aeb36aa6d3eb358179aede6e745ed1079e5e358021ba7a2067780f94525fadb2

Resubmissions

03/05/2024, 19:40

240503-ydhb3adh4v 6

03/05/2024, 19:38

240503-ychw7sdh21 6

03/05/2024, 19:28

240503-x639kagf87 6

Analysis

max time kernel
114s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zulu2021_x64_ru.msi
Size

206.4MB
MD5

e260569b5a0e6f095e05ce8dac46db99
SHA1

2649b0409a76e8552b995597bf2a166812b4be23
SHA256

aeb36aa6d3eb358179aede6e745ed1079e5e358021ba7a2067780f94525fadb2
SHA512

d2629ee23c5351f36feafb466ac870797140722d05d79f9891fc46e491dff8d650130e7772dd998e85c0092bc5f7bc34674c5e5e6135e31227e2b214bae0196f
SSDEEP

6291456:sze6qDEqmeopAntDHavQPkhNjK02C5uQN6E:szehER7poD6IMhNO78uQN

Score

6^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
11	3392	msiexec.exe
16	3392	msiexec.exe
20	3392	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\poi-polygon.b01	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\railway-station-point.b04	msiexec.exe
File created	C:\Program Files\ZuluGIS\lang\Zb.en.lang	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.b00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Gaz\Gaz_v\Gaz.d04	msiexec.exe
File created	C:\Program Files\ZuluGIS\Drain.dll	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\water-polygon.lnn	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Magistral\Quart.b01	msiexec.exe
File created	C:\Program Files\ZuluGIS\zulurep.dll	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\landuse-polygon.sqlite	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Magistral\Teplo_zt.tl	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\building-polygon.b03	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Drain\Sample3\drain.l00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\TEXT.b01	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Ctp\ctp.zmp	msiexec.exe
File created	C:\Program Files\ZuluGIS\Preset\osm\MapQuest.zww	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Steam\SteamNetwork\par.d10	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Ctp\seti_Len.b02	msiexec.exe
File created	C:\Program Files\ZuluGIS\lang\zpump.en.lang	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Drain\Sample2\drain2.zsx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Steam\SteamDevices\par.d09	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\highway-line.b05	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\poi-point.b07	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Drain\Sample1\drain.b03	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Drain\Sample2\drain2.b04	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Thermogram\out.b04	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Ctp\seti_Len.l01	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\vegetation-polygon.b06	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\WaterHammer\Append\append.b00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Defect\defect.lnn	msiexec.exe
File created	C:\Program Files\ZuluGIS\Preset\osm\OpenStreetMap.zww	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Steam\SteamDevices\par.d03	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Magistral\Teplo.l00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\teplosam.sqlite	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Hydro\Sample1\water supply.b04	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Hydro\Sample1\water supply.d05	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\WaterHammer\Append\append.b04	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Gaz\Gaz_v\Doma.zx	msiexec.exe
File created	C:\Program Files\ZuluGIS\ZuluGaz.chm	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\highway-line.lnn	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\TEXT.zsx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Building\TEPLO\ARM_T_UZ.d10	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\highway-line.l00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Drain\Sample1\drain.b01	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Hydro\Kvartal\voda_rezerv.zsx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.b01	msiexec.exe
File created	C:\Program Files\ZuluGIS\Preset\2gis\2gis.zww	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\railway-line.zsx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\railway-station-point.b06	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\QUART.b10	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\teplosam.b08	msiexec.exe
File created	C:\Program Files\ZuluGIS\Plug-Ins\Politerm\FindArm.plugin	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Steam\SteamDevices\par.b08	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Steam\SteamPipe\par.b00	msiexec.exe
File created	C:\Program Files\ZuluGIS\lang\ZuluChrt.en.lang	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\WaterHammer\Simple\Test_wt.wt	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Hydro\Kvartal\voda.b08	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\landuse-polygon.b03	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Building\TEPLO\PROCH.zsx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\DOMA.b00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\poi-polygon.zsx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Magistral\Teplo.d05	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\WaterHammer\Basic\VODA.zx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\WaterHammer\Append\append.d06	msiexec.exe

Drops file in Windows directory 62 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{A5FCA64A-E586-4777-A1A4-8C3C7941D98E}	msiexec.exe
File created	C:\Windows\assembly\tmp\AFNTPT51\Zulu.Interop.ZuluLib.dll	msiexec.exe
File created	C:\Windows\Installer\e57b0a5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140fra.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\vcruntime140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140cht.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140kor.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfcm140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D0A.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140esn.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\msvcp140_2.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b0a3.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\concrt140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140deu.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\msvcp140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\msvcp140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	msiexec.exe
File created	C:\Windows\assembly\tmp\EZLLD6G0\Zulu.Interop.Zb.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140cht.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140deu.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140fra.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\vcruntime140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140chs.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140ita.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140rus.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfcm140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\vccorlib140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI225A.tmp	msiexec.exe
File created	C:\Windows\assembly\tmp\5ZUTEEKU\Zulu.Interop.zuluui.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140enu.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140u.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140u.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\msvcp140_2.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140chs.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140esn.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140jpn.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140kor.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140rus.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfcm140u.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\{A5FCA64A-E586-4777-A1A4-8C3C7941D98E}\Company.ico	msiexec.exe
File created	C:\Windows\Installer\e57b0a3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\concrt140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140ita.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\assembly\tmp\DMH538RO\Zulu.Interop.ZuluComNetOcx.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140enu.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\{A5FCA64A-E586-4777-A1A4-8C3C7941D98E}\Company.ico	msiexec.exe
File created	C:\Windows\assembly\tmp\GBLCV2US\Zulu.Interop.Zulu.dll	msiexec.exe
File created	C:\Windows\assembly\tmp\OJSILBDY\Zulu.Interop.ZuluOcx.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\vccorlib140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F88.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CCA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfc140jpn.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A46ACF5A685E77741A4AC8C397149DE8\10.0.8880\mfcm140u.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	ZuluOPCService.exe

