zeppelin | c367db84b024c1ca76cf66b046acad61c5a8d79398e8aba1a7f18af60eb38dc0

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-02-2025 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
Size

218KB
MD5

2429157f5f912cf24d894658961686e8
SHA1

e2a06afcaaa6962166d829207d3bff3bfc699d05
SHA256

c367db84b024c1ca76cf66b046acad61c5a8d79398e8aba1a7f18af60eb38dc0
SHA512

6782ce79484bcea4c931df2bee0903c96cace844de5726e78823e60a42310901985a75cdec70c81aa3ca130429b09f5163289e2ee6abd16aea17423d8ecfbadd
SSDEEP

6144:HC61i972rJmciP98f2H64DQFu/U3buRKlemZ9DnGAe/IxU+:HK972I/Gf2a4DQFu/U3buRKlemZ9DnGu

Score

10^/10

zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_RECOVER_DATA.hta

Ransom Note

<html> <head> <style> body { background-color: #000000 } </style> <title>ORCA HELP</title> </head> <body> <h1 style="margin: 7px 352px; color: Crimson"><strong>🔒 YOUR FILES HAVE BEEN ENCRYPTED 🔒</strong></h1> <h2 style="margin: 7px 464px; color: Wheat">Your ID to decrypt: <font color="white">899-710-994</font></h2> <h2 style="margin: 20px 270px; color: Wheat"> Contact us: <font color="Goldenrod">[email protected]</font> | <font color="Goldenrod">[email protected]</font> </h2> <center><div style="color: SkyBlue; width: 70%; height: 50px; border:2px solid; margin:auto"></center> <div style="font-size: 18px; color: red; margin: 3px 0px 3px 6px">Unfortunately for you, due to a serious vulnerability in IT security, you are vulnerable to attacks!<br /> To decrypt files, you need to get a private key.<br /> The only copy of the secret key that can be used to decrypt files is on a private server.<br /> The server will destroy the key within <font color="white">72h</font> after the encryption is completed.<br /> To save the key for a longer period, you can contact us and provide your ID!</div></div> <div style="margin: 5px 0px;"></div> <center><div style="color: SkyBlue; width: 70%; height: 50px; border:2px solid; margin:auto"></center> <div style="font-size: 18px; color: red; margin: 3px 0px 3px 6px">In addition, we collect strictly confidential/personal data.<br /> This data is also stored on a private server.<br /> Your data will be deleted only after payment!<br /> If you decide not to pay, we will publish your data to everyone or resellers.<br /> So you can expect your data to become publicly available in the near future!</div></div> <div style="font-size: 20px; color: LemonChiffon; margin: 20px 30px 0px 220px"> It's just a business and we only care about making a profit!<br /> The only way to get your files back is to contact us for further instructions!<br /> <strong>To establish a trust relationship, you can send 1 file for test decryption (no more than 5 MB)</strong> <div</div> <h1 style="margin: 7px 353px; color: Yellow"><strong>&dArr; &dArr; &dArr; &dArr; &dArr; &dArr; &dArr; &dArr;</strong></h1> <ul style="list-style-type: square; color: Tomato; margin: 5px 17px 1px 17px"> <li>Do not waste your time searching for other decryption methods - THERE ARE NONE, you will pay more for your time!</li> <li>Every day the price of decryption increases!</li> <li>Do not rename encrypted files.</li> <li>Do not use third-party programs to decrypt files - they can only do harm!</li> <li>After payment, you get a decoder (.exe), you only need to run it, and it will do everything by itself.</li> <li>I only accept Bitcoins! You can learn how to buy them on the Internet.</li> </ul> </ul> </body> </html>

