Analysis Overview
SHA256: 3be964c7bdd8349bed41823d242f36bc525df6323eedb9e6a7144118984020af
Threat Level: Known bad
The file 2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin was found to be: Known bad.
Malicious Activity Summary
Buran family
Detect Neshta payload
Buran
Zeppelin family
Neshta family
Zeppelin Ransomware
Neshta
Detects Zeppelin payload
Renames multiple (6093) files with added filename extension
Deletes shadow copies
Checks computer location settings
Modifies system executable filetype association
Reads user/profile data of web browsers
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Adds Run key to start application
Looks up external IP address via web service
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-21 10:49
Signatures
Detect Neshta payload
Detects Zeppelin payload
Neshta family
Zeppelin family
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-21 10:49
Reported
2025-04-21 11:42
Platform
win11-20250410-en
Max time kernel
7s
Max time network
125s
Signatures
Buran
Buran family
Detect Neshta payload
Detects Zeppelin payload
Neshta
Neshta family
Zeppelin Ransomware
Zeppelin family
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start" | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | geoiptool.com | N/A | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe -start
C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe" -agent 0
C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe" -agent 1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1852
C:\Windows\SysWOW64\notepad.exe
notepad.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | geoiptool.com | udp |
| US | 104.21.50.146:80 | geoiptool.com | tcp |
| CA | 158.69.65.151:443 | www.geodatatool.com | tcp |
| US | 104.21.50.146:80 | geoiptool.com | tcp |
| US | 104.21.50.146:80 | geoiptool.com | tcp |
| CA | 158.69.65.151:443 | www.geodatatool.com | tcp |
| CA | 158.69.65.151:443 | www.geodatatool.com | tcp |
| US | 104.26.3.46:80 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| DE | 172.217.16.67:80 | c.pki.goog | tcp |
| DE | 172.217.16.67:80 | c.pki.goog | tcp |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js
| MD5 | 1143465183dc4fa3094252d5b48f5330 |
| SHA1 | 8f4f846fdb557f8896c793999bf1e21ac9fb8acf |
| SHA256 | 7847eeb23e4ae4ee17d5d9d90c0954f2610f718bc028496273187fc7ebf5252d |
| SHA512 | 0c09d232a531adae02cd7a54f03a8b8f9de94b06cf02083d6b49b774485e40b428d976af3b8af49118ddca06643215fd34dc65fe6d82269b2648f02d98c203e9 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf
| MD5 | bc0369de99824b89e63aa6bc00761166 |
| SHA1 | 7a1afffca2b156ca681ebcf6c905135fe9386cd0 |
| SHA256 | 21f0d9e6777aac25d182eabe2277d08f8d83e5f4b7efe174d23f57728e521c67 |
| SHA512 | 22055902a56ddff99aeceaec550fd2ff3c0a3170cf0af92819554d49e24ea6444c571bf087529519188ddb885809d7580f3850b78dd7f703c61fa5d786250af2 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf
| MD5 | eb595ace4a6d2c53378585d516ef3f0c |
| SHA1 | b3205943b99ce2e4189713f6eeb62c40c066b8fc |
| SHA256 | 1205b5f9d1597038c3c76fe8e324d7afdbe03465760501dbe0beaee09dc7c4d6 |
| SHA512 | 5f2b4c32e8b8689e35dd13c065c5b0003319d9754a1e3ef328375e77422f7d3b1632f52130c33b58af5d513968c3cf149ff13211b2cc01092c7a4b5f06a0b6c0 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\PlayStore_icon.svg
| MD5 | e7ca1e47be93756715e0af68c809fde7 |
| SHA1 | d6c6cb35debbc9b16d14d72c292ad493f39bd759 |
| SHA256 | 372415af00656d7f2a7cc86a805cad91cc7bd2a55c42e582e4cbf07885b96d56 |
| SHA512 | 855822645e86c5c2cd9a16d830f9022f26c21c777f710a3d3ff3156c8de1cace807a2837dfab7f9d73ec35e1b29515ff2312ccf7b93c735430817b73e42a1485 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js
| MD5 | 444afe1e0686838f573ce083c2efb27a |
| SHA1 | 055ee5537c616b3849819342daa1ae7d237f9134 |
| SHA256 | ac0b1fc903b3f1a075fe35da94c57a275741b835bfa90ee63c7cb99fae53068b |
| SHA512 | fa325110e4f269c0e9ce18321018ee6e21c925db956fadc2e7f9ed9f56403e9809f93e92b009b8f3fbea84385d0d883cf83b9b5449e7e088c3078075858ed927 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js
| MD5 | 5368426eba7e0573636d534d8dfe17f6 |
| SHA1 | b2ea5aa3982d5b5ab406b0a9303ae6c1ddcc9a15 |
| SHA256 | 078f9f7b4b81b617a867755df2c3f46cbb84d687008c07f7b825944ec29f9cbe |
| SHA512 | ee0cae93b1077cd2722d3dd991ba94d32ac3fc88207b5c571c3962c7ec1d279bf2d77fe0d7ef93bfc39270920ffbc5e0b71d7add5ff84224dd3009f1c8a4c02c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js
| MD5 | 6ff3f59b5617062396b8c419d0822170 |
| SHA1 | 6de48c66809b10099a63413e53569b1845e7facd |
| SHA256 | ac8c09f652928028e4f4fc30de4e16d3bbe092d42f19daf8f10504179c32f2e4 |
| SHA512 | 51f8810f0a301cde513b825a50a15922883ced73459a3eeaa580a8ec4dd9c2fc3faf37ee6e9973bad7407302cd8e8cb9ef80e84801944ed0c0e099b7b547159a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js