Loads dropped DLL 5 IoCs

pid	Process
3872	MsiExec.exe
3872	MsiExec.exe
2464	MsiExec.exe
2464	MsiExec.exe
3316	MsiExec.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{30C0B93C-873C-11D3-BF56-D212EB700DCD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125070A8-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507454-11DD-4DDC-AFDA-3007DB025F4D}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B730-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluChrt.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507502-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluComNetCtrl.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507511-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507511-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluComNetCtrl.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B959-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507025-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1250748F-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507139-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1250713F-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507504-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1250751C-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507094-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125070A4-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507136-0B01-11D2-B55D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125ED011-16FE-4E3D-90B0-195EFCF6E174}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250746E-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250713C-0B01-11D2-B55D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250713F-0B01-11D2-B55D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250744D-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125074C1-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125074C6-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{30C0C928-873C-11D3-BF56-D212EB700DCD}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1250747B-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250737F-0B01-11D2-B55D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507436-11DD-4DDC-AFDA-3007DB024F4D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125070B2-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507363-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\Zb.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250751C-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125074D6-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507387-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250712B-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluCtrl.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507413-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125073B1-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{30C0C937-873C-11D3-BF56-D212EB700DCD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507454-11DD-4DDC-AFDA-3007DB025F4D}\LocalServer32\ = "\"C:\\Program Files\\ZuluGIS\\zvstahost.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507387-0B01-11D2-B55D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507133-0B01-11D2-B55D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507475-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507342-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\Zb.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B730-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507444-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0C928-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0C937-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507436-11DD-4DDC-AFDA-3007DB024F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B72E-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250708E-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507415-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125074D6-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507435-11DD-4DDC-AFDA-3007DB024F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507502-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B72D-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125ED013-16FE-4E3D-90B0-195EFCF6E174}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B94D-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\zuluui.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507071-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507071-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125070A4-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125074DF-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507454-11DD-4DDC-AFDA-3007DB025F4D}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1250708E-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507223-0B01-11D2-B55D-444553540000}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250713C-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluCtrl.dll"	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d9d47eb9a1a06eb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d9d47eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d9d47eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd9d47eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d9d47eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ZuluOPCService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ZuluOPCService.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ZuluOPCService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ZuluOPCService.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{12507065-0B01-11D2-B55D-444553540000}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\zulu.zwwfile	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Zb.Database\CLSID\ = "{12507363-0B01-11D2-B55D-444553540000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12507220-0B01-11D2-B55D-444553540000}\a.0\0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507464-11DD-4DDC-AFDA-3007DB025F4D}\TypeLib\ = "{12507020-0B01-11D2-B55D-444553540000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{125070D5-0B01-11D2-B55D-444553540000}\TypeLib\ = "{12507020-0B01-11D2-B55D-444553540000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507096-0B01-11D2-B55D-444553540000}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507023-0B01-11D2-B55D-444553540000}\MiscStatus	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A46ACF5A685E77741A4AC8C397149DE8\Feature.ZuluThermo	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A46ACF5A685E77741A4AC8C397149DE8\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B92C-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\zuluui.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{125074E0-11DD-4DDC-AFDA-3007DB025F4D}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250744D-11DD-4DDC-AFDA-3007DB025F4D}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ZuluLib.ZRasterGroup	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ztt\ = "zulu.zttfile"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30C0B710-873C-11D3-BF56-D212EB700DCD}\8.0\0\win64	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{125070F0-0B01-11D2-B55D-444553540000}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507342-0B01-11D2-B55D-444553540000}\ToolboxBitmap32\ = "C:\\Program Files\\ZuluGIS\\Zb.dll, 1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C0C938-873C-11D3-BF56-D212EB700DCD}\TypeLib\Version = "8.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C0C927-873C-11D3-BF56-D212EB700DCD}\ = "ILegendCtrlEvents"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507457-11DD-4DDC-AFDA-3007DB025F4D}\TypeLib\ = "{12507220-0B01-11D2-B55D-444553540000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{30C0B713-873C-11D3-BF56-D212EB700DCD}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507137-0B01-11D2-B55D-444553540000}\TypeLib\Version = "a.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507516-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluComNetCtrl.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B92C-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{30C0B93C-873C-11D3-BF56-D212EB700DCD}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{125073B7-0B01-11D2-B55D-444553540000}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250751C-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluComNetCtrl.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{30C0C938-873C-11D3-BF56-D212EB700DCD}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507023-0B01-11D2-B55D-444553540000}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B72D-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B730-873C-11D3-BF56-D212EB700DCD}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B712-873C-11D3-BF56-D212EB700DCD}\Programmable\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{125074C8-11DD-4DDC-AFDA-3007DB025F4D}\TypeLib\ = "{12507020-0B01-11D2-B55D-444553540000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507520-11DD-4DDC-AFDA-3007DB025F4D}\ProgID\ = "ZuluComNetOcx.TaskGaz"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507070-0B01-11D2-B55D-444553540000}\TypeLib\Version = "a.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{30C0C92D-873C-11D3-BF56-D212EB700DCD}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1250752C-11DD-4DDC-AFDA-3007DB025F4D}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507521-11DD-4DDC-AFDA-3007DB025F4D}\TypeLib\Version = "8.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{125074C5-11DD-4DDC-AFDA-3007DB025F4D}\ = "IPrintToRasterParams"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507443-11DD-4DDC-AFDA-3007DB025F4D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{12507341-0B01-11D2-B55D-444553540000}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507514-11DD-4DDC-AFDA-3007DB025F4D}\TypeLib\Version = "8.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507086-0B01-11D2-B55D-444553540000}\TypeLib\Version = "a.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1250744F-11DD-4DDC-AFDA-3007DB025F4D}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507022-0B01-11D2-B55D-444553540000}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507090-0B01-11D2-B55D-444553540000}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1250736F-0B01-11D2-B55D-444553540000}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{30C0C928-873C-11D3-BF56-D212EB700DCD}\Version	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250751E-11DD-4DDC-AFDA-3007DB025F4D}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{12507369-0B01-11D2-B55D-444553540000}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\zulu.zrpfile	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zulu.zrgfile\shell\open\ddeexec\application\ = "Zulu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C0B721-873C-11D3-BF56-D212EB700DCD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Zulu.Chart.Document.5\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507502-11DD-4DDC-AFDA-3007DB025F4D}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250749C-11DD-4DDC-AFDA-3007DB025F4D}\ProgID\ = "ZuluLib.FillStyleElement"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ZuluLib.Contour\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B72A-873C-11D3-BF56-D212EB700DCD}\MiscStatus\ = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{12507360-0B01-11D2-B55D-444553540000}\a.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zulu.zwwfile\shell\open\ddeexec\ifexec\ = "[]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507436-11DD-4DDC-AFDA-3007DB024F4D}\ProgID\ = "ZuluOcx.PpgMapToolBarButtons"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1250746F-11DD-4DDC-AFDA-3007DB025F4D}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507485-11DD-4DDC-AFDA-3007DB025F4D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1296	msiexec.exe
1296	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3392	msiexec.exe
Token: SeSecurityPrivilege	1296	msiexec.exe
Token: SeCreateTokenPrivilege	3392	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3392	msiexec.exe
Token: SeLockMemoryPrivilege	3392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3392	msiexec.exe
Token: SeMachineAccountPrivilege	3392	msiexec.exe
Token: SeTcbPrivilege	3392	msiexec.exe
Token: SeSecurityPrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeLoadDriverPrivilege	3392	msiexec.exe
Token: SeSystemProfilePrivilege	3392	msiexec.exe
Token: SeSystemtimePrivilege	3392	msiexec.exe
Token: SeProfSingleProcessPrivilege	3392	msiexec.exe
Token: SeIncBasePriorityPrivilege	3392	msiexec.exe
Token: SeCreatePagefilePrivilege	3392	msiexec.exe
Token: SeCreatePermanentPrivilege	3392	msiexec.exe
Token: SeBackupPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeShutdownPrivilege	3392	msiexec.exe
Token: SeDebugPrivilege	3392	msiexec.exe
Token: SeAuditPrivilege	3392	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3392	msiexec.exe
Token: SeChangeNotifyPrivilege	3392	msiexec.exe
Token: SeRemoteShutdownPrivilege	3392	msiexec.exe
Token: SeUndockPrivilege	3392	msiexec.exe
Token: SeSyncAgentPrivilege	3392	msiexec.exe
Token: SeEnableDelegationPrivilege	3392	msiexec.exe
Token: SeManageVolumePrivilege	3392	msiexec.exe
Token: SeImpersonatePrivilege	3392	msiexec.exe
Token: SeCreateGlobalPrivilege	3392	msiexec.exe
Token: SeCreateTokenPrivilege	3392	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3392	msiexec.exe
Token: SeLockMemoryPrivilege	3392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3392	msiexec.exe
Token: SeMachineAccountPrivilege	3392	msiexec.exe
Token: SeTcbPrivilege	3392	msiexec.exe
Token: SeSecurityPrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeLoadDriverPrivilege	3392	msiexec.exe
Token: SeSystemProfilePrivilege	3392	msiexec.exe
Token: SeSystemtimePrivilege	3392	msiexec.exe
Token: SeProfSingleProcessPrivilege	3392	msiexec.exe
Token: SeIncBasePriorityPrivilege	3392	msiexec.exe
Token: SeCreatePagefilePrivilege	3392	msiexec.exe
Token: SeCreatePermanentPrivilege	3392	msiexec.exe
Token: SeBackupPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeShutdownPrivilege	3392	msiexec.exe
Token: SeDebugPrivilege	3392	msiexec.exe
Token: SeAuditPrivilege	3392	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3392	msiexec.exe
Token: SeChangeNotifyPrivilege	3392	msiexec.exe
Token: SeRemoteShutdownPrivilege	3392	msiexec.exe
Token: SeUndockPrivilege	3392	msiexec.exe
Token: SeSyncAgentPrivilege	3392	msiexec.exe
Token: SeEnableDelegationPrivilege	3392	msiexec.exe
Token: SeManageVolumePrivilege	3392	msiexec.exe
Token: SeImpersonatePrivilege	3392	msiexec.exe
Token: SeCreateGlobalPrivilege	3392	msiexec.exe
Token: SeCreateTokenPrivilege	3392	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3392	msiexec.exe
Token: SeLockMemoryPrivilege	3392	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3392	msiexec.exe
3392	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2800	ZuluOPCService.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 3872	1296	msiexec.exe	87
PID 1296 wrote to memory of 3872	1296	msiexec.exe	87
PID 1296 wrote to memory of 3872	1296	msiexec.exe	87
PID 1296 wrote to memory of 1340	1296	msiexec.exe	99
PID 1296 wrote to memory of 1340	1296	msiexec.exe	99
PID 1296 wrote to memory of 2464	1296	msiexec.exe	103
PID 1296 wrote to memory of 2464	1296	msiexec.exe	103
PID 1296 wrote to memory of 3316	1296	msiexec.exe	105
PID 1296 wrote to memory of 3316	1296	msiexec.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Zulu2021_x64_ru.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3392