Emails

color="Goldenrod">[email protected]</font>

Signatures

Detects Zeppelin payload 9 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012268-4.dat	family_zeppelin
behavioral1/memory/2144-20-0x0000000000AE0000-0x0000000000C22000-memory.dmp	family_zeppelin
behavioral1/memory/3044-45-0x00000000002E0000-0x0000000000422000-memory.dmp	family_zeppelin
behavioral1/memory/2948-5961-0x00000000002E0000-0x0000000000422000-memory.dmp	family_zeppelin
behavioral1/memory/2184-12218-0x00000000002E0000-0x0000000000422000-memory.dmp	family_zeppelin
behavioral1/memory/2948-18202-0x00000000002E0000-0x0000000000422000-memory.dmp	family_zeppelin
behavioral1/memory/2184-23570-0x00000000002E0000-0x0000000000422000-memory.dmp	family_zeppelin
behavioral1/memory/2184-30566-0x00000000002E0000-0x0000000000422000-memory.dmp	family_zeppelin
behavioral1/memory/2948-30607-0x00000000002E0000-0x0000000000422000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Zeppelin family
zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7402) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2776	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
2948	spoolsv.exe
2184	spoolsv.exe
3044	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
2948	spoolsv.exe
2948	spoolsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00397_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0290548.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01491_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216570.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.DPV	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBBTN.DPV.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107742.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00555_.WMF.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18214_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18220_.WMF.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR44F.GIF	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152898.WMF.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00018_.WMF.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\RTF_BOLD.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_italic.gif.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOML.ICO.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115844.GIF	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-search.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02115_.WMF.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103262.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Distinctive.dotx.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185670.WMF.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OMSINTL.DLL.IDX_DLL.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXC	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME36.CSS.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00068_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251871.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvpxy.cnv.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu.ORCA.899-710-994	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF.ORCA.899-710-994	spoolsv.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\HOW_TO_RECOVER_DATA.hta	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2264	vssadmin.exe
2336	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
Token: SeDebugPrivilege	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe
Token: SeSecurityPrivilege	1088	WMIC.exe
Token: SeTakeOwnershipPrivilege	1088	WMIC.exe
Token: SeLoadDriverPrivilege	1088	WMIC.exe
Token: SeSystemProfilePrivilege	1088	WMIC.exe
Token: SeSystemtimePrivilege	1088	WMIC.exe
Token: SeProfSingleProcessPrivilege	1088	WMIC.exe
Token: SeIncBasePriorityPrivilege	1088	WMIC.exe
Token: SeCreatePagefilePrivilege	1088	WMIC.exe
Token: SeBackupPrivilege	1088	WMIC.exe
Token: SeRestorePrivilege	1088	WMIC.exe
Token: SeShutdownPrivilege	1088	WMIC.exe
Token: SeDebugPrivilege	1088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1088	WMIC.exe
Token: SeRemoteShutdownPrivilege	1088	WMIC.exe
Token: SeUndockPrivilege	1088	WMIC.exe
Token: SeManageVolumePrivilege	1088	WMIC.exe
Token: 33	1088	WMIC.exe
Token: 34	1088	WMIC.exe
Token: 35	1088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1740	WMIC.exe
Token: SeSecurityPrivilege	1740	WMIC.exe
Token: SeTakeOwnershipPrivilege	1740	WMIC.exe
Token: SeLoadDriverPrivilege	1740	WMIC.exe
Token: SeSystemProfilePrivilege	1740	WMIC.exe
Token: SeSystemtimePrivilege	1740	WMIC.exe
Token: SeProfSingleProcessPrivilege	1740	WMIC.exe
Token: SeIncBasePriorityPrivilege	1740	WMIC.exe
Token: SeCreatePagefilePrivilege	1740	WMIC.exe
Token: SeBackupPrivilege	1740	WMIC.exe
Token: SeRestorePrivilege	1740	WMIC.exe
Token: SeShutdownPrivilege	1740	WMIC.exe
Token: SeDebugPrivilege	1740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1740	WMIC.exe
Token: SeRemoteShutdownPrivilege	1740	WMIC.exe
Token: SeUndockPrivilege	1740	WMIC.exe
Token: SeManageVolumePrivilege	1740	WMIC.exe
Token: 33	1740	WMIC.exe
Token: 34	1740	WMIC.exe
Token: 35	1740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe
Token: SeSecurityPrivilege	1088	WMIC.exe
Token: SeTakeOwnershipPrivilege	1088	WMIC.exe
Token: SeLoadDriverPrivilege	1088	WMIC.exe
Token: SeSystemProfilePrivilege	1088	WMIC.exe
Token: SeSystemtimePrivilege	1088	WMIC.exe
Token: SeProfSingleProcessPrivilege	1088	WMIC.exe
Token: SeIncBasePriorityPrivilege	1088	WMIC.exe
Token: SeCreatePagefilePrivilege	1088	WMIC.exe
Token: SeBackupPrivilege	1088	WMIC.exe
Token: SeRestorePrivilege	1088	WMIC.exe
Token: SeShutdownPrivilege	1088	WMIC.exe
Token: SeDebugPrivilege	1088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1088	WMIC.exe
Token: SeRemoteShutdownPrivilege	1088	WMIC.exe
Token: SeUndockPrivilege	1088	WMIC.exe
Token: SeManageVolumePrivilege	1088	WMIC.exe
Token: 33	1088	WMIC.exe
Token: 34	1088	WMIC.exe
Token: 35	1088	WMIC.exe
Token: SeBackupPrivilege	748	vssvc.exe
Token: SeRestorePrivilege	748	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2948	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	30
PID 2144 wrote to memory of 2948	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	30
PID 2144 wrote to memory of 2948	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	30
PID 2144 wrote to memory of 2948	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	30
PID 2144 wrote to memory of 2776	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	31
PID 2144 wrote to memory of 2776	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	31
PID 2144 wrote to memory of 2776	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	31
PID 2144 wrote to memory of 2776	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	31
PID 2144 wrote to memory of 2776	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	31
PID 2144 wrote to memory of 2776	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	31
PID 2144 wrote to memory of 2776	2144	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	31
PID 2948 wrote to memory of 2684	2948	spoolsv.exe	32
PID 2948 wrote to memory of 2684	2948	spoolsv.exe	32
PID 2948 wrote to memory of 2684	2948	spoolsv.exe	32
PID 2948 wrote to memory of 2684	2948	spoolsv.exe	32
PID 2948 wrote to memory of 1992	2948	spoolsv.exe	33
PID 2948 wrote to memory of 1992	2948	spoolsv.exe	33
PID 2948 wrote to memory of 1992	2948	spoolsv.exe	33
PID 2948 wrote to memory of 1992	2948	spoolsv.exe	33
PID 2948 wrote to memory of 2740	2948	spoolsv.exe	35
PID 2948 wrote to memory of 2740	2948	spoolsv.exe	35
PID 2948 wrote to memory of 2740	2948	spoolsv.exe	35
PID 2948 wrote to memory of 2740	2948	spoolsv.exe	35
PID 2948 wrote to memory of 2580	2948	spoolsv.exe	37
PID 2948 wrote to memory of 2580	2948	spoolsv.exe	37
PID 2948 wrote to memory of 2580	2948	spoolsv.exe	37
PID 2948 wrote to memory of 2580	2948	spoolsv.exe	37
PID 2948 wrote to memory of 2620	2948	spoolsv.exe	39
PID 2948 wrote to memory of 2620	2948	spoolsv.exe	39
PID 2948 wrote to memory of 2620	2948	spoolsv.exe	39
PID 2948 wrote to memory of 2620	2948	spoolsv.exe	39
PID 2948 wrote to memory of 2248	2948	spoolsv.exe	41
PID 2948 wrote to memory of 2248	2948	spoolsv.exe	41
PID 2948 wrote to memory of 2248	2948	spoolsv.exe	41
PID 2948 wrote to memory of 2248	2948	spoolsv.exe	41
PID 2948 wrote to memory of 2184	2948	spoolsv.exe	43
PID 2948 wrote to memory of 2184	2948	spoolsv.exe	43
PID 2948 wrote to memory of 2184	2948	spoolsv.exe	43
PID 2948 wrote to memory of 2184	2948	spoolsv.exe	43
PID 2948 wrote to memory of 3044	2948	spoolsv.exe	44
PID 2948 wrote to memory of 3044	2948	spoolsv.exe	44
PID 2948 wrote to memory of 3044	2948	spoolsv.exe	44
PID 2948 wrote to memory of 3044	2948	spoolsv.exe	44
PID 2684 wrote to memory of 1088	2684	cmd.exe	46
PID 2684 wrote to memory of 1088	2684	cmd.exe	46
PID 2684 wrote to memory of 1088	2684	cmd.exe	46
PID 2684 wrote to memory of 1088	2684	cmd.exe	46
PID 2620 wrote to memory of 2264	2620	cmd.exe	47
PID 2620 wrote to memory of 2264	2620	cmd.exe	47
PID 2620 wrote to memory of 2264	2620	cmd.exe	47
PID 2620 wrote to memory of 2264	2620	cmd.exe	47
PID 2248 wrote to memory of 1740	2248	cmd.exe	48
PID 2248 wrote to memory of 1740	2248	cmd.exe	48
PID 2248 wrote to memory of 1740	2248	cmd.exe	48
PID 2248 wrote to memory of 1740	2248	cmd.exe	48
PID 2248 wrote to memory of 2336	2248	cmd.exe	51
PID 2248 wrote to memory of 2336	2248	cmd.exe	51
PID 2248 wrote to memory of 2336	2248	cmd.exe	51
PID 2248 wrote to memory of 2336	2248	cmd.exe	51
PID 2948 wrote to memory of 2792	2948	spoolsv.exe	52
PID 2948 wrote to memory of 2792	2948	spoolsv.exe	52
PID 2948 wrote to memory of 2792	2948	spoolsv.exe	52
PID 2948 wrote to memory of 2792	2948	spoolsv.exe	52
PID 2948 wrote to memory of 2792	2948	spoolsv.exe	52