| MD5 | 64f6aa4291eecd270906ae76cdc7b12e |
| SHA1 | 8b551cca5385daa1aa939ff76fb767977f026bdd |
| SHA256 | 9ef90362e5d8c485f3c30e10cc475619f842f98f244ecafdc722b1f10e27c6f1 |
| SHA512 | 576539a732c26be422d90264e6a525b92d6306f230592205ebf98816855442a9b4545280339ee5b9b75d2bc3ee2a8f2dd3fcd5d821b786fd5fc194791a64c103 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js
| MD5 | 3c22de306b9bf458784cac4c804ad79f |
| SHA1 | 60d180e788996b6d3745df016a38a361d90c01f5 |
| SHA256 | d9fbdcb27841409cdb690cbca0fe44f89a542e6a2c9db731932fa09395765723 |
| SHA512 | f16c8136b55b34673dee5af225c2ca5745e64810397e5318efebfc171662a85b516f4ab1fa8a28ccd276fc4c1b75b79166006340b33a76bb2387697c5638c4c2 |
memory/2364-23543-0x0000000000680000-0x00000000007C0000-memory.dmp
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js
| MD5 | e487975b78771e0d094b32a6069071b2 |
| SHA1 | dfb2a984b80117ba7d056f0e075419668edbfca4 |
| SHA256 | c847bdeee101aefad3fff1a77a74e23c24a21e603bc62e3d02284c61252f2bff |
| SHA512 | 237aacfd1c92e3ec6b7ea487602aeeda9c6749399fafe408c90efcff1438997604263947aa5ffde17da74f9124eb742e142213025f1791d70331268345281e52 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js
| MD5 | e434d0220b2f630aee19cd085a78a7f8 |
| SHA1 | 8997737407130913a2e1f196b1f5374d83bf371f |
| SHA256 | 8170d34a2a4b3169d3d8e5f400c73a750aae6414c9bdee07dc378280830b6682 |
| SHA512 | 8df33bcda343b67365831b4b78b1871db1dfb6ca8fa57990bd45999876f87ff06942b33ac3b005915dd4d7c5b7e9ffafde134facc6da4aa91414c1a16d6371c7 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js
| MD5 | 1a3e94caa006d920156c4483f2d905ab |
| SHA1 | ff465e343fd5045b9fc5e84aa3286fa38e5f4c7c |
| SHA256 | 98407e0a4e66de60709cbbe695fecfcc656bb5b55bf799eff9a7bad801c903dc |
| SHA512 | 1a1ec26e910ede2349be1ffcb1118a06e0fa9916e9fc3249a26d0b431978e48f2efc80db53b446e322bf8e976a43dfa3c62b8f838349bb82d18e6f5d2cb6ff9a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js
| MD5 | 33e5eaff4c72e113734eb0f419a9b68c |
| SHA1 | 035d663bb5e19f6cce05b215362c5ce7a6bc303d |
| SHA256 | bcc4ba592fefb1110a7c99989ce742054337b60a1fcfc76af2c87050b347883b |
| SHA512 | 4a04f49be4e54da2e83e03b73aee9efd8df62ae028d589ce3f081299902937850f507fdd184117ed7777240154602550c9e4386f5a7149050f50f12adcc25ff5 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js
| MD5 | 06e21f12ccf17d25635b2e83bcd0f15f |
| SHA1 | 4ac58fcf2fa9ee66d11bb47c342c6080aa414b83 |
| SHA256 | 7a10a69f3509d529137ffe8361d70457d3cae70d4ad8658944facfd80702cd1c |
| SHA512 | 5f1f4b3178399545fd66b272e72bc105c48ff6dbacf8e742bd1586854403fbb219a8a2cb0d684bf9f13201d19aefe25f77678372f35f6d57f498b523c3fe22fc |
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 6f098c8ea91a106fbed73d94b97697c3 |
| SHA1 | 7cccf6b3e8a63365d820d33bda8e366ec05989d1 |
| SHA256 | acefc391609b3e0455d92af392c8413d826edbcbb3f3d101f5dabce066a8ba52 |
| SHA512 | 5e943a7c811792c9cee2a1410235a6615b9d1e60ddaae959941fe2b2b7bbf9cd38d3de91774fd8de5eb1d923fa63d612c828dc31f45b13d818182427457c5665 |
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
| MD5 | fce16f7fe048f337fafc524630c5c1f4 |
| SHA1 | 7187e11a4c332169c614b018f43557fea4a43b11 |
| SHA256 | e0077849dbdddc09650b09eb7a18fa9406eb80fa5c9f3443c069ce8a55505c89 |
| SHA512 | 8c1da8f9ff506e139d47c927d831cbdcc3683bff98822990ed3d9ad0397d939b09f2f7642a394cb3397671e4242b42e0f6de24efafbbeeb7f25db737d9054ac5 |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
| MD5 | 164c6cbde7d61780a521534e47341051 |
| SHA1 | a525e86ca742d9b789ae5d156cfcd66bcb9a53ab |
| SHA256 | 009a4a1c6a98efe13f926616e96a81f0ee42f3f6c95051cd40bc8185e0cf1c0e |
| SHA512 | c60f4d3651ddc182c6da89f85b1afb61574a0e71cedbe0d693a099b83598ef46c0e00ef9e3cf4222201f9895478460aa3949a08bb6c517da8fcccb55b5474263 |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
| MD5 | 64ee75042c0f5f6851dcb49eb7be25b7 |
| SHA1 | ffe7e98f9e0f8945f33bb792001a4e8c1ef426cc |
| SHA256 | e10dc78b6168764755a86d94194a1b42f4db0ed671fa4a724b3f8d5c27d4a943 |
| SHA512 | 362b126a59d7457febc151c32caf77b1da895be36af4e101f7fa564aeff45d3c86d6b53ff5f2ac20de87196f0ed704a0d37b696a280e24270114999cde8f1ca8 |
C:\Users\Admin\Desktop\UnregisterReset.xla.C07-C33-7BF
| MD5 | aa29d7cc0c2c46a06e80ff7ee2b25b7f |
| SHA1 | 2544c8ad75ffdc42ce0821dd63988e205c23e538 |
| SHA256 | d3a7826d0f8028f9a55e3a77dd7aab714b7af992cf71283155c1fb187a42d8f3 |
| SHA512 | ab74f4ab675d36855097bc373e7e506dc1974c5813dd0ebcecbc00024c73fcbe7efc9981fe16ca837bf8731dd9f8b954003b67df8f9850f597d699113774a07d |
memory/5316-26235-0x0000000000590000-0x0000000000591000-memory.dmp
C:\Users\Admin\Desktop\SuspendUnpublish.xlt.C07-C33-7BF
| MD5 | bd228f859deb5cbfbbb16e22d0dbc6ed |
