zeppelin | dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2023, 18:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Zeppelinbggaehbcdj18_browsingExe.exe
Size

100KB
MD5

cf5a358a22326f09fd55983bb812b7d8
SHA1

1addcffae4fd4211ea24202783c2ffad6771aa34
SHA256

dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f
SHA512

5e4129009c716286c9a2d85f846c75053d71251c9ab52f440da5a3f1a5cc6d9d7d795753bc7e37ef11353fb694f1c0991d127c28d6cd1188316623aa57cb2e5b
SSDEEP

3072:ge2IWDaNiBBXtw4KLStagKwbzCcO8WWZ5:kIeoiBBXGLSYgZzCx8Wq5

Score

10^/10

zeppelin persistence ransomware upx

Malware Config

Extracted

Path

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note

ALL YOUR FILES HAVE BEEN ENCRYPTED BY "VICE SOCIETY" All your important documents, photos, databases were stolen and encrypted. If you don't contact us in 7 days we will upload your files to darknet. The only method of recovering files is to purchase an unique private key. We are the only who can give you tool to recover your files. To proove that we have the key and it works you can send us 2 files and we decrypt it for free (not more than 2 MB each). This file should be not valuable! Write to email: [email protected] Alternative email: [email protected] Public emai:l [email protected] Our tor website: vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to ours) or you can become a victim of a scam.

Emails

[email protected]

URLs

http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion

Signatures

Detects Zeppelin payload 21 IoCs

resource	yara_rule
behavioral2/memory/4120-148-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/1324-150-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/1324-151-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/4708-164-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/1324-2029-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-2326-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-2717-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-6256-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/1324-8620-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-10026-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-13312-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/1324-15691-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-16362-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-18680-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-18689-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-18691-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-18693-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-18695-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-18697-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-18699-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin
behavioral2/memory/2060-18701-0x0000000000400000-0x0000000000546000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (4438) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 3 IoCs