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1740
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2336
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2184
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:3044
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\HOW_TO_RECOVER_DATA.hta

Filesize
2KB

MD5
d7a8e3f296f306a63f74c8fb52fa4e87

SHA1
a3f6d01a0680eb1c998cc715f24cba001b2902a6

SHA256
8a1450d9f3beb55524334a35cba1d9453e86b13166b71195dae6b75f24b10fc4

SHA512
a6e3eb4684fcff8a5ed955d49dd79b0e3f4028e3b3109d9e4f6eb4bb69c2f99b2c467da413f409b5e2774b178666dcdae23eee4a061044514980ddaedc0c4533

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
62ff9f0f7b7254d36d470b162795003a

SHA1
a4d5ab1f6a2448d8e4aceaf499d12c0599cf4556

SHA256
40099ab47e33ddbf80464d0ae3362a20b6461da7a2ce65875d579ba5ee63fe21

SHA512
3dfbe55f0362a60377859ab8c391ffdf75996644967b625e3cc40d70241a0e20fe216d11748088b5f16c9bafc56206cb6d06178e4ec6e88198546e6f194be66c

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
3c28f7c56a948ffab5f4595c7b41f61e

SHA1
6c0405db0ee48abdd8740bb7eccfaf3efa6ee608

SHA256
6e83f0374bcfb445662263a21e29ea0805940e8726e9a8a2c5dbbc8780f37445

SHA512
244cc43ddc8fbfde634d076e2bcbea3ae8d23e529aa700995b31a21805ea79b13257f6408856e942a5fd97b539e09786319fbc57d77ff4acb4819b52febb5e91

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
f0d59b408dc658d1e0cd022dee5d4653

SHA1
934068929b088622a649b2a55086cb238fde8ff1

SHA256
3e469ede57e8332b518dc9e0f3f7c1d9b6fdb28aae60ab3fc6af96e900d2983e

SHA512
0c7519a03d2871efd346b785cef79b2f7c067caca3b222614efce2939723bd10b570260c24b7ba23fa5202f909563c88ad173bf70e3ed0276536b983a6d5545c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
125KB