| SHA1 | 31256f566080f394a20c85fc69e9ca6eb54c078b |
| SHA256 | fd41847aaf8765cc1fb6715cf372ece6f2de68dfd83da33d7a44a37ca79d93b6 |
| SHA512 | 0ca9d34c8768c136747ef4d6de696db4da0ca9dac0e82ae3c5ed154cca1cbcd22ec0a7e144a2130e4d0a9cdf586ad605be0bbfb7ee4b326fe28e0b1010d4a4a1 |
C:\Users\Admin\Desktop\StopUpdate.au3.C07-C33-7BF
| MD5 | 89cd7e4582bbb84796b9be1e32dc6396 |
| SHA1 | 5b4ac5af8f8c018494f9ad4cc6d56da6586c68cd |
| SHA256 | fc23cc369be346fe3b6368c4bbbdcbbdc2d84cef8f685adc9a6196b6ee83987b |
| SHA512 | 0b3150d13a2277131f52f34e10e17be215aa2cd1998ecc47d6c782b7534be3dd2f11e7a839dd3adfcf42f026f619a66180713beb23d57abe6f9beaf48332c7dd |
C:\Users\Admin\Desktop\SaveCopy.avi.C07-C33-7BF
| MD5 | c2ed08ac9364ae71d9bb406b038ef0a7 |
| SHA1 | ae6c561ddc05a138a4383a408b187d93acb155a4 |
| SHA256 | 7e15d7ab15df8aefbb0f19a7671f8063515bb7fc3ffb7a771055ffcdbf975204 |
| SHA512 | b82581bdfb5d7407610b0575ffd866ca82534e037c91ccc1ab79f0a5b73226967fe6859b689fe0cab520597cbb46c6ad7736789fa5ee2f4856fc5a1af2597b16 |
C:\Users\Admin\Desktop\SkipStop.docx.C07-C33-7BF
| MD5 | 890bb3cafb149dde37af1a28992b0d0d |
| SHA1 | 7101d1cd54acfcb4f63d306745643b64caaa2bd5 |
| SHA256 | 2a9dffa1b1e75c4d05454902ba4d5d594c1bcbaa6410ca8238947fee1e73bbc5 |
| SHA512 | 50ca21534b50cf1e8a0ba0b7f4f668d43a671b3e161bd90580bcde574101125f2c9ef6261d5cd6e1131803723d784816a4ac299dcdee21c1c66a8b95cfeaca8f |
C:\Users\Admin\Desktop\SkipRename.raw.C07-C33-7BF
| MD5 | 3d9a719bc21dd465176064f659a94c11 |
| SHA1 | 687182933c91cb37c75794b21516995ba4b8b167 |
| SHA256 | d303a7e0e74a138ec48d6258813752969faa9f873694031c183da9db1d84ecc6 |
| SHA512 | eb878ccca45f140c77ee9b30b28852aa9872cc50333f96e484ffd0c94f402eff01300ef4528f99d19b0a12721c5282ef47ac70d7b3b311ccb49a4ecc875fc1a4 |
C:\Users\Admin\Desktop\RevokeResolve.7z.C07-C33-7BF
| MD5 | 250e75d89f35ab8af09fad78a57b3c95 |
| SHA1 | 469970d71698e68d108b869b21092f89ecf47cb8 |
| SHA256 | 3cdf0d59acc2986d3323af73a9c16832cc1b27f39ba337acbb4baafaf4c01ca4 |
| SHA512 | 59c9f9f4580755101ac3e1ba918a0986422516fa00a8b13468c07b6716a4642d1ff819fb99e1f23b59ac8ce375156f301016d0ba7af978e1f3812c1c3f821afb |
C:\Users\Admin\Desktop\ResumeUninstall.jfif.C07-C33-7BF
| MD5 | 785e1b8f94cb325f21f394f4d99dfdab |
| SHA1 | c1f1beeb3bfd075cc2ed61a447968192d16139ba |
| SHA256 | 29accf0c05521a54354297bd45a450116b01394948e9710f2ef7586b3a6849b5 |
| SHA512 | 6e86adc1014d09bd7b991eb036331c8a0bdcde1f0cfe02a5540a7a73c8d253161fa645c84d70c37a87e3b0d926242849d26c0d23b79e869e9412cdca01709bdd |
C:\Users\Admin\Desktop\RenameInvoke.lock.C07-C33-7BF
| MD5 | 7cf4f7e9edc42dd8d80eb9218d1f632a |
| SHA1 | 2910ac8b6c197d4eca11e39da48e8ae164994413 |
| SHA256 | b60dd832f757477dbabf5313e1eea1a306138532705099f4b73a3cf1d783e1a3 |
| SHA512 | 9006661918d02930f52815f933a727b487b15bcd000d112477b67dc6d31e8ec516d2235313ffe48dd9f1e787ef0835819a1234b6d0cf6ee5c305db0bd8168582 |
C:\Users\Admin\Desktop\ReceiveSync.docx.C07-C33-7BF
| MD5 | 52abb30dc0257e1c1095cdb2e2d3ab83 |
| SHA1 | 55463256683d5a9d3bb4599a09c656b18c50a5ae |
| SHA256 | 2c26f57b91fdf2880afacd123d3e3183122dbf59e99237a5f415b9c911892f59 |
| SHA512 | 1da21ea7d539d0dad304d981ca9a8267aa8f23a4963d8496e46f1843cc1de4cccd09b62dd9a750759ac2ec0260fcf058e89899b9173a315e8b224520ab040c03 |
C:\Users\Admin\Desktop\ReceiveMerge.ini.C07-C33-7BF
| MD5 | e92e4a69706108c35d67b6f206cfdfe1 |
| SHA1 | 7c0e640c31360ab3d1ffe6979283f00153501828 |
| SHA256 | 377df4b5c5d4b84436caf00dc9eead3416ffafcfb18b29c7c336c52f0fdba5b7 |
| SHA512 | 9bdd599d3ed7ff476a40cd480536bac483878b2e802d7c32e865d29d19ef0a1fd4846ea97f5e021b78bd5356026bd29d460ab8b8be0592391359b6ee382aff69 |
C:\Users\Admin\Desktop\ReceiveExpand.m4a.C07-C33-7BF
| MD5 | 41fbc279c07730b59cee21e19cf0e995 |
| SHA1 | f0bc147fa2245dca00b5ad1085bf5ff49504bd00 |
| SHA256 | 18a7bd39ade5ea15c4ab84b4c29a118ff8c871ea76c1f12833f89b69a411c0f1 |
| SHA512 | 47b7f975d6e578770c428c8c43a6d0c86f5e8a23a7de5cd77c7c2c5da73a4e23440e0256622af980d71209153f82aed0dbc8bc9ccb19707ce1e6606c5da2bc0a |
C:\Users\Admin\Desktop\PublishProtect.midi.C07-C33-7BF
| MD5 | aebe81ccddbf69e708980b0ba95a931b |
| SHA1 | 8640f98b5ac25f088d7a302f9550efb0ae120595 |
| SHA256 | 58390e0ba1510f86075580a53d37a0187ce9a064ed1d21678d409a241ca1d610 |
| SHA512 | 19b8cb2ab453d813ae9c28e143183e79ccac4d95382ca6aa92c2a693a0de61afaba37224d27a021895bcedd3b5fbff47b13ce0e526164edf7d30dace2c4f8cbb |
C:\Users\Admin\Desktop\MeasureEdit.potx.C07-C33-7BF
| MD5 | 23ef2c4016330447cf53b90dc8388103 |
| SHA1 | 088cf955e68f572a3a5e1c6b6a4e09097d4ca304 |
| SHA256 | 7e37c8530d93ea505aca131f1545d253b7fa7330d133a2260c4bcd6d3b77e023 |
| SHA512 | c1b0f27d30fcb106a658710300a7370423b04004dc39d514279169d9d540e44c67ef7712278cc4f23383f6f042b70047f38439f063cd8cb197b0a76b6190554c |