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 965AD65B4680893F1DBA0C5FE252981C C
  2⤵
  - Loads dropped DLL
  PID:3872
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1340
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 2BD7A267348E121440F28881C9D0D73F
  2⤵
  - Loads dropped DLL
  PID:2464
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 0774EE4AE917039480B5A382632A0A51 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4120

C:\Program Files\ZuluGIS\ZuluOPCService.exe
"C:\Program Files\ZuluGIS\ZuluOPCService.exe" /s
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b0a4.rbs

Filesize
366KB

MD5
627f8fa535896d717a7cff1ca2e8a704

SHA1
6c426e3daaf515830372ffa2027a520b06015ddb

SHA256
eb5ef38ac5b8bfb6a0f3201c085034951da8b4bdb18a56b62f46ab179683b258

SHA512
c0498c2c3546a700e65f2ca4c6ed42e23e011ae142aaf20f29c9f38a10cf9588f9e7903987499217370bb07bb8f9a50e7d9b42e07dfe18d4d8cd362099f4c28e

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0000.b00

Filesize
1KB

MD5
770b47295299695fae4d794d87987d6b

SHA1
6ae95ba0a5d61206ee5c68e384f508437a3c598c

SHA256
b8849cc460347c9793461e51fe05bce22bdac9e4078fbe367e2a11a87f97d4f1

SHA512
ea27995cafd9ca7c58eeb43656fe7b9af7668578d656eaaf7417f6a20136942fa3e46a260680f621fff13d9bf918c9372081912a220baf66d40d34d517d8c6f4

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0000.b01

Filesize
14KB

MD5
51099112deebf361202a630e11ed3604

SHA1
fa6f1ea1e79e2337c38b50b302b67e3e4518a1e1

SHA256
9c207e50a8089fbedb2efac349be873dfc384d6d1c4e48f28bc9979ff9824bbb

SHA512
f50e9558291b0ca236b0e5620a156caa0e6eb336eaed73fb62379c978d39d81bb9ec70ef4acd731cfe247c71fd33420a7006c83de602b94024edb1551cc5e765

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0000.b03

Filesize
1KB

MD5
23808b2a178aaccda6d6daa856b2ae82

SHA1
211794eb6dda93fc2d5b01c8d39252c1aa934d50

SHA256
826e6c98e4edd2b160ed65c1805a0ba39937b2c887577d636847fcfa740ace89

SHA512
82a2d01ea84a03b86451e1eef724b3cc22dbc8782ce62b40913e8c04e98fd0a2e48aea986f143513d8030eea66d7a072984f91fb30ffdf6d8940c1d96f4b512b

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0000.b08

Filesize
3KB

MD5
e6b3ce9e1a3d0fb6015d05d199076d75

SHA1
7915101843609316ab3eb0b021304a2c54f14267

SHA256
1a39313f6597fc5b21a62a6f71aec4c51c0ac6cc7aaa059616d1ee586e8ee8a3

SHA512
0923dab42017277f58d129cc9efbb0433f8a138dd78ebf336f8e53efd1a192c77467ae860dc24e187a6abfc35a8ffff54ad64a10fcb5249f286f4e077a6550bc

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0000.lnn

Filesize
38B

MD5
49ec08889f847bff3e59b4a84261b35a

SHA1
32f3f45adf3df781b11ef7c6266484f4f54861ee

SHA256
da7750d0303bbc021dedd0bc871b1931497abbe9245c633c6e2b045d2fed6ab6

SHA512
9344c9857210838a4986a23b0fe02e08e5d83d3841f0454620bd1736249181eb5ff7730539969f33834713ac16df888d186c3faa7496fcdde3de96dbb5b2258f

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0000.zsx

Filesize
10KB

MD5
687e146a591f5f0b597b9ef034cbae78

SHA1
3cb55d43644ebf2cf5a1be8c3e0410da3d103040

SHA256
a2b750ebce746c38d091dd403933dc6b630cc2ca01e7c870fa4291bf3cabe6dc

SHA512
5490a9af9cee9638b209382d3317df7012d7a991c3d85be50cf866a5f9e1ad87ad0e34a64bce2cfd7542cbd698d2c9269e6e8739dfb491827ae7ba9ed9912089