MD5
b92d74b0a1ff255e689b9c52b75e8f65

SHA1
a80da04efaab9799aabfbb1e2880cae7551a1008

SHA256
564c625bddfae564a8ae7897d7cb46a53157254792f798e1f356a4005cb481e9

SHA512
82f139bf58f2ff099603c33d5bd90a5924efa207d67726403a6ca3514d9958a354857caaa5edd77a8ee2759d7069c0d50bd5141c9d2861dbc7bc9b429aee81ea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
e9f68cf066f8790fd0c4c59aff0c5593

SHA1
e8ae56c47b566cddb1ce46734045fa6b2c77445f

SHA256
70b185ed3a171c2c4dbcd3daab166aacab9d3abf11e4a3bde65240d5c767d7f5

SHA512
562fa09468cfd6e6830dc458056b5591f7cdf2a193d5318db27e250dba07c247cc6c66f6b00ea27378d589108d59a2040b141006ce379357fd1fd3ddffbcd188

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
d0febb8adf82a40c52a62b8be237412c

SHA1
76d2a8c10bae15b4aad29e1027074663c39ed5a9

SHA256
310498ee93f77f673b8075365a6dc6fc08b5494377796f9b1e7c26069cefd27c

SHA512
e0cc7a431ea6fbce2635e20a0f09fa439cfb5b3866f390f8782d6807c4d0291b00383a932062f58a2de8feae02e7d9cfc7f3a6e2cd8af7851a26c745d31e56d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp

Filesize
8KB

MD5
e6bba4be0e1c3b2a36468c1d74e275d0

SHA1
eb1df92f22c0ac4a93f194928f090faf6b15602a

SHA256
967ab07b5d47eddcbd3b963278c8c971d187a68eb8c6c383359d75007e4fc6c0

SHA512
4c25b6b0ee5b6ca99afd5318dc1242235b571d14be9660059be7d715cbdb1beb5bd0fb7eff3b0c1d6530be7c7e686a2958fb9c83755190d1000fcade29cf5555

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
0a51824858c33a7c5c67779dfe47f00b

SHA1
536a7222d09fc1c6f22b06e68b6b28d1368d0976

SHA256
5430e85bacba55d7cfa078a8baad2d5ccbafe89dadfffa1eccfda00330276b84

SHA512
ee5292644a1392f0a62cb2030e03e3a96e7426a3e374bd98e6c26489b797df69822a16ce27f297cc2045c9a0bf03f7ad9ed935aa387e02862322a6b5136a1818

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
3defb6b4a40de9368ceea6ad7ca9b2bf

SHA1
61a099ddbfa6ae01b6a6c687d225b4dff1e00764

SHA256
5b4fb3d072bb2197628dddced1ac143c5d8202e52a84591eabebb043354db7e2

SHA512
67b0e6f91ea959ac63510b45c9a78379daadd18070a4cae3c8b913afcaf605e2f68c6bc5a4b483960cec7d0ea5d25b13348af32613f8e2861478e5c7e4863e56

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
2a91d42b169ad8337b5e23be49bdcee1

SHA1
fe88f2a2e377c16315b0f732febbefb430ede99c

SHA256
864cfb22c7b45be1a31902d02a2063089d98a664ea6b4bfde0a13a26a4352205

SHA512
64ab214cdc2a2cf1df8d4db97df65da1d39f8d6a0bbef72d83d43bbd8a50760f9637b8d1e45f3fd4f4a73284f59f8b465c3178ab9ac651bee5302f21612d500c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html

Filesize
10KB

MD5
baf9b22e404f7e5f8152825a3b008ec0

SHA1
74da5e7a0d875f909067ac23783b6ac6f8b89e3d

SHA256
dcff7d582bd474627095dae0a727ebebceb3c5d279918d0fb25d6991e257cef2

SHA512
f24f27af7e12cd040815da3b7f220ba69350c88bba83ab9a6fb45f5025903195c2f7c2096bb6f93f92e2068b34d52150850690f4b5ecd5dcb303deb3f0293092

Download Submit
C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
4f1ece308b88d326fbbf03b0c40ff597

SHA1
f1ea8a265f8645ecb3ae6016007360f954dbfed5

SHA256
c2faa75eddc42e86ee82f611bb559e96f05d98bf7fe8d3ec67e1bbd2b8f46a85

SHA512
043063b555a7a39cbcc9429664a9598b01c3f22ec62b6aefa9c5c63114957b6db8a872c1de9e5b430042aca5fa99a972464b767b87ee535a88c50aa130e2b120

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
de8dd9357960d8b6bceef8d3314dd03c

SHA1
b042256fee2853eb994fdbcfde119e84e86020d7

SHA256
010d15a0fe73affc346fc6d2fb240c2dc8961ec029b15164f0f21aedc3a0c9c0

SHA512
17210bf7d939f297acaf3659b8d35d1370ba2db0e03976a909791ede72b389ea9eea83d98f56ca4131ab68532ea2979fe5ad763eb654169bef669ed57e3b5c7f

Download Submit
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo

Filesize
612KB

MD5
ef352e6337d7bcdca4ecce12b9cc5b9b

SHA1
ba9a47c65d5fea349e70d9da16565dccdf04af47

SHA256
5818fbe3e41737951868103dd305fd99b6224153b8d64488283c2ff49dd98030

SHA512
63148c8f3974c5caed6e185278221e7a280f3a97b8e4775650975f9635e268fa6cc5fd08925ec4e339e28d581bcc1dbc3e990a23696d762d91b548ad68dc126a