C:\Users\Admin\Desktop\LockFind.mp3.C07-C33-7BF
| MD5 | 4980fc6de483f0b77c223b9beb108ef1 |
| SHA1 | 6bc22c968ea0fe1a7aaa8f9a417e0c078942313a |
| SHA256 | 872fa51d0c0d91e0bbd9fcec55b1fbf1e894da01deb70e6fa12d55cb118051e5 |
| SHA512 | c4eff54ecff0c91e18ce720abaebcee4803ff6d9b6cf9d49f961d53cf8b4e44328dd7140d94634397cc21cb6ac571b39e355c34bb5acdadb919af80f2c39f38a |
C:\Users\Admin\Desktop\LimitPublish.tiff.C07-C33-7BF
| MD5 | 2b766e50958808c6f923bdd98d7a090a |
| SHA1 | 7e0704aa9fb52d67567de0b879420af87d13a7c9 |
| SHA256 | 448cb6b597199ab77a7d3fed8b87ed880d6d79755c15733642e6c3a0595d2603 |
| SHA512 | a7f604bf80bcb6ffd882a07d8b153d62d22173dc11b35746f758945e50a86fdf3ec72f6a9b401e298e674120fbebef75339dfb35d3f95a1d3ae4a02cbde68caa |
C:\Users\Admin\Desktop\InstallWatch.mpp.C07-C33-7BF
| MD5 | 122fb4c6305a30364c14eb1e8a8858c8 |
| SHA1 | b74337f48d62fd54d4773af34052c53e4b4c2887 |
| SHA256 | 5c7670b8278986e57758f80e14b316586095991f102fbb1259272d80679f7a3c |
| SHA512 | 8e18024e0f42b9939d76a0bb4045eaeac760f7c7090fa6bbb89ca1bb68e26a17e79b14189577c2459f0c3c8e890e2413b6d8622c13c831f4f85e819c5752ed09 |
C:\Users\Admin\Desktop\InstallUpdate.pptm.C07-C33-7BF
| MD5 | 01608c31c6fb0c8a6e048dd8669a17f7 |
| SHA1 | 829a35df0ce36b51fef2e286a37fe1db66810ce9 |
| SHA256 | 1270c45c097a1b45c87e13949dff34e49ef1f48d3bd1b2c418fabde7d4a78bb1 |
| SHA512 | 978ae8ec5e650e395daed03262ca4dd59fa9d1d54147b3411c0e481a98aef71b93cdf01fd3a7dff196468502c679d723661a6be65afee60210229835b2f4435f |
C:\Users\Admin\Desktop\GrantCheckpoint.tif.C07-C33-7BF
| MD5 | 5e9fcf7eefbae550b32e08a28ef156c3 |
| SHA1 | 3e3c0ecda544b2d1124dfe7a1f67ffc9864ab78d |
| SHA256 | 3730a89290dd4f8ef3913b684b0013307c0147d2f63db6c9fad84e7addb88155 |
| SHA512 | 5c986a721bc492359304ee5278e77823c451ea1cf3657201208ace878c8890f077715ff8cabc57fccb10b204e8558500087d77ecbbd4520c6c3738d3153fce73 |
memory/5492-26236-0x0000000000680000-0x00000000007C0000-memory.dmp
C:\Users\Admin\Desktop\FindInvoke.avi.C07-C33-7BF
| MD5 | aed4d7e25473945738168b8e665849ff |
| SHA1 | afe83b7a0f6c398771fe7b45652ba3e992bb4950 |
| SHA256 | c266a400e2d4ba0a89f308063a7386482b269937f172bf462c501a67488ff632 |
| SHA512 | 4f996bc0ee0545772287d294c38708ccf898c79bbdffe95da01a74092abff88f439f71b22f84a6b952c20e2501e333c4f258147a35ac6d9672eef9b3c796123a |
C:\Users\Admin\Desktop\ExportMerge.xlsx.C07-C33-7BF
| MD5 | 83e43afb7e35ddb127772ada3bad53ad |
| SHA1 | d1a3dc4486d8eff8254cde1bd477aa233764e210 |
| SHA256 | c8758819feb020f3a5ba5f16f6736fecd9b9c48baa6c17d87003dc61cf31a694 |
| SHA512 | ef4f748a244859b32f7d18746225dbca29e82c115f2d97a432a6421b10952fd4e657f13cfe801551a2336f242023eca25c0a36c1d8d57047fd7ac9deac388e7f |
C:\Users\Admin\Desktop\EnterExit.ex_.C07-C33-7BF
| MD5 | d7ad4cd4e47671805a7228994f4d2404 |
| SHA1 | a861ebb75532440165db4e570f47a5b5e2ab2967 |
| SHA256 | 06aef5c2b384a56d9a0f9cc7ca575ed72349562a1d619fc6801a227713b788d1 |
| SHA512 | 3d21aa1a302862d7f10a1b4998e2c8ec51c7f157451933127c729135892196e6170497407b09c11f221df6cd036f89c60cb8a82a86729511540088d8a3da787a |
C:\Users\Admin\Desktop\DenyConvert.M2V.C07-C33-7BF
| MD5 | 9032a5c93528eca43c8bc3a81234f237 |
| SHA1 | 7658665ec64c30af3274fdaa6e08110b2e10e9f9 |
| SHA256 | 07251095998b90c8c1d4d69413c87dd730f79c28dd10ca511cf9175004b43685 |
| SHA512 | 9db9b7ae7b58a4b7d1971e57f6ab06ef987e5d7b4e020f82c4e1383fdfd0564ee78b8653972bcd8340725b2828d048cf185c70293f6c0eb3d406638b8698c2c1 |
C:\Users\Admin\Desktop\ConvertMerge.xlsm.C07-C33-7BF
| MD5 | 9fc96ccc69f2ee556c4a1e1cd944915f |
| SHA1 | 86c355b87579066b7fd4ae0a1ecd79408e2e52c6 |
| SHA256 | 070e20ff8ad4320aa2b4c49c828456b0d3f8baddc55e42dd7ddfaf5d7eeef144 |
| SHA512 | 598d025841e548e9b52448a728a9fb35cc829d7fcdf06a43988b62a530629bf4309f1996f8f64e5293bc41a61e09359c65422f83005465ab9c5edc1a6d4683e2 |
C:\Users\Admin\Desktop\ConnectSubmit.xlsx.C07-C33-7BF
| MD5 | 96a8d01a2af9659a0ee572b30245a088 |
| SHA1 | 30418fb247cbfe6380af66aef639fcc1b75c8141 |
| SHA256 | f41a2511309f1110f294272db2caa25299d1df35120ee67ccf3bad63b671b416 |
| SHA512 | 68a569d4e2b8702418576a6a401aaa3b671e45a4d8587face1794394c99d89ee3616384259d549465793d6d296caea8b9aa1072b29b4193ded0271cac4da26bd |
C:\Users\Admin\Desktop\CompleteRemove.vdx.C07-C33-7BF
| MD5 | fa666c0c27144fc52e02016572489b02 |
| SHA1 | 28c9bcd9d0302e68c2bf3418c58abd4af8d853c9 |
| SHA256 | cc48f207b79fc4e6ae55387d85af7b46a6c4470fa48eab7e19106f0e14697c42 |
| SHA512 | 14eb29d27c6f5409b21f8875678e3c86015f1c45f5dbcab140ac14d79228ae0084dc3e4f3e1f15704a3de4c86186f51ff19cf5dcfb0afdfb792a5389e9e29d65 |
C:\Users\Admin\Desktop\BlockJoin.3gpp.C07-C33-7BF
| MD5 | 0acffb8012d650608df4c2890c858e2e |
| SHA1 | 39cb5ec11c97431eff36553ebe47bc11c9fcf276 |
| SHA256 | c33bd9fceb75009975dc73318156a181700b32ec21ffd505bb4dc55c1d3a2f7d |