pid	Process
1324	spoolsv.exe
2060	spoolsv.exe
4708	spoolsv.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4120-133-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/files/0x000a000000023131-140.dat	upx
behavioral2/files/0x000a000000023131-143.dat	upx
behavioral2/files/0x000a000000023131-142.dat	upx
behavioral2/memory/1324-146-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/4120-148-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/1324-150-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/1324-151-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/files/0x000a000000023131-153.dat	upx
behavioral2/files/0x000a000000023131-154.dat	upx
behavioral2/memory/4708-164-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/1324-2029-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-2326-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-2717-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-6256-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/1324-8620-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-10026-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-13312-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/1324-15691-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-16362-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-18680-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-18689-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-18691-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-18693-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-18695-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-18697-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-18699-0x0000000000400000-0x0000000000546000-memory.dmp	upx
behavioral2/memory/2060-18701-0x0000000000400000-0x0000000000546000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	Zeppelinbggaehbcdj18_browsingExe.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.v-society.567-125-A10	spoolsv.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansDemiBold.ttf.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo	spoolsv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar	spoolsv.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.v-society.567-125-A10	spoolsv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\calendars.properties	spoolsv.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\vlc.mo	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\LICENSE	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.boot.tree.dat.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.v-society.567-125-A10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	Zeppelinbggaehbcdj18_browsingExe.exe
Token: SeDebugPrivilege	4120	Zeppelinbggaehbcdj18_browsingExe.exe
Token: SeIncreaseQuotaPrivilege	400	WMIC.exe
Token: SeSecurityPrivilege	400	WMIC.exe
Token: SeTakeOwnershipPrivilege	400	WMIC.exe
Token: SeLoadDriverPrivilege	400	WMIC.exe
Token: SeSystemProfilePrivilege	400	WMIC.exe
Token: SeSystemtimePrivilege	400	WMIC.exe
Token: SeProfSingleProcessPrivilege	400	WMIC.exe
Token: SeIncBasePriorityPrivilege	400	WMIC.exe
Token: SeCreatePagefilePrivilege	400	WMIC.exe
Token: SeBackupPrivilege	400	WMIC.exe
Token: SeRestorePrivilege	400	WMIC.exe
Token: SeShutdownPrivilege	400	WMIC.exe
Token: SeDebugPrivilege	400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	400	WMIC.exe
Token: SeRemoteShutdownPrivilege	400	WMIC.exe
Token: SeUndockPrivilege	400	WMIC.exe
Token: SeManageVolumePrivilege	400	WMIC.exe
Token: 33	400	WMIC.exe
Token: 34	400	WMIC.exe
Token: 35	400	WMIC.exe
Token: 36	400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3496	WMIC.exe
Token: SeSecurityPrivilege	3496	WMIC.exe
Token: SeTakeOwnershipPrivilege	3496	WMIC.exe
Token: SeLoadDriverPrivilege	3496	WMIC.exe
Token: SeSystemProfilePrivilege	3496	WMIC.exe
Token: SeSystemtimePrivilege	3496	WMIC.exe
Token: SeProfSingleProcessPrivilege	3496	WMIC.exe
Token: SeIncBasePriorityPrivilege	3496	WMIC.exe
Token: SeCreatePagefilePrivilege	3496	WMIC.exe
Token: SeBackupPrivilege	3496	WMIC.exe
Token: SeRestorePrivilege	3496	WMIC.exe
Token: SeShutdownPrivilege	3496	WMIC.exe
Token: SeDebugPrivilege	3496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3496	WMIC.exe
Token: SeRemoteShutdownPrivilege	3496	WMIC.exe
Token: SeUndockPrivilege	3496	WMIC.exe
Token: SeManageVolumePrivilege	3496	WMIC.exe
Token: 33	3496	WMIC.exe
Token: 34	3496	WMIC.exe
Token: 35	3496	WMIC.exe
Token: 36	3496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	400	WMIC.exe
Token: SeSecurityPrivilege	400	WMIC.exe
Token: SeTakeOwnershipPrivilege	400	WMIC.exe
Token: SeLoadDriverPrivilege	400	WMIC.exe
Token: SeSystemProfilePrivilege	400	WMIC.exe
Token: SeSystemtimePrivilege	400	WMIC.exe
Token: SeProfSingleProcessPrivilege	400	WMIC.exe
Token: SeIncBasePriorityPrivilege	400	WMIC.exe
Token: SeCreatePagefilePrivilege	400	WMIC.exe
Token: SeBackupPrivilege	400	WMIC.exe
Token: SeRestorePrivilege	400	WMIC.exe
Token: SeShutdownPrivilege	400	WMIC.exe
Token: SeDebugPrivilege	400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	400	WMIC.exe
Token: SeRemoteShutdownPrivilege	400	WMIC.exe
Token: SeUndockPrivilege	400	WMIC.exe
Token: SeManageVolumePrivilege	400	WMIC.exe
Token: 33	400	WMIC.exe
Token: 34	400	WMIC.exe
Token: 35	400	WMIC.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 1324	4120	Zeppelinbggaehbcdj18_browsingExe.exe	83
PID 4120 wrote to memory of 1324	4120	Zeppelinbggaehbcdj18_browsingExe.exe	83
PID 4120 wrote to memory of 1324	4120	Zeppelinbggaehbcdj18_browsingExe.exe	83
PID 4120 wrote to memory of 3764	4120	Zeppelinbggaehbcdj18_browsingExe.exe	84
PID 4120 wrote to memory of 3764	4120	Zeppelinbggaehbcdj18_browsingExe.exe	84
PID 4120 wrote to memory of 3764	4120	Zeppelinbggaehbcdj18_browsingExe.exe	84
PID 4120 wrote to memory of 3764	4120	Zeppelinbggaehbcdj18_browsingExe.exe	84
PID 4120 wrote to memory of 3764	4120	Zeppelinbggaehbcdj18_browsingExe.exe	84
PID 4120 wrote to memory of 3764	4120	Zeppelinbggaehbcdj18_browsingExe.exe	84
PID 1324 wrote to memory of 2688	1324	spoolsv.exe	92
PID 1324 wrote to memory of 2688	1324	spoolsv.exe	92
PID 1324 wrote to memory of 2688	1324	spoolsv.exe	92
PID 1324 wrote to memory of 2116	1324	spoolsv.exe	104
PID 1324 wrote to memory of 2116	1324	spoolsv.exe	104
PID 1324 wrote to memory of 2116	1324	spoolsv.exe	104
PID 1324 wrote to memory of 2848	1324	spoolsv.exe	103
PID 1324 wrote to memory of 2848	1324	spoolsv.exe	103
PID 1324 wrote to memory of 2848	1324	spoolsv.exe	103
PID 1324 wrote to memory of 4960	1324	spoolsv.exe	94
PID 1324 wrote to memory of 4960	1324	spoolsv.exe	94
PID 1324 wrote to memory of 4960	1324	spoolsv.exe	94
PID 1324 wrote to memory of 2420	1324	spoolsv.exe	93
PID 1324 wrote to memory of 2420	1324	spoolsv.exe	93
PID 1324 wrote to memory of 2420	1324	spoolsv.exe	93
PID 1324 wrote to memory of 4500	1324	spoolsv.exe	102
PID 1324 wrote to memory of 4500	1324	spoolsv.exe	102
PID 1324 wrote to memory of 4500	1324	spoolsv.exe	102
PID 1324 wrote to memory of 2060	1324	spoolsv.exe	101
PID 1324 wrote to memory of 2060	1324	spoolsv.exe	101
PID 1324 wrote to memory of 2060	1324	spoolsv.exe	101
PID 1324 wrote to memory of 4708	1324	spoolsv.exe	95
PID 1324 wrote to memory of 4708	1324	spoolsv.exe	95
PID 1324 wrote to memory of 4708	1324	spoolsv.exe	95
PID 2688 wrote to memory of 3496	2688	cmd.exe	107
PID 2688 wrote to memory of 3496	2688	cmd.exe	107
PID 2688 wrote to memory of 3496	2688	cmd.exe	107
PID 4500 wrote to memory of 400	4500	cmd.exe	106
PID 4500 wrote to memory of 400	4500	cmd.exe	106
PID 4500 wrote to memory of 400	4500	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\Zeppelinbggaehbcdj18_browsingExe.exe
"C:\Users\Admin\AppData\Local\Temp\Zeppelinbggaehbcdj18_browsingExe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4960
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:4708
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2116
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:3764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
1KB

