA1 5a548beceba6e36658bafb23bc2371b23a299fc1
SHA256 4b0c1644b4f15838b00208f594364ddf83dc1c9ba2a2ca47497d26bbc2eb4c7e
SHA512 b300bb47f22c2748046f32a52de52ab634d5ce9f4811e84623944c6aa7b0451309446c91f0b9d30386eaf9633a4ae916d35024cf10189727045ed33257fc54e6

C:\Program Files\7-Zip\Lang\an.txt.23E-1A4-DC9

MD5 e725157e6f17a3948adfc285648ea7c8
SHA1 2ced7d0b6b18529f2312e0c9d50d9df0230ba0fd
SHA256 8f75c5729c99b967c4ead3486e856cb69c7302f9c54e301ed3b0c733059e4ca8
SHA512 43bb83fb1dff0c7670017c6073fcdf19df53da14540dc1a9185520677c87d48fbeac408d00d4bdbf3635ceee2d3a5c99e43ade9b81e72d90461b77dfe702bb13

C:\Program Files\7-Zip\Lang\af.txt.23E-1A4-DC9

MD5 f8b6bfa2b516f45dbb01c9033f7d3715
SHA1 6300fbd1866e5367367d02358117d46fee76af32
SHA256 94c10f2712e9d306870a4806619c31080d411c0aa52c504800694ae9a0d8db8d
SHA512 47fe1aed442cb3e263e2ce3347ceddefff9c23c7854b2a769c8d4aefd9d96940fc195401220ac3e022f165c0351acbac151e5b32c0436cdb6f49379197a3cf53

C:\Program Files\7-Zip\Uninstall.exe.23E-1A4-DC9

MD5 ac6cf18c504eab058ea3fbfb42e843c8
SHA1 de41cdd71874b596b69f98b0c307df61263e6c77
SHA256 0f59fa16991ba6393ffb14911125783fc5bb14a7a39ded74244d39fcb77e7f55
SHA512 df9963d9dfad796b01c5e3f91bac309204962e164c0dcdb6ebe0f1c732a27af9f65b046b5b231e842feaec5bb99cbdcd8efb374f5daee2d21c1dd5ab0b2af439

C:\Program Files\7-Zip\readme.txt.23E-1A4-DC9

MD5 0054816003e4520be65a070fa527f3e5
SHA1 a55953ed5273fcb069014518ff2a298ff384563e
SHA256 b485c9a13799b9b7920f1cfe72370c9128e3b524261dc54f9a7fd9c515b15a5c
SHA512 5eb10c2ff28ffdd2c0b59639d0c974de024a8fd22fecbe39905d337200b387a69506e47a17163747b4a78a3c2fae7346369f5d71e5344413db6be8ff4d44781c

C:\Program Files\7-Zip\License.txt.23E-1A4-DC9

MD5 5fc03cda6f49437a48ab4c392d086332
SHA1 407167984c056c1c0b0421e620284a18cbc36ddc
SHA256 9f9224c40d66dc9e0183915c5001a656a0438e8d2b3fbb3ef2f41becde62a71a
SHA512 74d6dde51eb22c3b271735dea9f9a8b9ab349dee70dc36aac7f062e9d4dee818aaf1bf52111edca4462e4ade6e439931aa3833bb6eca12695386fd07e2339874

C:\Program Files\7-Zip\History.txt.23E-1A4-DC9

MD5 e35f94fac426ba73fe4ce8fde2387584
SHA1 dede8d016a2e80ddf284f49b94ed959d2cf6421f
SHA256 00eba42d47d7727951b8bcecd42dd793d4376caea19f18e2aa26b3391352441b
SHA512 b6f7deb62808444d84c9fb56b8f64a9f6b7c39a00148e721ba7ff82483adf2bd952c78a8412d8c17f1d71de5a6e85e9af118870e996fce409feb9488d74a431f

C:\Program Files\7-Zip\descript.ion.23E-1A4-DC9

MD5 43ef013d4d2d81fa5d7d8238716a1d99
SHA1 55bb0038b10e5fd827060f65ef4b954880f52db8
SHA256 ac394c1748cc7bcacecea75d85630f49c43fbb6e37f27bc94ea7daafaca58efc
SHA512 f04fb430d2420c6b468dd226596a7806c9c268b08294162579897193b854b86d7386898b35b26d75df09ccab7d55ada2c16655e2b5087711624a3139051e1d20

C:\Program Files\7-Zip\7zG.exe.23E-1A4-DC9

MD5 e36343b368e541c4bc75bb120a38e425
SHA1 406677cf622ab0a35323d17914e0c66d7515e960
SHA256 6ce1d65ba797ae57dace22c092236d80254f532f5f1d4d547548c52a62554b85
SHA512 5d06593147546c7559a0f66ef477880dc514ef8b3c26183fc4bb89cf3aeb8be7514008022fc3f113ea8a472fbf61e2f64deb5d678ee91d8aeaf814b5ec03997a