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
613KB

MD5
cea9235dd12fc7dd9e9d3628176a4769

SHA1
ed717343e4d91c2286732440e6c02227882fe12d

SHA256
7746158af9324de5abf56a0f40c50e35b83f91979a77c6d38b886f1037c60d0e

SHA512
0950bc1c39fbf4bb631f0cbb31350d6770390254331e1054cec37ac1c1f56fd287f21714d288c64d9bf0f478bbbd6f9515832d9273eae1cf60b9ba258af208be

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo

Filesize
579KB

MD5
81f5f0a610b87190a4fef630feb08df6

SHA1
24d9e635884bd8b43d7cae57a561f51578a1b184

SHA256
38af15b7d23c2f50f99fded45d7d5af59abc5be4dbdfe1ea868a9764646fc97c

SHA512
1b7ac9d7e04ea9a42533ede72cc01b017009e8e540522c9930a48c667dbd8cd3bd6809943ef97144a7005cea310ab34989eb51c50cab9974aff130a65a00eec0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
438e4b834fa63e49d97a38e1f3cf61e4

SHA1
69a5cc5b0d1cb5ac0607e43f3af7aca8c356d01c

SHA256
d48cafc236049653891f5a1fb60aca8b17ae76b5913dee3709624b93caf42005

SHA512
8cbb91398a32a5f65a6001a7b6a87b25bd4288eb1775f00aacf2eaccb134614417ea335b73e0f9e42becd867ea7729e092b53ab66b1088b1db32281a121ba859

Download Submit
C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo

Filesize
552KB

MD5
a94f9a80c93471fa29a3fe4b52272d28

SHA1
132ea59d6cc125e3956e146c548834debf057195

SHA256
837a813b12a7360677cb486e37b1f1d1498836e93ee60cc412f4cdf34139c016

SHA512
7c56798db4ec50857512cad63313646f67f0abe9fc58ecfa59c207be4c33ccebf2f6b127c9d6d0d90e466f9c9051fb2ead119fa4245a29fc618b7bb88106c66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
521B

MD5
5c70b3bfb558be59b19cd5545b383455

SHA1
ce6d7cc54c6b34828772ec59a40bf424b7685c91

SHA256
28c7c34e8a0c658a1089ee2c7c5190c98e6e0ec9a6ebdd1c5535e0d37b48c079

SHA512
48dd2b9ac4463296da65553d7bdfc072f0e399bd3485d69dbc5ddfa42f858dae32b496c79cdde13d119954bf2a3e2842bd703e367e7755a773f9e6b0178a5844

Download Submit
C:\Users\Admin\Desktop\ApproveUnregister.xml.ORCA.899-710-994

Filesize
181KB

MD5
946859f83a7d15cc8e98c28d1bba4523

SHA1
19070aaa8c516f25d497201a9cea0854d572e391

SHA256
6c9d85b325b925e6d6877030b52ca131fb8ea9dcd8d464fd7c3ce23ad014970e

SHA512
33fc27b21545cfb3d84a4ef6df81d87acfb991d1fa777f5a1391aa898a7a5ed63e2dfb372475d44b2c726d656ffbc7956efcf07dbf066c8ee97e6455d3274f16

Download Submit
C:\Users\Admin\Desktop\CompareRemove.bmp.ORCA.899-710-994

Filesize
348KB

MD5
9ce05d555c30b9341105da5c0a7b5335

SHA1
211ab6b1315cad1706ab5137fc0766de45c0a896

SHA256
67fad8a6c9596fe220ffaa18ee90368b02bd39a3f8b371ac4f8c2170087996ec

SHA512
141d115fd29742f57ecbaf1f285702dbcdf02fd5d87dd57d14e0c44999ce9c425a349224028876db73eb594ec6bb2663954d16b57ed109b20a2d238885b8244e

Download Submit
C:\Users\Admin\Desktop\CompressOut.docx.ORCA.899-710-994

Filesize
22KB

MD5
38fa3be8e6dc953a18421f1371ad28a0

SHA1
9f1361a135cd16579dae83abdd6c6edb5cf2ea73

SHA256
6b9e36fe339ec33e57e0153eff177a8e04725586dcac509c5e35b1439eb6cd2c

SHA512
dacdb0a936931604c5e7a52d787d4fb8f3ad32e060d2873beb52d15c44fc15c87d38198e97b8585bcbc731ad07dd0a2d4904c400342e5877864f09ed56f0817a

Download Submit
C:\Users\Admin\Desktop\ConvertFromDisable.ocx.ORCA.899-710-994

Filesize
95KB

MD5
9aae04bcb0c603ed5a2f152a48b42f84

SHA1
b6fd77b7059deac54874d3b2a92382371fe79412

SHA256
e5d9b3a14761668729b9e972de50e670209f4b7268c76fa361ed5437605cb6b0

SHA512
31a4e10f745c783d2dcb150cf62589c71d165d981f1833f16f38ca1275623b4b8ae25223aee87fe24b0269ac2f2c8ee0566833fa85e26da178069580ecd45fd5

Download Submit
C:\Users\Admin\Desktop\DisableConnect.xlsx.ORCA.899-710-994

Filesize
15KB

MD5
f55e7255b87762821a0f44ec99a8b40c

SHA1
432e6a8bb180bcd440dedb7f135c34968efb3fd8

SHA256
f75e9c998aae74f6d411b13c7ab11272a5d0d0793120abeca9a191492163147a

SHA512
814e5c3062a4c70b2325940ea175f6b6a407b664f1d9c3cd3dc2efa68026f86673c4fd396ba516dc6a86badd4e0ef102c1bf76681d9f57736f5518740db1c0ce