MD5
bbcf34cd6da2b72eabeafe2e82846df8

SHA1
e17a5459251d6fdce6184a438752766158337c4b

SHA256
46bb44ee485f8ae3d19c3890f69430c5dc2fa8f88bb13138bbf5073a3c9812ac

SHA512
520b31de32e5e0acbd7c725ef246b6f049b6ad19060b1631c00ab06caa60480128af39016ae40f7c287ec66a0fbc1ffec6ade85fde12d5333792b92dcec957cf

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg

Filesize
22KB

MD5
ba54c4660cfed28166c187d3c13e21b7

SHA1
60ed1025b8469b4f35ccbad9cdf7f78d3ea78df1

SHA256
39c707700eb3519a24a5ba5d2cba3aa9ea96860735df7760e01a1eeb7f8af54e

SHA512
5c2050dbe9b86b2bd08cef8aec33695ed1c80548e8d2642922be8cf0e3576f57e1094bb434911d2f450560d6982669dec2780fa94769bea58eb78beb3087a799

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html

Filesize
17KB

MD5
f415fc6ccc0874cb61d24ab1ecd1b0e2

SHA1
5a97f0cfe6e87dcfca6bdc3bd311b04a6d00fb45

SHA256
126b3706607bef4ebcfc65c88ef43e7f91b116b13dd3fd1db4d1d1267d80586c

SHA512
4ce348659e7d2df173b45d528d48f57757be240ccc12b3d307019a7f280c3dbcd5473d4b29d66390b5c3223a42aa31fa1b90156c82643228b208fe98eb0ac3c5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties

Filesize
7KB

MD5
b67a9b9a95b6031cae92a82ff373078a

SHA1
86de552f3caf211095ae15d5ac81f6138d0df56b

SHA256
a2cd71ae00d5beef1dad25cbe4cbfd9bd97d95dd4a0370571e64982025574b40

SHA512
a1e12458995c4c04e882d191a29a76c8c6ba700e8dc2116d751e7a2ed2eaecc9fd1ad5379db1b26c7499ddafdb1ee3aa31f91f7b6079f5b0686a7afc92158c37

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
5f091ff9fc61c6ba2c55e1096d73c0c6

SHA1
d4e5bf08be3b3674434825820c226b41d3f9ace0

SHA256
d17048e3a999f22e6da43de20d1d892123dff97e3c63aae7455baf63ec5ff816

SHA512
b24e381b31859604b3737990a69a4a0264bc1d9793b3458cd89c6a8993be749d2391f0a4e87756ac61a3dffea38e801e6c03761a0f50e6ca60cb52359e5923b6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
583368806a63c43d7826dc9b856ae628

SHA1
f34261dfbcca1673bc4b5e3de90faf9e288df13e

SHA256
5372096ce57e95ef06c7ee630c3be9b1ba699f4cd32caeb307b16722e251cfa5

SHA512
e393d85dc0d98df280feb0d83d762b2560a0809f51fd5088fb86adbbab8a965281c89f3f647c062098f9ad2b7a405aa1061bdbd0daf3c70fce7a295b49e62c78