| SHA512 | 51e47cc46f7f701f06452bb6a26e82e724bf9a9d144ee8cc526ac1e91aed91d7d5e460c3a8b4e7c67ee68cb7f3009a31f7c0ed55a9bb4da26105fad401bc162f |
memory/2364-26207-0x0000000000680000-0x00000000007C0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted: 2025-04-21 10:49
Reported: 2025-04-21 11:42
Platform: win10v2004-20250314-en
Max time kernel: 149s
Max time network: 142s
Command Line
Signatures
Buran
Buran family
Detect Neshta payload
Detects Zeppelin payload
Neshta
Neshta family
Zeppelin Ransomware
Zeppelin family
Deletes shadow copies
Renames multiple (6093) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start" | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | geoiptool.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Error.m4a | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-unplated.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-white_scale-125.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-20_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\MediumTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-200.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\view.html | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-100_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-logo-40.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\hscroll-thumb.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\el_get.svg | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteMedTile.scale-200.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsLargeTile.scale-100.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected.svg | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\View3d\3DViewerProductDescription-universal.xml | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-200.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsyml.ttf | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\ui-strings.js.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-200.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\ui-strings.js.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\et_get.svg | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-24.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons.png.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_SplashScreen.scale-200.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewer\LoadingSpinner.glb | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluCCFilesEmpty_180x180.svg.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\PingAdd.exe.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSAN.TTF.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\dash.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\scan.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt.23E-1A4-DC9 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-04-21_8981ec8170d7378709b0f9989b04a922_darkgate_elex_neshta_zeppelin.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe -start
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | geoiptool.com | udp |
| US | 104.21.50.146:80 | geoiptool.com | tcp |
| US | 8.8.8.8:53 | www.geodatatool.com | udp |
| CA | 158.69.65.151:443 | www.geodatatool.com | tcp |
| US | 104.21.50.146:80 | geoiptool.com | tcp |
| US | 104.21.50.146:80 | geoiptool.com | tcp |
| CA | 158.69.65.151:443 | www.geodatatool.com | tcp |
| CA | 158.69.65.151:443 | www.geodatatool.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:80 | iplogger.org | tcp |
| US | 104.26.3.46:80 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 172.217.16.67:80 | c.pki.goog | tcp |
| DE | 172.217.16.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 172.217.16.67:80 | c.pki.goog | tcp |
Files
| SHA256 | 18ac6e44314ff8dc18b7a2d2cfcef7a98a3819f0174802104fa82836c13e82ba |
| SHA512 | 062b15f4b0f18d062990524f16fc10e781f11982fde4c176e1e1701265bf85a29b75e5ff62e1c6e6f23e74c0e9a395651774145400650967f2aca397bc015521 |
C:\Program Files\SaveGet.jtx.23E-1A4-DC9
| MD5 | 25039238c6c5e8272405e6920f664552 |
| SHA1 | 421982dbcd20918661f19129011f025854805f05 |
| SHA256 | 1fe184935121d123292ddee83d240c35bd18a108fe207527e5ccc13ac71d5ab1 |
| SHA512 | c1769f44fb2c8663426017a6552dab3a2ff7dccb6b5cd36dd2c0c9ca9dc8bdef0d94bfd8064f31535b89f01fdfffd68e8645b27bd56cbd4f51b17c8820d7987b |
C:\Program Files\SaveApprove.scf.23E-1A4-DC9
| MD5 | dbb6dd9764f23a507a3e5782de2a5c96 |
| SHA1 | 2945eb261d59f794219e2850fd33745696039fbe |
| SHA256 | 7148dcc567a1aa1f68366359a4f29bf3815394087d74ae553d10a3c450e3cf15 |
| SHA512 | 38c5f5c840553238cc614fa6f8a63ddd281c70a67ac3e728398375172020bbede868d859de9498590a7a0021c898c32c7a99cf586cffcb43c6029b6a1a54bb54 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi
| MD5 | 7d7fdeedc4254249385b4af4a98bf9b4 |