C:\Program Files\7-Zip\7zFM.exe.23E-1A4-DC9

MD5 558b36575a0838cb97b34a2dc8aa0851
SHA1 03196bb00171ec1eaa3f6c0264576589ab60cc00
SHA256 f7942a59d6b20032ce750b812869d3ae010e267fc4f34a35de94e07508dd42ba
SHA512 68d67f9c0599bdefa59ded56d37a9dbf819115783dd81cf7c33292599231ac318793dc40078c7ddd159b05999206d165f6695feaa8b88cf7673d003ff71b6d92

C:\Program Files\7-Zip\7zCon.sfx.23E-1A4-DC9

MD5 4f6f40b63109bc26cf936ce8e2086835
SHA1 e955f3fdd50f2bd410731606668db482db322181
SHA256 ac04d7e99a3bd84925276c9547fdfbef57f06ea02c6b348e9a480da02960ef48
SHA512 b0ff65774f2fafe113ad6fc7ee6fe1599097811724e5dbf63b2e3548e26e41995c7d8fe16b7231490030a1f890506d53bfdac3e694ffc21ce07548bd6e012062

C:\Program Files\7-Zip\7z.sfx.23E-1A4-DC9

MD5 724cf80b99dd72a4c0016886084a50c5
SHA1 c73cb37b41c07e5575dc2e39c18a9e33a8dea5c9
SHA256 e1bd2fad7b90f40e32d8fc42d941ee858e62b99f77e04aff9c1141a3f6a22f64
SHA512 17e9a3f5369931da8460abfab91b52684a10d3f187999386e04e09f85930d1a445a265bf7003ef422fa5d8b8683977d9d559b6fbc7b10994d9e2f887000fd21f

C:\Program Files\7-Zip\7z.exe.23E-1A4-DC9

MD5 1f74d7336112fdf4f3b716510db967e6
SHA1 208c91d1bda261d0b84bf79312fae87a61ba2df1
SHA256 a7376129296aab49ecea8a7dc1cb68e345ad547704b9030caf712dc10bf9ac9c
SHA512 a6deba88275c98452255edc2b54ff97623cd07d7cb0b839612eb84b952dd3fbf9ed0fc56709077f7b19b74efb5c988e62150db3ab0365780b0e640fce433a38b

memory/3548-10937-0x0000000000850000-0x0000000000990000-memory.dmp

C:\Program Files\7-Zip\7-zip.chm.23E-1A4-DC9

MD5 1ccb3b0fd95d5e1d95fe12637b3e72a4
SHA1 926d420250710aa7b4f08bdf1f1136a1690f1a90
SHA256 2cb211312448dd22d5429bec5972790da5ad9e62506a628558de5b440fa55b15
SHA512 a0960e911862f355a7df8a9a5f47b84e7ebdf0f733c6320a13bf2d7c070d130a91e3388af92ed323ad05e8cf7311d75de236adbe0ba70ccb8e43bcb6cf364302

C:\Program Files\UnlockUnregister.jpg.23E-1A4-DC9

MD5 46687d85387fbb8126cd0ff0690c0f52
SHA1 98c8f51107c8e7661c9749997dfd4bb15ea96a80
SHA256 dae2dd8c9635e94def2a76824413e0cc8a1b940c651546938f566c5897c5a7e2
SHA512 f962632cd12b816ea83ddbd10fcd17490e921acb092b92bf4f959edf5b0caea7c1300bb717b53fbb1d7ba6c7b53f0ecd5b909a418d83bbee5fec5a42fd96f310

C:\Program Files\UninstallHide.aif.23E-1A4-DC9

MD5 2cd87da2b476083b0a22c17b398c811a
SHA1 6a6b342df762b0f5768f0192fbacf9c4a06c04b7
SHA256 2a42cc32939dc979f008018e585c862bc94db238c07995b28ec04c0955a2ab2d
SHA512 db3d02499425d5b75b14721b68857ef0ddec18dc6f8b985cf39bd16bc7be3bff8ba0d52755e07170932762f54a503262644b0be4118f689245bfbd890c909b2b

C:\Program Files\UnblockSet.temp.23E-1A4-DC9

MD5 e25feff72027e36d67404807b71470a6
SHA1 13871cecce231c82864d8faeb7feb4ead133e7a7
SHA256 c9b097541c6823c4db60f03ac5804e9cdada468c98525cb69b64e9841fad2414
SHA512 64d403dad3aff2c05ae079d7277f29956e4fe0f5f65984b76ff2f50cb3221920e685ed3a1c23891045ec335790c21da2465e6c5a7bfb342321fa4e4a65a36384