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.v-society.567-125-A10

Filesize
13KB

MD5
5b92a012df63dd460bcd10d8e389d225

SHA1
0b20f346d74503d4a7b5bd446ab31bf81091c4e8

SHA256
274f9cb403c9e693f40705d3eb7a67105eb06404d8ecd41eb893694f644b0397

SHA512
df92bbe2e0eb0074970051a638d8aff3dc47755791800361e48ae32360fc796d8aae511b4af028d1a0b452d97c24026eba917e4482bb6fc715982c70ec55093e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html.v-society.567-125-A10

Filesize
10KB

MD5
e6a6e62550e5399ef5bd1adc71196ed0

SHA1
83aea539865d3fce1bc7dcf98fb3ad9f4f86e07b

SHA256
92af3f02b9258bd4e8e3666f73aba82d50529fa95bbeb68b3bb6b0204eefcbd7

SHA512
f4ea478c31cffbd8a7efeeb12a83af8279e8c6da6b2a955458116a5945c367e4bff71367bcc3d7ebca976c9a7edc473bf386ff931bae58cc14661ea2d26f166d

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.v-society.567-125-A10

Filesize
292KB

MD5
a68c6569f94ec61cc60bf08616839941

SHA1
ee42e65a93e13fbc5e162c8f2fbedc0d6f130965

SHA256
f49d416fd6e22925119d38ca5aeb447677e3c701b52a4dac1d64ec6eb650f077

SHA512
ba14885c37cfa831ccdc7909e7401710e4654855f4397bf81a32cae9a5a0bd9ba3fb7bca832e6c5ee6e7937626de5123ec3c10a45141d92fb54da5c5763b1dbd

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
929aba7b44fd9bd6733d6fa4bc40578f

SHA1
3605459bf4cd34eb3d0d1564bcc6512194867d0d

SHA256
baefbf989292752cb31d81125294d86b8a2799d7162daacd21081a4a315794c1

SHA512
5e9875fecc742e82ac022a66230e8eb7e368ff61bd602149bd8ef7eede9e68860a6944ab706306cbf928ffd2711e457e0bbb59b76b1bae81c4a9ab7cc92cd07f

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
48f5737b637fd5f3c702e78fe878f2e0

SHA1
62181d938b1fd15c709c18543e5cea4895556106

SHA256
24e4dbf5d619e0f59b2756afb5dfb9e644f988329d67c9c943c22b82e3295967

SHA512
c6d9251e6c31be920bd5bf579bac3b71a3cbeaa0d822a886f9f2da9152bf0622e9ea0c42f92a40a7fce42bf5af168c5c27257fa2b4ec521659ade23d818ceb94

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
2615b7189a27da3dda217ca01867d4e7

SHA1
86eaf4102dfd9fb15ba08b313d165cf32d4b155b

SHA256
9d77c446d66077e0703bc22786d9f6a206daf74dfdc09d8e598a5b75ee759923

SHA512
77e6fabdc3cceaa1c117078447da829fa5141b7b5286b78608c04aab1cee773d989b04bb9f9f8c71adc3d1afab65db34c29e03806516eaa72e0c90eff85e32bb

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

Filesize
604KB

MD5
237bd7e7ed65aba05165d37544fae618

SHA1
a7a02ead7cb7907bd8b405613177631d23f36c78

SHA256
18cd3dbae72cba326b6db91cfa37e3658aeeb5298d5ca6febd863f01bf524592

SHA512
8b13e9fb3539037ce3b3fa4d5ebee8c31a16cf37e181b9c857a7662d5f90c1bfa5fba6ddb7bf3de8990f4cf26779c9b6a068cb202b3782840a884edb93e3f089

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
ee85e4857ab6e56a049b28a61369485e

SHA1
4498537f1323836036dde86331832a59740b38b6

SHA256
fdedf03645bbeaaefbf34acd3e11d7a414a67c546e6487eff73b44b5cce0d820

SHA512
972d0779fcf62178b1f7975d1304b853bb8bb560ecf70b69d0cb566aa0b19b6fa4c1328016dac247632bfa043f17f3220aabd9ff9ff1d6efbad18d6cdbb3ae2e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
599KB

MD5
cf120a0ac3b412472e79bd38fa40d711

SHA1
69413d48768a7af30c169996ecdd767850108ced

SHA256
ca7e85e203077a207016eabe28fe885d7ecb7b208f8b538d1ce80b0d77309e1c

SHA512
f9825f217890d230513523dd9b29a66f096c81f32f28e100c93f27b08b5aaced66a7b162cdb511961533ca2a966692b314e0a45205359841ec15b87ab1029699