Download Submit
C:\Users\Admin\Desktop\EnableUnblock.ico.ORCA.899-710-994

Filesize
150KB

MD5
6c8668edb75757b8fb7a72efcdda426e

SHA1
b8bf52c432f8f571f9a640754e4c794a58a671fd

SHA256
da7edcbe4bcd40bdb7f82f5959dc0752cec16c75248da569c53555611b826099

SHA512
ce7eadf053ecb391f5e4b820c53918c0c387923ea20c814df5e2a6838456bee0721e82b1c27ad498c6894c2d01a1076d1b782e18b120ab43f7d795398f5b3c3b

Download Submit
C:\Users\Admin\Desktop\EnterPing.xlsx.ORCA.899-710-994

Filesize
14KB

MD5
eabb5a40ade77f9928fa27972f1a436d

SHA1
acc728cf0fddb02ad3edeb95350c9dd0c9ca0d7f

SHA256
0d22c191a5f3d24be638bbb8e0a632a352d9f51c727b8d4a68a53725556d3049

SHA512
6b7db4299bf919eb6586d653e15ade3fc4b86efef228e1c67ea7c4a487cfa011e6ab34a2b5b07e4aaa1f4408344e005e9cb6e470971a2a53ed9cef806974f747

Download Submit
C:\Users\Admin\Desktop\ExitInvoke.wdp.ORCA.899-710-994

Filesize
199KB

MD5
3b6b38f5063c88662de29ab1bdcce710

SHA1
adc11644b79ef9cfed9b35294f0a9945fa86d245

SHA256
aa45f0315960463025d216120254f494324e709dcd7fc8eb58902cacd04a973a

SHA512
81b3e9640115531c4f42116f19372f1da493baadadc38765fb00f4d7188e7d5afe7585de2e13a01e5fc39c414cfbfe8aaf87c666e0268f37645bee8cd163cb4a

Download Submit
C:\Users\Admin\Desktop\HideApprove.css.ORCA.899-710-994

Filesize
108KB

MD5
84b212be9b4e5fbb33f637eb677e01c8

SHA1
e0341ecd78cf5b4637f7a82f78f7e20f9ff8063f

SHA256
daf63d674411b71cde1a6f5be15cfb8820c3578d9245625a394f750f10ee90ed

SHA512
4c119e69a5c3fcf5528407516296ab06b3f2cf65814eb929d39d759ef36e9ece82d147c32e391af791c5d333c1e93bfc8be0a2b165c78394e31fa1624723b271

Download Submit
C:\Users\Admin\Desktop\JoinAssert.ex_.ORCA.899-710-994

Filesize
254KB

MD5
1bed365ff0298fa2d5f14e9d895b2d53

SHA1
f6e0105fb1226d2ce3cddc6664801f86d6437016

SHA256
421ddf6282e014dbc9f5fe48e20683ebb4edc2b4d4d0955b262e8f0583d14011

SHA512
092c179b4175b91ec899ce75dcba04846218793d2908013f5666f9f392a0f8003b178c7d0f45b687244dd698f7b8bdbe77be90631f5b4de85e3c463b4f4ede21

Download Submit
C:\Users\Admin\Desktop\JoinUnblock.tmp.ORCA.899-710-994

Filesize
168KB

MD5
ce1961035d65569f03bc2b9ad472f7a4

SHA1
ec11ad5d23f8f8fb4aa8016f161e54855b6e9bf5

SHA256
61b7c61696bbcde46d62ae137cf12083406c39d14b96f887e6a7236740674985

SHA512
4bb3bdb35b493e925041b1dd449ae54add3b1ebef6930eb9d6949cb19fa2b34977144a788d9a8ed8e19f59ea363390946b0a23d49a36cebd7afca98d044e9e6b

Download Submit
C:\Users\Admin\Desktop\MeasureEdit.i64.ORCA.899-710-994

Filesize
223KB

MD5
8acd16e93822038c343038a3e2a84eba

SHA1
26f4f87216d19644b21772ee7c5bd0f90a831e3b

SHA256
f797e22af1be23bb674e9b14ce45063b7bcc1993a0de7a6954a926c62325dc25

SHA512
88cd40e5d3edc893e856858d8ebb61fe38049c4b61dc5cce341e7c23978349208beeebdacc765fe219d0e1f4cd8696c38e3d4b29553b3e31492dfb55f9097966

Download Submit
C:\Users\Admin\Desktop\PopPublish.wma.ORCA.899-710-994

Filesize
132KB

MD5
1c864c47a5243b78a362f0dcf437237a

SHA1
81dc15cd8084b137236d9a563227d7438cfa491e

SHA256
5dc78647f7c710c50c28f4420bab4e46812db4e1f4a4754351b15b1f0476dc13

SHA512
01c9ebcc6658a64133409fc655b6a9b2910249c6f776fd56fdb14cff5c58e246830e4429f65c3dd15db0d590fc775020ad807049d5637b296cf087b9cf4c2df9