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0000.zx

Filesize
34KB

MD5
fab7828808d5a29de6bba3c7db435e0c

SHA1
a8c15eb81752291cb6eee2223e3d22de853899a1

SHA256
3a982a7f8f8c51834c8dafe984339a56f1b76966a209d8e7e9fb9a509ea03bd6

SHA512
69e568a2c6736b866e8f1d34f1a3580b8a518a58517d8456ccc657b4cbe2a1127c56db02c9f5158d703edbec74f947802811f30804973697a021e53b157debf2

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.b00

Filesize
1KB

MD5
5651e27ea2f425430dce0686853a0325

SHA1
5a02c265b584da5a1c16c478be8ba0d48e492622

SHA256
16e47011ca9a5cb5ec20be99b2e4c458ba93f7aff9245534700d4cd8dce0d231

SHA512
be234de9cc7ac1a2d9af7f0f9b58ce33018d59bbb950d354314d629effef9a2c376051a9843259eb68b58c611dc21195570ff59833af6dbc092b875acdbff704

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.b01

Filesize
47KB

MD5
4424eaa1073cee249681d0f3eb469279

SHA1
92e379037c37afb525f18cdc0b69d748837e72b4

SHA256
cb8ea05155543df54879c3ef4fe446a73a847b39bf0c071aa4597e12badc0c72

SHA512
d036aae7f02836496263fe268fdba2c372bd066620456fa3dfbe1996049cd150dc9f33d490353582c427c82d486bae4581cf9808aef55f3610cca25cf2043994

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.b03

Filesize
1KB

MD5
3654fe7c94811ee5e3cf92b987f83546

SHA1
dfe7af8ade58e5b18aaaa8b8a9d21923ead72fec

SHA256
ba29c99064de5866f587a1902487efcc9766afe03d7680e443f6734a4d389f61

SHA512
ad6941e3dd662a5ce70a1fc26b362e21dfb850927c00375e78d31008adcc56feae81de4cfc24dd17dbec6df0b78862b0fed07bd597aa0004e9f00f2e118544e4

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.b04

Filesize
3KB

MD5
6312791190bba690e0e83a77392e7d39

SHA1
73a94d924ef63eb9af930470c81d61bbed499d20

SHA256
b3068b9fe4e2f6fee27f8399d2c7196810ea3bafeeed656be0bafd814a485e39

SHA512
8ef0bcb964a9ad1c14cea0079473bec6a0af49cee0f35961dde6c1c146a5239d6f18035cd9e6365de555835e3115961fa9ee657ee127d49fae6f9ffee6aa9dbe

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.b06

Filesize
26KB

MD5
bedc8ac6e69cc6bb571ccc884776ad80

SHA1
ed9de0f291db71772336dfa0067189547c00a651

SHA256
e3e6e1d22aeb016391b260cd9d39f4d001c2ff49c0de18b8732194a7994fca05

SHA512
162146848b229e97bc9bf59efa8c2b884be43c6b1c7996de7918c433fd017eef1d000142ca7ddd4b6287c2964cd8149734de39a49c541ecb809dece8af561e8b

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.b07

Filesize
65KB

MD5
36030462c2e563094f5002c547b43278

SHA1
e94847fdd9440f57d5d34fc72f7440cb8d55e8cb

SHA256
e6c290ca71d4f60dc9205bfd004120b4c2650c598ef396aa0fd2975abb5184b7

SHA512
09b027283463c696009dec72ff12d695916fbec4a23f2ab8819e418f8a67c7f044d1da022990c5b9876ea7c783a761ba8b53f1b2fb15c9a10ab4fdd623cd6342

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.b08

Filesize
3KB

MD5
3afc8983828adc2c3ea7c6a158dc73b4

SHA1
a55e7e91b3419962010de87fc6a77e3ce9d559a8

SHA256
b1e2da0efbbedb198e742c17339ccea9597c696910b911db22139d4af98879fa

SHA512
3d252b8b59e18b2168a495406f1aa7973602a31dce7e4fa4903a723516907f8a0b6ee493232b9e61092c7ee37f351890bec02f933165408a1ba161dd9f627007

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.lnn

Filesize
38B

MD5
31b23b286d630e3b5b4018ebcbd3a147

SHA1
f23792a91d877e92f477bfd955d129c4434d2f45

SHA256
5ddecafa45271397c2843a94d9ba3efc8b654bdebaa9a9b557ec7fbf94b11ccb

SHA512
c273d4ee2e0b504d08ea9cbe5c6f4dc35e0b47f45d3cc17b56c4e4487c7ef32ec36a386fad77bca9a2f7f1b545f67452fb5a35a2b584bcf9a0aa555e4a5261b6

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.zsx

Filesize
11KB

MD5
adad96ad1c56f0d43000c4142e838fc0

SHA1
fec455f9192bbdc1f2573fe2955dbfa2340e8c59

SHA256
f063f1526258e6cfcba27e6a7735b1c9cd1698bbc7da409ebdc57e3642a1177f

SHA512
b73030cabdc33e12d993fcca6646edfa532450515bab97a1b34c415f0b299e982aeecbeb610277122d05c8d4477be1ad38d3493e22d86c2988e383c4f837caef

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.zx

Filesize
36KB

MD5
349a463f39d10dfc3684d007c271e312

SHA1
fd1f184896509e7d0d0843106d3070ba71d11c6f

SHA256
03e7804ff8897d1efa1837fe6e60abbfef3754418fb521a0c01cf5c3464d0ff0

SHA512
50f655761de455973c1740b8e57d758953924d528b85ba0287d18c6a66b445b9930a510c42e5e5fe4ac39da483f70f8e3a7e233addb143ba41e0ff538d1fdcce

Download Submit
C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0002.b00

Filesize
1KB

MD5
8fa880a0817c5f8901c3d28a9ab84cb4

SHA1
9727e6bf8f81911a3db2409cbe0b2b1ba6cbcf9c

SHA256
29dcbcd2f9fdc0ce71f725248e924a79196d50cfc4a31befb3f720574a32d4b3

SHA512
a03f7487572823f2675c7edfff78aff9a36c2a991528a3a37dc343c94922da6333e313ed093994e751c2288028e37303f6009b0bbd8ca61a9763eac07d4c242f

Download Submit
C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\highway-line.zx

Filesize
457KB

MD5
bacdcfc6cdeaf578bbb559db324f2872

SHA1
843f504c83e34c176f2bb68678bd2665c050e230

SHA256
54539c5b2259e5fe90c2371600abe4cd3b2e8057fb25ff52f6408e611ddf96c3

SHA512
8098a21c133121cfa7a71b0e5b73da0d02f36c5db3fe117f96815763120890642307a2565ec0e15cad148898165bc4ba78346a0332ff75751c4e07a2120ff8b3

Download Submit
C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\landuse-polygon.b04