C:\Program Files\SkipResume.ps1.23E-1A4-DC9

MD5 9392046a3b39167f4b136798b0090f7b
SHA1 a4c241453d1b0bd8a1ca20507c343b9336b65bf6
SHA256 18ac6e44314ff8dc18b7a2d2cfcef7a98a3819f0174802104fa82836c13e82ba
SHA512 062b15f4b0f18d062990524f16fc10e781f11982fde4c176e1e1701265bf85a29b75e5ff62e1c6e6f23e74c0e9a395651774145400650967f2aca397bc015521

C:\Program Files\SaveGet.jtx.23E-1A4-DC9

MD5 25039238c6c5e8272405e6920f664552
SHA1 421982dbcd20918661f19129011f025854805f05
SHA256 1fe184935121d123292ddee83d240c35bd18a108fe207527e5ccc13ac71d5ab1
SHA512 c1769f44fb2c8663426017a6552dab3a2ff7dccb6b5cd36dd2c0c9ca9dc8bdef0d94bfd8064f31535b89f01fdfffd68e8645b27bd56cbd4f51b17c8820d7987b

C:\Program Files\SaveApprove.scf.23E-1A4-DC9

MD5 dbb6dd9764f23a507a3e5782de2a5c96
SHA1 2945eb261d59f794219e2850fd33745696039fbe
SHA256 7148dcc567a1aa1f68366359a4f29bf3815394087d74ae553d10a3c450e3cf15
SHA512 38c5f5c840553238cc614fa6f8a63ddd281c70a67ac3e728398375172020bbede868d859de9498590a7a0021c898c32c7a99cf586cffcb43c6029b6a1a54bb54

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

MD5 7d7fdeedc4254249385b4af4a98bf9b4
SHA1 b04d769ddb0e4314d8aa7888cfcec322965d1f58
SHA256 7f58c9dd5e9563e878edaf1b3b125cfa042ae44c4d2a5f228036bd557922b9a7
SHA512 2b82c379e26f64358a445f8f0a74f61c3cd694f2e1ecd58f999f0b5c17e00b3fb9bd89908b71e99fe5b26ba7aafa0b70fae0a7d28069fe75fc013691e060e221

C:\Program Files\ResetExit.zip.23E-1A4-DC9

MD5 74cb4fe22dbef7c05b4b3a7799d14736
SHA1 579ff0967d8f86dfd5f38bea8f1d841f39f121b7
SHA256 598535faca2df795bd89e2a5c268a6a93dfb97caa066a0783e187cd8598d90fe
SHA512 e968265c57f50ab95680edcacf62d0749a37789074ce050cc45dbbfa0f930127c9ab9c2faa5a3142b1cc472360e21116320805519e425885b5beaa6c35a05c38

C:\Program Files\RequestDisconnect.vsx.23E-1A4-DC9

MD5 89afa92b6814e985e0b103eba61bceb0
SHA1 1267bb16fbd60a66a83791721f3e3e2e43c83bd1
SHA256 32e1b657fb2a15baa757c7d539da3600e7341a08f83a5e11039887c303494a06
SHA512 de6f88e1b6d26c5e35fa4425aec8e0f0bca8d65af8204a207130833e7163e2552355bbf5bce6ad91f13462a36ae1de53544f65f16050a4a463d6789f896c0ee2

C:\Program Files\RegisterUnregister.tiff.23E-1A4-DC9

MD5 9f911f1688b8a48bc979a26bb8820615
SHA1 574b24ca05a4884f389ef3cc147e323d3d4a704e
SHA256 f0345de0d1c56b4a86b04c0f45868cc7e315316281f60b46eb236f2ffc44ec21
SHA512 1abb9dccf5671de8aecac7d7a1de4546c8e2bde805fefca30c172d9e0e14cde578e9de82c47cd2f2662ba797cd539a05278e434192b6fa649cfa5193831de335

C:\Program Files\RegisterSend.MTS.23E-1A4-DC9

MD5 cab577366893891178d805720f567ce4
SHA1 78d4286f96ee482af11f9df17deb04400bce6a09
SHA256 50c7292458d2017740dce4d059be0a74b02103c0122bfcb57c08866d0039946a
SHA512 b2baf5a6838d4f3c9826fa64f1b02680c88c0e963d22c6193e390af48965038677c7adf3484cdb245a5cc15c3406c743f30f02a5911f5963e456e7158f1681b2