Download Submit
C:\Users\Admin\Desktop\ProtectSubmit.ico.ORCA.899-710-994

Filesize
144KB

MD5
33b7276a75126cae51261219cff6e683

SHA1
5fa3a8cba5a14c1a5daec49f033f8e5757c8da97

SHA256
d0a00eaf95c88eea887fda760400b613319ec3c9ae3ea4fc5eefb70290a46378

SHA512
c60b7f9539971f290ad1d0802eed942417aee156c5796e46451823559788ad98a6366dd8e835fd5c36263c0d382e490ffe0b93a16d5c12b4a90337d26cb8c46b

Download Submit
C:\Users\Admin\Desktop\ReadMount.ppsx.ORCA.899-710-994

Filesize
242KB

MD5
125b419c73a361c29a50b78ab457be32

SHA1
c6180fbb5c099bc7adfddb659d81294d0f0a9b67

SHA256
920cd21af9b0c34b11d2825e54bb3068fbb3ccca1b50e223ba513fdc3be211f9

SHA512
0d7f268d96dac2de8c069199c8653b4114582954e76c02e82f292fb4a2d830483b0eb57337bff043e8419ae251f6dbca60c285587a38a74739e3a626c05207e4

Download Submit
C:\Users\Admin\Desktop\ReceiveUnprotect.zip.ORCA.899-710-994

Filesize
229KB

MD5
f62a899d1da0f97542c2db439f909b81

SHA1
34c8189e17417a328520af6b62fdcb9bac73d761

SHA256
3810fd8cb50802dfe7b2824434c202c433011794777a9c3b6e703d7f31ad9b97

SHA512
cb4334ab7f02d44786ef86e596165be66ae38f4db10ff80fd90d958b898c0ddc617b173b4600fdaf55539d60dca5bd456c2531fe1493083f8208a0eac06cd5d7

Download Submit
C:\Users\Admin\Desktop\RedoUpdate.mp4.ORCA.899-710-994

Filesize
175KB

MD5
9b205fc6a1433bb7a8467d0675ba494f

SHA1
f22fc9abf3afeba18b5b53d5e4c223dbf07ef81a

SHA256
3f286969370ea41c111c7f23909f9b76014294525bbc94ea59b14a19153c0ce4

SHA512
2c2ffb77aa85faaa748f52a752b6ee42fc89c4e162eb0b982b5a8522f155428453adb298549982578cab25879403e6bbaf9f47187bc54e92be948fa9b69cac3d

Download Submit
C:\Users\Admin\Desktop\RestartSync.wvx.ORCA.899-710-994

Filesize
114KB

MD5
0e86b81359604b3c88304f97d248607d

SHA1
b330d29e47a345f5dbc01f2858bdf019f2ab4677

SHA256
94a15984c4962d92a630b230b4a960a428d7ce59c59afda168ca667ba7288e11

SHA512
f517e37b5b9f148d906289566b311c4e0aba4c8cf2cd48b1b3046130cd6c42c0ccf7761d88431e5b87aa44791cd5a26c910ff8e4d797e8be9643c6383da4f387

Download Submit
C:\Users\Admin\Desktop\RevokeUnregister.xlsx.ORCA.899-710-994

Filesize
14KB

MD5
7a80e5745b8435730d04992688806247

SHA1
bd1a325cead743c1677d8afdb4ae3221e749829b

SHA256
32276e218177e23e34ed02d3a0f33a07ad3161d970fc320278f1807807916afa

SHA512
14aeafbcab20c881d06009dc1f98b2af942f06c162c7c3a0fed1a5457e562841bb816e731515180b2d5c1e05313fbceafc6e63fe1256bf5acdd4f2ac37685ff1

Download Submit
C:\Users\Admin\Desktop\SendHide.vsw.ORCA.899-710-994

Filesize
235KB

MD5
bf1fd8452ecb95697da08eb2a41ac7a1

SHA1
10bf0678a4ce9addb69eaeeec1939bafed8c61bb

SHA256
efba18065b5aff19f7db897b068110fea05515ad180152d7f7cf2d68d4926c3c

SHA512
8ce1074c7a324c1f2e52a9fc4fbbe2bfcad3f84cf876c0cd78e465f6d5184d9b66406c1bcf4385c90ec42249ac5d77ef34fca743f9700931d4984c2122fb21a4

Download Submit
C:\Users\Admin\Desktop\SendReceive.ods.ORCA.899-710-994

Filesize
126KB

MD5
a893fcc8ac69e458b726a247147c7618

SHA1
5215b747f161b9ab004fa4771262c259bf2e594f

SHA256
06562f4befa7062a12f7cdd94b659eefd945f04c61e042bc42da204b21d60615

SHA512
8b49e343685a87ff35dd2baa26041f6d56c389e0824b625424bbd1525f57e5194839bb9c39babe0f650b4debe3751607953b023a3b190e3e80f70542a5fe54a1

Download Submit
C:\Users\Admin\Desktop\SplitConfirm.xlsx.ORCA.899-710-994

Filesize
248KB

MD5
82831dfa3063c452392ca3e193fe01ee

SHA1
20b7db61cf187c8d3d7b345e4c70d2d6ea84b117

SHA256
b8fca9c1a4ec4884e28d24ef048483942476c2ccec5eec70837c3010f3a2ded6

SHA512
4c53dc848edcf8dbf50b122db87412db7c22304bd625b05bf9d14678cae4a6869ada3d002ece08c79229493db29af5145150f8a84b687effde56cb45740c87c5