Filesize
55B

MD5
0ab8bac388159d1b920aeec7a49c93ef

SHA1
12205fcafdd935f4c71fcd90fffb50bad3d22565

SHA256
b49d2a3d6714a9ce670ee76500f9d44b94e6b6d171150595eb8f285705f291ea

SHA512
1e272123fe3dfcc3e7d30120d9f06688532a802b34faf14faed02a33d0eaf35d7a1163a3d94f7d6569e8b43e09ce92325c1785333f2eb96dea31caea110cdeba

Download Submit
C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\poi-point.b06

Filesize
26KB

MD5
cc9791ab71953156fdbe2b084a956527

SHA1
1acb05465f7ce00ea527920e262605fbbd8f3fc7

SHA256
2c1e5a602d3223701a298d5b0773398764b5007c3c794fb112c5fee47953511d

SHA512
b1cbf53dedab47496836f62267b0787e64288043bb9ee3f05f5885c0479a5899c5b63525d9e201793f87d572cbeddefcc512d309bad6dc9f08e95b1daaf2683c

Download Submit
C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\poi-point.b07

Filesize
65KB

MD5
cd315edd9ed6c69231c975b5951fe1fe

SHA1
0b6724cddf3e8e734342889c0114021f35e62210

SHA256
d00fc04f0cef268395b1b70ead71fac3d5ab88dc2d0d4efa246459c1ea3532a2

SHA512
a397d12eef734612f08b042650e4974de38c675dce29bb842acd76d3dcd2853e76543a86b3f5be14d5c126a73f1a826ca8ff5603bb01c462665ff0d2d80b1582

Download Submit
C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\water-polygon.b08

Filesize
4KB

MD5
b7b2d5f279d00305be7272a4e0434b7d

SHA1
35f7b2211c92259a404ac7ceb0d7b9f032cd12c5

SHA256
8ac5b6dc8133f93fd0dfa458c6900feda2d58ccfdb7620bfade5ae706e28ee84

SHA512
5510173f8f6a8546c7a9b075482aba5dd0fff5e3d890deba0aa6884f3709969fa78b43b1bd309ab8b120847ce888126b04d8d300d666e5555834ac62212772c6

Download Submit
C:\Program Files\ZuluGIS\Examples\Thermo\Ctp\kvartal.b02

Filesize
22B

MD5
ad4936d83feec0c4cd6ded31d0a38142

SHA1
0e7c4290874abff8f5227d4720d42ec6a84849b1

SHA256
254735a72c65fb423e14f978a1b80f64b4c2497caedece0219a4b220a57acf65

SHA512
860e57f9c88bff08cf91cafb4b8f31e232f9738c38f53ed0e0065c68e44a2a697c7e2ee0a2e616d709b8cf80f078c1870449e7f1bb555f0a6ce874fade57c721

Download Submit
C:\Program Files\ZuluGIS\Examples\Thermo\Nasos\teploNS_zt.tl

Filesize
7KB

MD5
cb5bb50c5e8a16fa17079b9cd9409f75

SHA1
be552bcb35726224aa7a3a11b22b71df5acdb074

SHA256
403a92f1a110c973518524cb7a047b23be2de7018abce701456284511847811e

SHA512
60f12d56c3db2f354315f2e9562f642231311684db84508dc1e2848c50050a133da69643e0454b5ba8bd93cf7dea9b09ff4683a12899ca1f0c83200cfc8a22bf

Download Submit
C:\Program Files\ZuluGIS\Examples\Thermo\Thermogram\building.b02

Filesize
8KB

MD5
82abdb8a01f4597ffab920abac75df7a

SHA1
76ccf54430958cffe3e4b3bb1043ee6ccb1c373f

SHA256
91e91b093b374d082562b709247d2037c99500d968d5a69d3f32c624b0592ec1

SHA512
3a0e60a85451e891ab4e5b261a0550801cd8875889e6b4e0d3de78d955da1eedb57fd4d8d7bb969462ab7f6a14775c6573a541d8517bbb7aeeca78d2482d0726

Download Submit
C:\Program Files\ZuluGIS\Macros\LocalToGaussKruger.vbs

Filesize
4KB

MD5
5b89b74b4d879e2e600abd6726d78c90

SHA1
fa4da8e617516770ccbf7f90fb9318ce550bdf2f

SHA256
1e9a6a6498e6c516b2656056d41ed977ea568387edc14fa3656c584557306e4d

SHA512
d91f6a7d4a4be11568e084cc657a7f11f4d19c734ef221115dc0cf4915db6b866f37987d1f7b7f46e4888242047cc9f9b617ad52d97ed1b6852341306c854ee7

Download Submit
C:\Program Files\ZuluGIS\Preset\2gis\2gis.zww

Filesize
215B

MD5
adfb050dbeb03008b4c017746609e8fd

SHA1
6349cae9a9fc19aa2ab3b673f5ff5d8d79678523

SHA256
b3ff45248d31e6ebc658f57f84a7c2871e64c3ed00fbc8f30982dde70e975779

SHA512
40ff164b0e1f004d4e9471f5c45ea902bdc430b04b0c05fff53a11cfdca02d569b65f1fd08a760261b84493633783f88a0c2585ff223ea8e38950f580a15007e

Download Submit
C:\Program Files\ZuluGIS\Preset\arcgisonline\NatGeo_World_Map.zww

Filesize
302B

MD5
86543fdd0fef9ad9cacc540a0f69389e

SHA1
29c3aebcc4e9df5f36e976e0f77b4ae7c46fd61b

SHA256
510f2347e9b5b1e0539577abb1e037acfdd75a8ea3909bc68491f1c220285a1d

SHA512
263d0e8f806c8f7a76aa9a613fb7949763e1ee3362f59574c76d5ebb7fc8fce3357b5bd129e027a051863fe6531e0e40713d06bbebadc1552ba3532564999113

Download Submit
C:\Program Files\ZuluGIS\Preset\arcgisonline\USA_Topo_Maps.zww

Filesize
283B

MD5
b951a540b5a33036ffb4e72647db45b4

SHA1
bce1a86f9c1bea3b2a10a5225fd2c4087ab1c43e

SHA256
5c30e6324b45ab2a9e583cd2dde39ce4199a24ea8c5b2be6152cac883a9853de

SHA512
dda8b025f585606abad5148a9ba08bf9095e4381792ed19748023ccbf3cbbf8c6f2dc7aee267fa9380e7af7ce65ebeb65faf45b9a8b259ca038371cdb4fc7cde

Download Submit
C:\Program Files\ZuluGIS\Preset\arcgisonline\World_Imagery.zww

Filesize
279B

MD5
3cdfa8429b6da95b3d96ef285eff0ab5

SHA1
6ff0d384edb8b1ef3633009fd714d0b4d30f6daf

SHA256
4f26f61933ffa69b47737b53b3c356ae81bdb0e4297c92cdf19e17a5aad8fafa

SHA512
c4d223fa3754e5ac3c2438133cc22de2b706a797cd37de829c892b195a52b46a5db6d22e879887488a1f9e929ea0c573a5415a3f2b2de928e945aabda45794af