| SHA1 | b04d769ddb0e4314d8aa7888cfcec322965d1f58 |
| SHA256 | 7f58c9dd5e9563e878edaf1b3b125cfa042ae44c4d2a5f228036bd557922b9a7 |
| SHA512 | 2b82c379e26f64358a445f8f0a74f61c3cd694f2e1ecd58f999f0b5c17e00b3fb9bd89908b71e99fe5b26ba7aafa0b70fae0a7d28069fe75fc013691e060e221 |
C:\Program Files\ResetExit.zip.23E-1A4-DC9
| MD5 | 74cb4fe22dbef7c05b4b3a7799d14736 |
| SHA1 | 579ff0967d8f86dfd5f38bea8f1d841f39f121b7 |
| SHA256 | 598535faca2df795bd89e2a5c268a6a93dfb97caa066a0783e187cd8598d90fe |
| SHA512 | e968265c57f50ab95680edcacf62d0749a37789074ce050cc45dbbfa0f930127c9ab9c2faa5a3142b1cc472360e21116320805519e425885b5beaa6c35a05c38 |
C:\Program Files\RequestDisconnect.vsx.23E-1A4-DC9
| MD5 | 89afa92b6814e985e0b103eba61bceb0 |
| SHA1 | 1267bb16fbd60a66a83791721f3e3e2e43c83bd1 |
| SHA256 | 32e1b657fb2a15baa757c7d539da3600e7341a08f83a5e11039887c303494a06 |
| SHA512 | de6f88e1b6d26c5e35fa4425aec8e0f0bca8d65af8204a207130833e7163e2552355bbf5bce6ad91f13462a36ae1de53544f65f16050a4a463d6789f896c0ee2 |
C:\Program Files\RegisterUnregister.tiff.23E-1A4-DC9
| MD5 | 9f911f1688b8a48bc979a26bb8820615 |
| SHA1 | 574b24ca05a4884f389ef3cc147e323d3d4a704e |
| SHA256 | f0345de0d1c56b4a86b04c0f45868cc7e315316281f60b46eb236f2ffc44ec21 |
| SHA512 | 1abb9dccf5671de8aecac7d7a1de4546c8e2bde805fefca30c172d9e0e14cde578e9de82c47cd2f2662ba797cd539a05278e434192b6fa649cfa5193831de335 |
C:\Program Files\RegisterSend.MTS.23E-1A4-DC9
| MD5 | cab577366893891178d805720f567ce4 |
| SHA1 | 78d4286f96ee482af11f9df17deb04400bce6a09 |
| SHA256 | 50c7292458d2017740dce4d059be0a74b02103c0122bfcb57c08866d0039946a |
| SHA512 | b2baf5a6838d4f3c9826fa64f1b02680c88c0e963d22c6193e390af48965038677c7adf3484cdb245a5cc15c3406c743f30f02a5911f5963e456e7158f1681b2 |
C:\Program Files\PublishDeny.cr2.23E-1A4-DC9
| MD5 | 6bc71f80153d4649949375244c2e5943 |
| SHA1 | 321de94a5b46eafc65bcd7ca340ae710df8477f8 |
| SHA256 | b0751aeb9f53b442ee7546c5a32008f04f08867ad4b28ce0c4faa4d26231df20 |
| SHA512 | 602246ad3b6196658870d3cfe6ac9081d9dc0df61d6069e7a7d100ca36db07ee1f1f00c366230b4a5650ca42594e44250a5aad28de2a9b8a64d1cacccb823c46 |
C:\Program Files\PingAdd.exe.23E-1A4-DC9
| MD5 | 094006ed9940b116660c1203ba15e915 |
| SHA1 | 4ef6ad14d728b0d0c028595d883157a8531a2f8e |
| SHA256 | e2cb7c27cd531d59d00e87ce8f548dad5222b734011b5b5d48d0e5c750341e1b |
| SHA512 | 5e52b6f43cbf0a0b1f95eb98ccf9cafbe27771aac3ab6684efb6a8740ea1cce63751f0bbc855641e18db40a83c98f220e4b218c7d014c19eec4049ba63730ff1 |
C:\Program Files\MergeRename.mp4.23E-1A4-DC9
| MD5 | 1c41720fca5d460bc0ea1cf99e93a946 |
| SHA1 | 3b2323ae4fe7f149f543e1293f685a975f270cae |
| SHA256 | e9dde71d7fe42a83dde09eb1564ce8de446949b6e965105cf92049ec2e02313b |
| SHA512 | a250146be8077e20b05ffebe280ec9696664a0aa641d1d4ab04cef7c3500a9c2ce6616a155c22a61216a9956576aceee6fd4acbefc24084c8eab84fd2e0846e1 |
C:\Program Files\MergeProtect.vsdm.23E-1A4-DC9
| MD5 | 393553f94092d5082eeb54106ce0ebce |
| SHA1 | 87a3545052409f6909b3f089ea56ca8faf7e25fc |
| SHA256 | 8f63188545da5fc5087db8af76efe1ab9f71ef0eba9ea429ae0ec73ef74da9be |
| SHA512 | 2b8c460f330bd080eb63f4e5c1e418027bbb7f6788fc40b2d07507fcbf68fab9d8ea45ec9bf827f05b7d02b07bb253dd91936e485732160132f39f609098f8ea |
C:\Program Files\JoinBlock.M2T.23E-1A4-DC9
| MD5 | 47a706338954eb9d066ef8a564354ca8 |
| SHA1 | 5e44d8eb5035ea3b1bba6ab6ef65d895c2478c99 |
| SHA256 | b2ebd927e311b96303eb1d385a99d76de81c047e084dd755d3a00aa0a13580d4 |
| SHA512 | eba2e5f56184aa7cbd2bd49bc75a4e4dbfcb62c30f46fa788f72a92b498b662796a965619ec471b3479a1ac4d5eb5a5276d289a75a147c42010b17f6c967a00d |
C:\Program Files\GrantMove.001.23E-1A4-DC9
| MD5 | e4fcbbad2bf24930b32280ebf607f9e6 |
| SHA1 | afe9b3064f4ff44d6eaf37405946994e397b3b89 |
| SHA256 | 50116a08e376884571b17e0b4f6f8bed7d5e329fe491b2170415f37c004b98dd |
| SHA512 | 7008c1d6f4a3706805de012cbfd587ba95197cbdfa1e4d58f5cd3eaf0dc7b70fb7e0260e9cbf296a168ae72bcd5db8e88be5945172432ecba9e331d104a40af0 |
C:\Program Files\EnterAssert.odp.23E-1A4-DC9
| MD5 | 82f00c492c93e16aad568bcd90d757d3 |
| SHA1 | 22c781aa8e686cc8b93c6059c923bcb3755e5b3d |
| SHA256 | e0f133bb7039828d4aafc0ef26e0ad6d1c45da52960d1b2d8e34e692d605c9fc |
| SHA512 | 5cff4ab1f9baff52cbc8f28ecc7aa19ab796d25649e8dd591bda269de7714e652ac5a785ef0a002856f01691682e13966b10ae2dc42b5cd962f2260e2df2493c |
C:\Program Files\DisconnectMove.mov.23E-1A4-DC9
| MD5 | 28c5a970d0e417ce57796e24e59e15aa |
| SHA1 | 06360857dd61cf62a16043d504d5dbd63e780d38 |
| SHA256 | d86f6c9c1580acedefc5634ee91ee1600403a75ab92865d9722dd119b5475d40 |
| SHA512 | 49555b5d60b765ef86a41964666c587f1267c26d44b8366726a8fbc15c88056a6219350722e6c2da601d88c231f27079dabd636f86435f4dcf78277d95e4506c |
C:\Program Files\ConvertToUninstall.odt.23E-1A4-DC9
| MD5 | c843ff63e55b960b878066608a18ad87 |