Download Submit
C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo

Filesize
621KB

MD5
aeb14ba5197a65020f3ef9c34827de1c

SHA1
575e4782366df2ab0d260d118992f1a7e5c7b875

SHA256
5793badd402b06afa2e7c3a04fd2f6c3bb9ed658f6cb99db4618f112392e2432

SHA512
e00d267dc9851a7f07e08d4a24e835791c3dede38aed20edc34c166a6bcb184dd67da3d02eb153d2b26ebea05723eb786b850d2ee60bfa26b1f4415ad58ef1a5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
771KB

MD5
83ca8d48e7c2409dad960f4a1af7c050

SHA1
0fe05d5875909a2e3e0d58cd665b2eae7f420a11

SHA256
5767b46fce6942d9e4f0e9ba402b9b47f14c702548067f29b3de6653fc850f35

SHA512
b07f0b55b9e7e63938aa80aae6559ab21092da2111befba2909d4b9bd7479354a947e1a057e6851cbd7c558192362742fb7f4b6d61db21abe2f66d857142ab0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
100KB

MD5
cf5a358a22326f09fd55983bb812b7d8

SHA1
1addcffae4fd4211ea24202783c2ffad6771aa34

SHA256
dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f

SHA512
5e4129009c716286c9a2d85f846c75053d71251c9ab52f440da5a3f1a5cc6d9d7d795753bc7e37ef11353fb694f1c0991d127c28d6cd1188316623aa57cb2e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
100KB

MD5
cf5a358a22326f09fd55983bb812b7d8

SHA1
1addcffae4fd4211ea24202783c2ffad6771aa34

SHA256
dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f

SHA512
5e4129009c716286c9a2d85f846c75053d71251c9ab52f440da5a3f1a5cc6d9d7d795753bc7e37ef11353fb694f1c0991d127c28d6cd1188316623aa57cb2e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
100KB

MD5
cf5a358a22326f09fd55983bb812b7d8

SHA1
1addcffae4fd4211ea24202783c2ffad6771aa34

SHA256
dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f

SHA512
5e4129009c716286c9a2d85f846c75053d71251c9ab52f440da5a3f1a5cc6d9d7d795753bc7e37ef11353fb694f1c0991d127c28d6cd1188316623aa57cb2e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
100KB

MD5
cf5a358a22326f09fd55983bb812b7d8

SHA1
1addcffae4fd4211ea24202783c2ffad6771aa34

SHA256
dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f

SHA512
5e4129009c716286c9a2d85f846c75053d71251c9ab52f440da5a3f1a5cc6d9d7d795753bc7e37ef11353fb694f1c0991d127c28d6cd1188316623aa57cb2e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
100KB

MD5
cf5a358a22326f09fd55983bb812b7d8

SHA1
1addcffae4fd4211ea24202783c2ffad6771aa34

SHA256
dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f

SHA512
5e4129009c716286c9a2d85f846c75053d71251c9ab52f440da5a3f1a5cc6d9d7d795753bc7e37ef11353fb694f1c0991d127c28d6cd1188316623aa57cb2e5b

Download Submit
C:\odt\.Zeppelin

Filesize
513B

MD5
5d0187ffdf87419fc8f56f58ad65b092

SHA1
1ca27fd360d3d7a42b600de4a047adb2aca31e80

SHA256
2e64b7e05eab9618681023654d37ee007df4592e082b5a78ad88c6b05f73dc12

SHA512
6072ba29bb6da96f42c2461b67bea643b4ddefbd4fab96c1397164c038ff4d9f7cd5ca6733acc685ccf90cb274d8796a9b72da535af036bcbc6d029fbc749c58

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
57450c0c359a521bb024e5e2f13647d1

SHA1
939ead6a737d04c34d8bf1930414920931961a92

SHA256
f01979dd7997ee51faef1810a714a7354af2d1e994527afc160c7d316b43822b

SHA512
cc96f29da60f6d15f9423b9f65d76116907d566c478a77622c8ee74101b6c34d9ffa0bed01daddf449c583e8b02a05a406a9ce3ec267c7ef5c96f11b04482469

Download Submit
memory/1324-150-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1324-15691-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1324-8620-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1324-146-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1324-2029-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1324-151-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-18691-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-18693-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-10026-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-18701-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-6256-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-18699-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-18680-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-13312-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-2326-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-2717-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-16362-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-18689-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-18697-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2060-18695-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/3764-144-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/4120-148-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/4120-133-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/4708-164-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download