Download Submit
C:\Program Files\ZuluGIS\Preset\arcgisonline\World_Physical_Map.zww

Filesize
312B

MD5
ecbb89ee2fa41ea6de615a057da3cfb1

SHA1
2e9e8818e97dff6f8be6a6cee687247ceffc3ef5

SHA256
fdd52aa081a053de3c9fee2dc2424edc74dffafef02da15de461e608c77e1f45

SHA512
3802004160f86d08ebf20f67ddc52f53093847c3f578c1ade33969faa58dc267bc13b81f7d93fe31c6e0227c87fa433f339ba77f321fc932659338a133fba088

Download Submit
C:\Program Files\ZuluGIS\Preset\arcgisonline\World_Shaded_Relief.zww

Filesize
317B

MD5
06f2d838cf3ee8694bb2fdce246105d1

SHA1
fe5c467782fd196893d5948878bef73cb3a4d318

SHA256
6c124644fb92d7d478c2ac55b0b1076fecd4f410e6b0640b5ecdce84e664276f

SHA512
24bcd8832dc0a4c01dd6660fe812fb16c417ac6a16800121646f54b57f530a3931d31a801c4ef0c3caa809ae5fd4f330400626eecb81518fdd05f60c4f26669f

Download Submit
C:\Program Files\ZuluGIS\Preset\arcgisonline\World_Street_Map.zww

Filesize
302B

MD5
a71a7653ef25b8c4447474798d2485ee

SHA1
cb5081e05eb640ca13a7c340cee1d72df14249b7

SHA256
a4744535da288582dfe0ca3ee7fdfd5316bf82c259d97a7c005ac8e3c0e4e447

SHA512
3ed7dfc8a6a850398cd2ed5e905822b9392251cde61ddb384e1af8d1896b1edca799edf27fab91286b50464e58bd706a774733783c3bf61e3068e60dc9d954e1

Download Submit
C:\Program Files\ZuluGIS\Preset\arcgisonline\World_Terrain_Base.zww

Filesize
312B

MD5
0e67cff4a344ac6e4df78f54ed2bc462

SHA1
da104548034e02267f251973463ac569c7fd6fe4

SHA256
4d94c18deacd934e6a75670001441c8ae1cb24d2e2d393cfea4cd9821b277b4d

SHA512
0509398e91dfb7c35e36f30638fb455f3953fd9b3256cc594b157f094da0e8f9581400a24ec688ee50c31fd8fcfa6ed2fd9b0d5462962dfd3118801bddcac77c

Download Submit
C:\Program Files\ZuluGIS\Preset\arcgisonline\World_Topo_Map.zww

Filesize
292B

MD5
0df467451a6ccb6d4975ac1b598c2a04

SHA1
67417e3c60e75f3b1ae2d8709562a420d0d256ee

SHA256
7ba23f5521aef19e0135fa3ec335e7e1ab9d321f796350f8c524105a898b68ff

SHA512
a604a3989b51e505f308f410a2127b2e0b01f8f7225ad486c75eefcc97695ccf3ba545aac8c8adae57137e6d259db986177b15a64822480ac0600e6972559f5f

Download Submit
C:\Program Files\ZuluGIS\Preset\hydro\standart.zhd

Filesize
3KB

MD5
200b594fcef0ff9c26c7be05714b8693

SHA1
d5ed60c4a564c8c62f64c660d74c476b23873a3f

SHA256
87b979b924ad9e4d1b99816045e3417278e6a265f132e5468755002e0bdd8839

SHA512
451cbb1716ed96cf5904d896192a697017fabda808816ec22fc6eba0dea30abb5d76617c9991af6be59b6f2a89273846a4c2b133095f99949604e06027d0fc65

Download Submit
C:\Program Files\ZuluGIS\Preset\hydro\voda.ini

Filesize
426B

MD5
59e32e5e69c5f6306f9ebf137f4df4e9

SHA1
be356c0247654cb5462cb84373972b3aa3b471e5

SHA256
ad06570617d2d3f8f93d8ba472999113438e42a8a959a53dd1ad895c32948e84

SHA512
ab4acc43a0cb6a2ae9d63ea470de71d7b6c10feb401489c274e2319894f4debf04eabf2f62db9e7a5d14f59335521b7b7e43966bf0cb48c07bcf86728f27e2a3

Download Submit
C:\Program Files\ZuluGIS\Preset\hydro\voda_sample.ini

Filesize
7KB

MD5
bdd61440ec6b8f8298ae889e96cf6e60

SHA1
fa80b7e39010decf53e543103fbe8969282db4e8

SHA256
508897a47aaa0d69b373faedb9cd6491d11a09702a76d76eb5fe6fe842ff5517

SHA512
46286a07205a4bcd9f1546069940ca9259a479c6a9566b301c7a043c47ed7d6515622c88d5b1c3001d49c5f614f06651e651baf257673173a1baaf95a50a8ee8

Download Submit
C:\Program Files\ZuluGIS\Preset\kosmosnimki\kosmosnimki_base.zww

Filesize
295B

MD5
78bdd151b2d23bd44aa9afaccf1814a0

SHA1
fbbd3e9f4b4aaddb7529a350bdb3ba219d883759

SHA256
9753001be170ccfc1b0580028131480879b55e7daac64b32645dd69d7cc51806

SHA512
030117ab882b0bed663f1dfe660ed1d0920c05daa624b492fdbd97aece557438c274d49fa6e19b148b5b522611a76bef7eeb07cc1783bfa75dbef3f1668da1ea

Download Submit
C:\Program Files\ZuluGIS\Preset\osm\MapQuest.zww

Filesize
213B

MD5
18ab5a82a4b8cb2b7ce55af1f64e4256

SHA1
54d9a0e34b7f4609aa72f033af47b89506d948da

SHA256
83a7105a945ab629bf2af013f20c1e80fd29b69bed7a44ed03c7f6bc43facd33

SHA512
a74aa6399835670a87d25643746da64fdf4da3e0bbf11575e7188d882f3d9be21f1fe78faad7fc8cc672be0e9ef3d257968bb552ae6a2488cb62bbe897b4ef48

Download Submit
C:\Program Files\ZuluGIS\Preset\osm\MapQuestSat.zww

Filesize
207B

MD5
bbb0921e596db881b797a11ff18e88ce

SHA1
aae4e12999decb4d9e6bb32df725c4a03d9c5cf3

SHA256
e3a54a1dc24461ab46fac2f89152e9e5d97e228b43b6780a3e3d47b622161904

SHA512
7e0427a0ab9a7c4088fd700a77a3bcf8829c2edbd9a44821d34237c9da57d60021cfe2ec253f680fcdbcb267b00681e8f4ca71894b7f32bf0ebbc2cff819f2ef