| SHA1 | a3b964be815edf75abb5e56f8df1cb343355ccd7 |
| SHA256 | 09e2c9496316a43b7014dafb649c5eee2b2ba16e0a8c7b400bbc3a14c6eddd2d |
| SHA512 | 03a0755e96ab3b2bb11d04ca7267587e73ddaee5d3e5196b62bf9f014112c40b867aec1eb1bfa1bbe9809b0c5b3335e485a9769e6de15e0b355fd1f791c3b302 |
C:\Program Files\ConvertFromResume.dot.23E-1A4-DC9
| MD5 | 1a4bc22cd54c8707c7f2c7d49bb20553 |
| SHA1 | 6ff55ba0409275a513b1f10d9fc72fe10f3f07ec |
| SHA256 | 6c8a59614a4d2c0dc2e89494f03888f768172c7862627279333ff8a98aafe7c6 |
| SHA512 | d75429b1c08e01116ee3079bef1b0253fbd73b143256aa5e3bf07024dad31cf8ed11f2f42b41d0fb27872cd0717dc88ff2b5486638878593a27a13a026f41002 |
C:\Program Files\ConnectJoin.vsx.23E-1A4-DC9
| MD5 | 3930813b5ea87e40d4d747ac23899b2a |
| SHA1 | 739f7c52e74a402754c07ede7e02f0feb6cb6066 |
| SHA256 | cb3aaf955730c75a9121664309169b040f6a0de2a4d8497f8383b51f13fa1f94 |
| SHA512 | 7cf860cac33b2d63a251d907b358f0796663b290a36a96086f5a27d49446c476e8c9b2ab953f9b14bddd430524126924010c61a8981dc6d935cfdf4e3fcdeb60 |
C:\Program Files\ClearMove.midi.23E-1A4-DC9
| MD5 | ea72728d15b93cd30090a6448edb69e9 |
| SHA1 | d521cfbf5bcb4dedb6cc40bd41700c5f2e797c44 |
| SHA256 | 1719a9730730217c72d942205ae0dd5bac04bc696902d92e6433db964765beb4 |
| SHA512 | bf54dd0cc4cab57cb3c6a4e96022de94bfeace88b8e9d282d033f3bd616b91c8bbb53458d86d2fac0eddc12401b077192536fecc73014524e31564e327c5861f |
C:\Program Files\CheckpointUnpublish.ppsx.23E-1A4-DC9
| MD5 | c22e7fba0677bdd1e68018050a3d309b |
| SHA1 | 5587062789d1ca180aada8f385569fd11bd4f65e |
| SHA256 | 1a608a10aa5915463f3c199adba7ec5652de9df1bfdbc09eb2b2126e2d4a7601 |
| SHA512 | 03c7aa2867bde6472887d4fdd6280b31661f7683716c701b45001fdd4c68c5f6a82128ce17e9b366bb501a8ab2abadc6cbf4968269c8a3bae2fa27806c7dccbf |
C:\Program Files\ApproveSwitch.png.23E-1A4-DC9
| MD5 | 6dd86fe24b6f54a9e80b316f18133e9d |
| SHA1 | dfede75ee3b755e3ade2d3deee173e66427b0ea5 |
| SHA256 | 4f76b88462d52e63203623fccf29e32f6d6ee417fcfa0ca839c37fd3cf13cfab |
| SHA512 | 32803c18b24dafc4af61a18c90f831e788abdd79b1cc80a580cdf82fbc5419111896d7a4cd0675ec652b4ed2d011902bc48dfb81b21997963c1388e255a3ddf4 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe
| MD5 | b767653268375ec74679777fd53b2fa0 |
| SHA1 | e8e94bac84ed0d18a5c5e6e7c0277d892421da58 |
| SHA256 | a94e80dcab1466c69d1bcaa42f01fd88b57895462e80eb69a052dc0bf3fec896 |
| SHA512 | 7a7f91b09d4b700d329987b75d98945795f11dfba82a94622d6151aab184b2cc90399663d354e3715d24310f2542574dbcd7fdd25de28191a7cbfd96439c8d85 |
C:\9067c5701a2f6bcc5b\2010_x86.log.html.23E-1A4-DC9
| MD5 | d9a494587a1c8c7a55a12b688b52d34b |
| SHA1 | 753a743dc9d17c0a6f0dd790dda6eed95f878d3b |
| SHA256 | 6d6877ab98f48d1ecf479ac1eafb5b34da36b172c9dbb1c4ccb93f30530bdaed |
| SHA512 | 49b9cfb937e287f990f2d5f4f9ce65fc36dd3a6f43866dc7bed8e18187da4d5202315cf88115f8a01f7d18693a9a532b4c8e46bba31affd027cf89f5aa94e6d4 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe
| MD5 | 7abacc696865563a73baba24293ec0a7 |
| SHA1 | 6f8d0dcde660b42e913ca707e4e4d977c6244987 |
| SHA256 | f33b44a53fb0de9db33cebf44007aa45ee1ac8381cda089eec4e1bcf37781f57 |
| SHA512 | 9919ea036e66822048bd9e688fe6ee3fd1c5659d18d0330b445511bf25e3d6be60d60ddb112a132596b60c820f13cb2ecca6586ecbc3e6c2d85a388677bd8fac |
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.23E-1A4-DC9
| MD5 | 439e7e5093bf547ed58964fc914462fa |
| SHA1 | 73a27a96329baed4edbfe678eea99f6f35f46f4f |
| SHA256 | a3294aad53878776e0f4dbafcd39e662a0c4708fa91066f6b583b6892f6f50a1 |
| SHA512 | 83a5b2662c69501eff851c81f10b8a66ab2ae7723534957842878b14d6f778a709668538527a820b4fe81d52f0dcac9aaf02960c3dd1399644d3305ecdbd8351 |
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo.23E-1A4-DC9
| MD5 | 5f71e4aec8897870213464fef7da9ea8 |
| SHA1 | 0c0e39da24cdbd996e9a5a56eb71d001f8a0dd16 |
| SHA256 | 5a3d59c9e0e303e7a902ecb41a7fa9c66708f1684bdef2293d7beb94a9b7f0ad |
| SHA512 | ea184462ed85a623a5c4de5b76acc1f4eca7a41a912de064b91df5703fdb51a00fa3951c836d00acb657186d365489a07ac119a99a1c2da5bf3630bf82577a71 |
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo
| MD5 | 66b1ea7f716761210d6825591929ec8a |
| SHA1 | 35bbe8a41f39b9f04f89569506acda7f648abb96 |
| SHA256 | 82ef353d5f13bb352f1492a5ce88203d3c9309c6a1516b8dd87c7876e14b7679 |
| SHA512 | 175d5986864fd6ea18d0b7b868cc9e1d17cc7a5b01ae56e3cbfe6290f7f27c006176f1d6d978c9105852ef3dd712c49192586d73707e6580572b457761d9a25b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png
| MD5 | bd0791144e7f3694fccd01dff7ec2de6 |
| SHA1 | 0de0b171e83478f4fe1b335d7e1d26739b6a6a85 |
| SHA256 | d048cb2920a205a3228a92520a0411cfb17b073e4a2dbd607b83f2c23fc75286 |
| SHA512 | 8248944dc031dad8f798dc9842557a77c065689abd674e995fec602d17342db6ba795ea3e3347a717838c4224a4bc9a189ba13649d90327e6eb22450e7c3d95e |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js