C:\Program Files\PublishDeny.cr2.23E-1A4-DC9

MD5 6bc71f80153d4649949375244c2e5943
SHA1 321de94a5b46eafc65bcd7ca340ae710df8477f8
SHA256 b0751aeb9f53b442ee7546c5a32008f04f08867ad4b28ce0c4faa4d26231df20
SHA512 602246ad3b6196658870d3cfe6ac9081d9dc0df61d6069e7a7d100ca36db07ee1f1f00c366230b4a5650ca42594e44250a5aad28de2a9b8a64d1cacccb823c46

C:\Program Files\PingAdd.exe.23E-1A4-DC9

MD5 094006ed9940b116660c1203ba15e915
SHA1 4ef6ad14d728b0d0c028595d883157a8531a2f8e
SHA256 e2cb7c27cd531d59d00e87ce8f548dad5222b734011b5b5d48d0e5c750341e1b
SHA512 5e52b6f43cbf0a0b1f95eb98ccf9cafbe27771aac3ab6684efb6a8740ea1cce63751f0bbc855641e18db40a83c98f220e4b218c7d014c19eec4049ba63730ff1

C:\Program Files\MergeRename.mp4.23E-1A4-DC9

MD5 1c41720fca5d460bc0ea1cf99e93a946
SHA1 3b2323ae4fe7f149f543e1293f685a975f270cae
SHA256 e9dde71d7fe42a83dde09eb1564ce8de446949b6e965105cf92049ec2e02313b
SHA512 a250146be8077e20b05ffebe280ec9696664a0aa641d1d4ab04cef7c3500a9c2ce6616a155c22a61216a9956576aceee6fd4acbefc24084c8eab84fd2e0846e1

C:\Program Files\MergeProtect.vsdm.23E-1A4-DC9

MD5 393553f94092d5082eeb54106ce0ebce
SHA1 87a3545052409f6909b3f089ea56ca8faf7e25fc
SHA256 8f63188545da5fc5087db8af76efe1ab9f71ef0eba9ea429ae0ec73ef74da9be
SHA512 2b8c460f330bd080eb63f4e5c1e418027bbb7f6788fc40b2d07507fcbf68fab9d8ea45ec9bf827f05b7d02b07bb253dd91936e485732160132f39f609098f8ea

C:\Program Files\JoinBlock.M2T.23E-1A4-DC9

MD5 47a706338954eb9d066ef8a564354ca8
SHA1 5e44d8eb5035ea3b1bba6ab6ef65d895c2478c99
SHA256 b2ebd927e311b96303eb1d385a99d76de81c047e084dd755d3a00aa0a13580d4
SHA512 eba2e5f56184aa7cbd2bd49bc75a4e4dbfcb62c30f46fa788f72a92b498b662796a965619ec471b3479a1ac4d5eb5a5276d289a75a147c42010b17f6c967a00d

C:\Program Files\GrantMove.001.23E-1A4-DC9

MD5 e4fcbbad2bf24930b32280ebf607f9e6
SHA1 afe9b3064f4ff44d6eaf37405946994e397b3b89
SHA256 50116a08e376884571b17e0b4f6f8bed7d5e329fe491b2170415f37c004b98dd
SHA512 7008c1d6f4a3706805de012cbfd587ba95197cbdfa1e4d58f5cd3eaf0dc7b70fb7e0260e9cbf296a168ae72bcd5db8e88be5945172432ecba9e331d104a40af0

C:\Program Files\EnterAssert.odp.23E-1A4-DC9

MD5 82f00c492c93e16aad568bcd90d757d3
SHA1 22c781aa8e686cc8b93c6059c923bcb3755e5b3d
SHA256 e0f133bb7039828d4aafc0ef26e0ad6d1c45da52960d1b2d8e34e692d605c9fc
SHA512 5cff4ab1f9baff52cbc8f28ecc7aa19ab796d25649e8dd591bda269de7714e652ac5a785ef0a002856f01691682e13966b10ae2dc42b5cd962f2260e2df2493c

C:\Program Files\DisconnectMove.mov.23E-1A4-DC9

MD5 28c5a970d0e417ce57796e24e59e15aa
SHA1 06360857dd61cf62a16043d504d5dbd63e780d38
SHA256 d86f6c9c1580acedefc5634ee91ee1600403a75ab92865d9722dd119b5475d40
SHA512 49555b5d60b765ef86a41964666c587f1267c26d44b8366726a8fbc15c88056a6219350722e6c2da601d88c231f27079dabd636f86435f4dcf78277d95e4506c

C:\Program Files\ConvertToUninstall.odt.23E-1A4-DC9

MD5 c843ff63e55b960b878066608a18ad87
SHA1 a3b964be815edf75abb5e56f8df1cb343355ccd7