Download Submit
C:\Program Files\ZuluGIS\Preset\osm\OpenCircleMap.zww

Filesize
207B

MD5
65ca4e75f483e1478943c6e2431cd506

SHA1
eb58b7327b25f4e2537023750fca1f8b119dc0c0

SHA256
3d8f35da2e7c285103ced12ece6c8a18ca6a0c0c24f92e61586e6005307303f9

SHA512
b14ef461ec887b844feb255c3ef22eae980d31f263e1a1e30f7053435f40656c05034b44243d6414d07465c154fa3a8aaeeef6794c6f1a9e289dfcf79d1e91a0

Download Submit
C:\Program Files\ZuluGIS\Preset\osm\OpenStreetMap.zww

Filesize
200B

MD5
6d8dc403598bb5fb2cb223468a3af5f5

SHA1
ab20261cc8de02b15d9bb3b3be78e61ab90a3524

SHA256
5fecd6034f376bf6c59bbe54a25081acf3038327d76bd7337e969992cf1b0b6d

SHA512
b2aeb1f8a20cd3739f791b8695b44ca96eb7cb1951b08c5d6d7b62d36ca97468434590f1f2d582c69a47a30f9db0a9873070748d81e620eee943aa58fbadba8f

Download Submit
C:\Program Files\ZuluGIS\Preset\osm\OsmLandscape.zww

Filesize
212B

MD5
ec850f1d2b98084279c50d802225d52d

SHA1
e546830488667f3fecbf5135d59ad4c295e3535f

SHA256
7008f37b0e1d735ef750622ba8188260e9183ef54d8e92c3cc057fd3c01dd281

SHA512
6bea9449004bb8f404b00db8af7f0959645ce593f0698c59f1275a41a1d80ca82c7d66c0273355f0c233034a596f7fd23217befc1741206104b8356317861a6c

Download Submit
C:\Program Files\ZuluGIS\Preset\osm\OsmTransport.zww

Filesize
213B

MD5
752b0583b42103f473107955808ecc00

SHA1
7112b5d63ef29defa880f79895a2850313ca02ce

SHA256
747f8160ebcf95faa6edb7ba5d428f855a49d84df58a2d5ed6763c82643b36a4

SHA512
ea50d040f86c91a9a4dfe4b7b55f9e7813dc635d4f58c51e5a0c8cf472c20a7653787ae2d292212edcf86ecad6120d406db26cbb2d7fb99c82fcf7256187e608

Download Submit
C:\Program Files\ZuluGIS\Preset\piezo\hydro\Voda.preset1.zch

Filesize
22KB

MD5
06ee1f6dca020f09a32d237566f95b1a

SHA1
f540e4e25da8fd7bd8d2301fcfe22051e96ca654

SHA256
77a8a426d0a2a0d6008a6959cf8f75aa2c4cd6d716ca748de49e0e0a1fc6bb09

SHA512
91f72bf460fd960ffc4b02897b926ae7be889273d36ccbc82978cb316e0fcecdfa41f77aa07a9ceb053e7f14b675a49e75262147b4cbee33ef84e785a4248d74

Download Submit
C:\Program Files\ZuluGIS\Preset\piezo\thermo\Piezo.preset1.zch

Filesize
32KB

MD5
c9dc20938f7f2996f0f058d7b3fa26e2

SHA1
cc518fba49942cac64bb15e2e3ef3abd0a791ac2

SHA256
4e4c229a5a979060b5d2db4ea572f34c83ae5dbc683abfd90e3b75965cd7edfd

SHA512
0fe0db2907228675d5d77636274adaba15e2a6f0e8ae48e4cea5ba7e55d2c4794e0739a662f6a2d373ac9438fb3d026c51a6d97b925fbbee829d1efc99371693

Download Submit
C:\Program Files\ZuluGIS\Preset\piezo\thermo\Piezo.preset2.zch

Filesize
15KB

MD5
609c5be00abf67f6c6f6e116fec8e187

SHA1
e712660e38abc66cf605d499fc15747fdd9ba8cb

SHA256
e6f4c84c88f302ea02165b5e23217ff125303803f6f1248e26dfdf72cc01b187

SHA512
113fa810b53847e6ae6ad0e9fdb0e8c921f4a46470231b58eb12ba8e5a9d7d5772c909f3180ab2d3d2ce447d4a998da1314132861ebf75cf387a3ec8a99e1b34

Download Submit
C:\Program Files\ZuluGIS\Preset\vsta\csmacros.vstax

Filesize
7KB

MD5
3a97db57be8c45558262fdda9be61a5e

SHA1
a75bf3cf0512a4c61a46ccb1d2e5a4911914e395

SHA256
d89eb4997912caca434a1ac35e1c3aa1daa9c6b507f6bce5bbca7815e98acee3

SHA512
612e1c97a9e7e6f9a5eb2d38ef5193ebbd6318f7e24159d6381441952310951711d257af3da87f401a1fef2b8ce5869438d5e678c0619c63de641f54439b36ff

Download Submit
C:\Program Files\ZuluGIS\Preset\vsta\vbmacros.vstax

Filesize
23KB

MD5
91890730ab3f95be58fa1ee1482dbfca

SHA1
998b1078e681b2efe1121ff7a2c2efba0dbfa891

SHA256
8b0b1fd5db00d16da35c8ae9ce282125d64f62a40a129001d44f9ba1c6e02edd

SHA512
18b5a95084c5cc66b99e8d5ef38b8da084bbceffbe18f27e37274d964ac5cf612d49b4adf4a04a934663cec265b1467149d7608b1d866709ae9a87628501fff9

Download Submit
C:\ProgramData\SafeNet Sentinel\Sentinel LDK\566e7aa9-2a68-4381-5062-562f6af6d621\.434e4631\.gfh6chl6

Filesize
120B

MD5
59106776c49e17f71ab3716a9f103376

SHA1
4970d03cc1cb671c01ec7e436ac1a833a66a3d3b

SHA256
4dce896638522bfc4245b49632565fe06ac42cb6befda1c713bfcd97827a7110

SHA512
86dea1737532abebb9fdcc4e0173aa4bca40294dcd5929f45768ed4eab413676f4a637c9a851fc9028633dbb27cd5e2a1aea41b00601dff17481e768b445cb1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164

Filesize
1KB

MD5
6d520e48856aa6fea533e83fd15c0f36

SHA1
205f4a6c99cc537a3998de315d2ffcb254cde5a0

SHA256
acd6bebab8e8e3e020d53ebc92eafbcf826e89f19e8cc870f00baeb150055a07

SHA512
eb175f4dcbd50118cd59f0ccbf13d0595881b8aedafa6953695689231580280b16bce9d51183311b4247eaf02f135a00e658baaf81d4db4c1745597a615c5ae9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_F4E4B21067274B135B7E3D27EAD5EF52

Filesize
1KB

MD5
de68e521e7177ed03614a0c78fc77135

SHA1
02f8bf040f73b790f91f2e67db1afde102d9eb66

SHA256
94bae7e70a521c5a51f73f0cc7e0e508faad0165a531af019e65cb60d0d8486f

SHA512
55331fec3f81a064bf787719c698e9f4730e6d992e8a0b6ec63038dc79a901d1675e8271c9eac5bd069800c7cebd7648ca57efb6da1db22dd6c61e9a37d03a13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164