| MD5 | 5ca0bb530f202bd8b48a596008c8b4cf |
| SHA1 | d201d8a83c2e85cafa9a27b501402a09f6e066ab |
| SHA256 | 52a6e072894be33c601f0b340c71f1c581a4bcbf1567d1c3d56d5ec7619178be |
| SHA512 | 8e5fc917f528358f3b4f27d2ba1c26b619b0d94d09b7d9447d8beec1ea3a69b783f4b06c3e03a2acb393a0f94217d6d2d7988f2f11b994fa97fc3582e3a01df2 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js
| MD5 | 17e79c0b4b1b5cf1ba9f7bcdf375cce0 |
| SHA1 | 19f23df9cfd836a54c8c2634f2fe00372d32b465 |
| SHA256 | fd8b60cdba84683b902aabcb31ccfca638fdcc4f79c0d933a89039c3eaca6cf4 |
| SHA512 | 80b6b3e5bac2b3ff90b6f9f3a4b1ea83d6ff13477fd2f27adbdfb38be48bddb577bc4e0d133db4f41f107487f47f3182dec27af82dfd7711b59089ab9acc480c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png
| MD5 | 5ec295d3392e43db20d1764b23e7f530 |
| SHA1 | 5cfbfc75f1d9cc3c712ed97b44f3ede2008bb03c |
| SHA256 | 8987959a0e64f4b3833e7a944fa8074c45dc5ad9e2dd2c04acef420281679863 |
| SHA512 | 2b4abb4ba9e7c73975810b9a45ed660ad31defcad4c706343d50ed19782a2ecd621f3c0bf21f58b31f5a3e22a87bdd52b7dd25f3cbf7b0c7c663765729bef711 |
memory/6136-15055-0x0000000000850000-0x0000000000990000-memory.dmp
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js.23E-1A4-DC9
| MD5 | 82da8aa3e6a7c5d8c9c7948ffe3166fd |
| SHA1 | 3e3cd9433f2722beff29513b9122e6dc4015079d |
| SHA256 | f247f41ae6334aa447b19d478196d79412d2524794baa65df29764d1cb3e2182 |
| SHA512 | 66d9d6761a9b937144e7919b6c2194ca7a9793794d24587a1c6815728874e3cc56346a026ad5ea888a680fbb929d6a8b95c4021cc755a4715133f216f0313d90 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js
| MD5 | c41a994e09eb1bef62043a0ab16f3869 |
| SHA1 | 124e20b8d3599afab1dd099a99a3baf43d31be8f |
| SHA256 | 8416f0c5b56b49e5e12bd0b9a5baa302e74816bef8311afd3c0e3e7fbc4e17ce |
| SHA512 | f8b8bf97aeeefa42fd8f6042c1e9d378ab46145896097510ab76ba5ce4a69ac0cf69b402527506f9d171c9d1dc1a83f7d8ddc444b3c3a7f930a025f80bb7b54d |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png.23E-1A4-DC9
| MD5 | f4289e0926fedf274cbf35a579b3fdb0 |
| SHA1 | a13de75aaf54e9b07b4cf89f93ae77ca33dc16d3 |
| SHA256 | e96bb4e3590a8c8e376cd6cce2eca9f5872d55fd09d7e71b1c7b2e1f08003bbf |
| SHA512 | 0bf77a5a78c18bd4712f84544be97cff23520522566058c632d35f4037d8e70e95639efa4a1fe3aef2c02ced806106e2f8a3205125183026cef74dcecf8623a8 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js
| MD5 | 252c33170384643b469f62da2d5e5659 |
| SHA1 | a746865ea611ffebed3e9820482a82cb639c3b4b |
| SHA256 | 1acc6b8b57048680d9543510d294ae7bf2099e4d8c5a3983027e4a2eee2720ab |
| SHA512 | 077c4008174310def5de059d4e2ce3001815100888e52fc431ded34e3a8db768245bfd07c127f21db10405c4dd08992d71807450c74846b6ba0db0946171e76e |
memory/4252-17904-0x0000000000850000-0x0000000000990000-memory.dmp
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif.23E-1A4-DC9
| MD5 | 4de0ee0369d154d941b62b227d83aad7 |
| SHA1 | f734529cff5edf77fdb36672964cb92cfce12554 |
| SHA256 | c82be0ed70a119ad0c4c37b176c0323cf30eb69aecab55284aad277de5fe7c99 |
| SHA512 | 8a2c5a03d1b432a5f744ff0161bd19eb6b1136fded8b8f863b0a2e474c0ba3e30812dbb17efc0f2d1333b0665dc7e40463084ab42335bc08c39f47ad6a903e77 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png.23E-1A4-DC9
| MD5 | ea81e13911e33fd16e32476643806605 |
| SHA1 | 97f6124e87f2a7918bfd3aa2552e20c2ba03d5bd |
| SHA256 | 3227003a2f555f7a1f243c18bcd3c9dfc8005ee71ef2d7d7ae5e0d024c3020de |
| SHA512 | e9b6fe07dc56d5b14159adc5eb3334a74a3627f8e981a89db8fbf1077a4607692ba58e510a9c1e83fee8221a681ec0f9164d28fd234087b6ad16a98c1d8a9d6b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\ui-strings.js.23E-1A4-DC9
| MD5 | 5c9953e3313a41f372181ad1fa7bdcec |
| SHA1 | be1b5b6f361850d699a3a46a91d9aedee8041258 |
| SHA256 | f5163c2e09bda0a3fc84bde713ec488014c31301b5afb4cd2579207a5ba5ae9d |
| SHA512 | c2ae2a4ca134955a87e2e8f69072fa2a1044ed04e8f49ffa2070a9bbbc1c19ab92c1166ed3a58009bd1cd75931cd295f2e05469378fb6d056028bdeaab146dd0 |
memory/3548-19042-0x0000000000850000-0x0000000000990000-memory.dmp
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js
| MD5 | ead2641ed3452f03621f199cb3bd0c87 |
| SHA1 | 28470aaf6dd2685ffbbf3e136bc8856eac3b41cb |
| SHA256 | 455138d410b45e8deaea2fa52a5c1a41e37f694890d49460291af8a01c8e1c5b |
| SHA512 | e60d0820ec241d1d1851fd415646947054dbfd208473f6217e565324378ddf09de484e2792f74cb1ed2a6ae01703b56d13054c65307999c6a677fb982898c8ea |
memory/2936-21230-0x0000000000130000-0x0000000000131000-memory.dmp
memory/4252-21229-0x0000000000850000-0x0000000000990000-memory.dmp
memory/6136-21228-0x0000000000850000-0x0000000000990000-memory.dmp
memory/3548-21233-0x0000000000850000-0x0000000000990000-memory.dmp
memory/5812-21232-0x0000000000850000-0x0000000000990000-memory.dmp