Filesize
532B

MD5
fe5c3c4f0af9c01347a36fba265d7cab

SHA1
41d1c7ffd75b598b96f94314d28920143a26ec2c

SHA256
4b5094cf7aa6d973fe14df4916500196c73316a04f58b410c2435e4288497065

SHA512
dcabb6fa0ca619a806aab975846244b344572589fec64d3a9624d7e4775da7ab157eda30ce9c3e7ddfba9af8641d984427b9794189bb796088d9fd92e0ba5067

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_F4E4B21067274B135B7E3D27EAD5EF52

Filesize
540B

MD5
38e64aaea243d20d6bead0a583cbfffe

SHA1
b785634f4f0d888de0cd020b3a5141a226c83262

SHA256
944c27080c6315f87d0ca8d2640af2f775d4541c38e9b0c8ecc476c24f2a6386

SHA512
31a28ae36bbee326f0e6b4175157b580a29a974d20cbbd04fd6049ec9b81ef9d4dcf67711d753121af8bf69b5b4749b9ae87d338b4c723f28c2fae891ae9a669

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4D93.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI762B.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Windows\Installer\MSI1D0A.tmp

Filesize
154KB

MD5
b2e2c24ebce4f188cf28b9e1470227f5

SHA1
9de61721326d8e88636f9633aa37fcb885a4babe

SHA256
233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69

SHA512
343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354

Download Submit
C:\Windows\assembly\tmp\5ZUTEEKU\Zulu.Interop.zuluui.dll

Filesize
66KB

MD5
b772ad97b5bbb4b37a7745050e56efc4

SHA1
45e35fe00c8e1ba0515785f20977cab34c88dffe

SHA256
b4041f9a02c379ebba2098a3bc0bc2e1e67cbc493846beb191c67be406a9ebb1

SHA512
adeeccb542d3ad6a6f812f4d339045b5f6fec2911b143cd445fdcf5bd145c3326b9ac86719f23397a78fa407969103bb2822522310bf369cb01533ce0c8918e9

Download Submit
C:\Windows\assembly\tmp\AFNTPT51\Zulu.Interop.ZuluLib.dll

Filesize
267KB

MD5
3ac0df691ae915db82f7bf1e32595a6c

SHA1
de8d431a96af7ecb49d24f03056545ec41af14f8

SHA256
9e4b0395070964fd16d3b688600105eeae7a391407d927281bc1f28a2d76bc49

SHA512
7c9361868fc9ae02e971d68753985ddf79e6af9138e8177f0d4521b891b3680a3e63ceafa37cbf5123ac4ad07025c6b705a8cf9bee8743329bfcb495726de6e6

Download Submit
C:\Windows\assembly\tmp\DMH538RO\Zulu.Interop.ZuluComNetOcx.dll

Filesize
84KB

MD5
66a8bd670eef00dc2732ded1b9154121

SHA1
fd275ab6bdb7743b8f0261d8453ace1b88c4c703

SHA256
c76b09833733f3c2ff0d159157e025c7684f076b07ed9450b077071c60f647e3

SHA512
4fc2fc445d9c064c8c86b13e88ef3b59fc7e44432ba681873669382bc103a50655c3dbbc5508e57d0a67ab565240af7c818e4f6e19d7985d973ae52a436c9e09

Download Submit
C:\Windows\assembly\tmp\EZLLD6G0\Zulu.Interop.Zb.dll

Filesize
76KB

MD5
5278e3ec65ec6c6cd1c029bc62adae9e

SHA1
0f08543f8a2f5ab54c52c3cdaae57e6bb40dff16

SHA256
9b6b7ce66bfe3076934ecdde813ffb8618ed5a61a900b436c9cfab429dc92af0

SHA512
d0c5eff0ac3c1093be35aa20a53940deeef0134d785b2ae1fbbf783bd6e8398e135661f6981c506f96034f7e72ca71d1b958f3cf785a05a2b5308dd5b7e7e1e3

Download Submit
C:\Windows\assembly\tmp\GBLCV2US\Zulu.Interop.Zulu.dll

Filesize
32KB

MD5
5d601b84fd9e27b31bd7979650913ed2

SHA1
d74761ce67158c4a35e49428e75cc47e6a96b3ea

SHA256
eeea6a6ba538e1705339d39afd9040b3f3c563cd3b4990e9d3888345b14ed05e

SHA512
17710910aa25d7a0ee36b0813e246c6dab341577cafba6376c1a7588161b3f981f071eedfd86025f95aa9351c64cd392c53de0389e7e61e29ecbabe27951aab2

Download Submit
C:\Windows\assembly\tmp\OJSILBDY\Zulu.Interop.ZuluOcx.dll

Filesize
67KB

MD5
6d6dfa10c4ba7d96e933f47d411cbb13

SHA1
89e44b76fdd1a9406bb5c7770932523201e7c3e1

SHA256
dea36a4ef6e791a973c1af902113e5f68ed406d3b0d55d8f07861a0910378199

SHA512
d8a64bb965135c1f80d34191db7050c822463b5e1b381df66f5edc4657708ff51e0cf2ac9d688be478bbc33afc5ed06d746da606315c8743f441a31c218d5769

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
7cfa57489362716a3c11a8bc8d916138

SHA1
ab3b8e3358b22ca782c48c566accdae6069ff953

SHA256
0b34cfbf16419a7485ed9e830226ee5078933d8965f827e1278ed14a9fa62c25

SHA512
76daf28fc874918dc7e26a9e313fe169303694fd3edf00363f4b96afdf9a015ab57695a9ca8f8647a4837aa3f3805c8e38d3413fa651b389147d261011ae6bca

Download Submit
\??\Volume{b97ed4d9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{37c853d0-58d0-45d0-8dac-915a06706286}_OnDiskSnapshotProp

Filesize
6KB

MD5
37cfa44a4335c56f21f5df0d5cdf38c5

SHA1
a37a4db08ee00f8d5cd3b1b4f0185f3fbdaced4a

SHA256
dceb38d716ca0e603399f39c3fbd86fb718fc10093c6af781963e60a5b2c0a58

SHA512
419a65494ac2acbcd9278d9e0628e0ff9b59f9631e2f033fc658d738d7c5cdbe8a876d3443948e147b4580280d28fec922b68cbbd2666790c027e686557f3136

Download Submit
memory/1296-1144-0x00000252A66F0000-0x00000252A6706000-memory.dmp

Filesize
88KB

Download
memory/1296-1129-0x00000252A6470000-0x00000252A648A000-memory.dmp

Filesize
104KB

Download
memory/1296-1132-0x00000252A6460000-0x00000252A646E000-memory.dmp

Filesize
56KB

Download
memory/1296-1135-0x00000252A66B0000-0x00000252A66CC000-memory.dmp

Filesize
112KB

Download
memory/1296-1138-0x00000252A6720000-0x00000252A676A000-memory.dmp

Filesize
296KB

Download
memory/1296-1141-0x00000252A66D0000-0x00000252A66E8000-memory.dmp

Filesize
96KB

Download