Download Submit
C:\Users\Admin\Desktop\StepDisable.xlsx.ORCA.899-710-994

Filesize
138KB

MD5
9110859bf229e01b5f12483cc9ae9ddc

SHA1
b5cdd5fc57c6dc62134f1f63d83731b28fc07150

SHA256
5cf40f27005d86da331b8221410a7f04f3c55ff58bd03c26da12d4383e7512d4

SHA512
f7671ec8c64d943201448a2cdaec52620ffad30ce72473f56b03e5faafced285745dfdf610f1e047a047dc21154eed3e66dbe2c35582a2941937c998546724d2

Download Submit
C:\Users\Admin\Desktop\SwitchConvert.png.ORCA.899-710-994

Filesize
120KB

MD5
8dccea0ed81491d963e20cf81a52364a

SHA1
09093cdbca0952c21267c51830b3cc4122d22484

SHA256
839553c77ba46adea44dc45a912c0f9eed59276f0c049b577ee745f559c2c550

SHA512
8bd9325d4e573e0de4433600d3b5d8b11e0cfdfcf480d4492571a6f5ce3451ade3eb9588b3b57c68c72dc164fccf6e2c9845af07a4ae45a1d636552a5493b3c2

Download Submit
C:\Users\Admin\Desktop\SwitchWatch.cab.ORCA.899-710-994

Filesize
89KB

MD5
2c4e45fc505510db925f2db9409c1326

SHA1
2d8668abc8de23451c9afece4396395e98a8ee7e

SHA256
a04b972b4a51efbd1a56f2cfb457a656eb556a6d0613cca9f0d48971fd0514c5

SHA512
6bceee2f331501c8a8be2349e0ea3901e04f0890f196aec6f8f8de51cdeea1d993c897f8f7a89819ee544b347d078e8b21cb705050a8a70cb814913dc355d7b1

Download Submit
C:\Users\Admin\Desktop\TraceRestore.clr.ORCA.899-710-994

Filesize
156KB

MD5
d5e690c120b8ad15236381ea9bfbd53b

SHA1
3c0c3574998cbe93d0ce6830538e08f961fda97f

SHA256
89b45f0a74e04dbbf750efc33d1915a78f810bcbb20828d128ca7c0ab4621ae2

SHA512
c3ad1f2bf5e311ae7431086ae241e07075968f6c871c217fd7d142c756b24ddc6d357da9445dca957e5dc4289259fb6152d02d85e8a75d8b81ec9fcca8405053

Download Submit
C:\Users\Admin\Desktop\UnblockClear.mp2.ORCA.899-710-994

Filesize
205KB

MD5
ea5a3c6e5683e796c20c1cfaefab4f12

SHA1
881dd98f1a978d54007ab89caf52470c2425efbd

SHA256
8c67950341685ab292a43912faa0c83d391635fbc7410b33d30e44ee36102c0b

SHA512
1d54db314bac889aa390ea15218fc122c43b7db95cabc56545e0131144af9d148867953e9db3ebb9862cdfa6ae7ae7991a0f435b8ef2c1185da5ddfe87dfa790

Download Submit
C:\Users\Admin\Desktop\UninstallGet.dotx.ORCA.899-710-994

Filesize
211KB

MD5
e618bb01643ccb0bf031ea81519dfed3

SHA1
05909d5db24b18f007f8352b661ecc23ff2bd0da

SHA256
1a5ed5f6009f3718160b2ca5abd9badd9757f3e924fae32125427e17bce551ab

SHA512
176c9bd8171a137f2c0e6bba8bf1a095830cb85c5c23f62f43f52cfe592738ac16f095be136e7b08a2ddf30ded3161a29591c3f5a677dbfa3001f489120135f7

Download Submit
C:\Users\Admin\Desktop\UnprotectImport.3gpp.ORCA.899-710-994

Filesize
193KB

MD5
0d03082484f01d804fd98a0401354793

SHA1
a6c5c120e136415e5104a86f6208065427c5804f

SHA256
18961380b7e40fd00d86c93560468d64eb45c87cd07911ebc3cbffada2bc01c9

SHA512
41334c8acc68b73fc738fcffd8c3b528ee7869a8c57811e5925bdc0e2696d1ec56b6e28112c7189191dd904df2b6403e392bbfbe0ff73a43bcbabeebad0721d9

Download Submit
C:\Users\Admin\Desktop\UnregisterFormat.php.ORCA.899-710-994

Filesize
217KB

MD5
21e9e8b3139ab7919f24b4fab5f5b09d

SHA1
54d453a46a1e729ff1c45e6ee79517024d1cbde9

SHA256
f0c0b417f2433ac097c2818fccc455c7ec126b82104fc3e4dba0b0969daa76a1

SHA512
30aa75256d898d051d9f236a2e37801bede4c1591045855da40814c0f883076081c25cd00a166628565b5a9fe711419e337a9e3108ab85d2723609d173dd69b8

Download Submit
C:\Users\Admin\Desktop\WatchExpand.htm.ORCA.899-710-994

Filesize
162KB

MD5
ed098aac740a719e87232b085e72cda1

SHA1
44537a19cca406766740db769446f4ff8b461820

SHA256
4104b2689db133e9cb770db056f072d59fdd658615e9bbdff396f6e73675167e

SHA512
f17cc3fec4bd5f258a9a52f420475dd07aabbf908841ae1a678223f2e8868aa0a6b4b16ea55ea96aadcdd97c6c01790dfc676471769962fafd90c8c27f35b223

Download Submit
C:\Users\Admin\Desktop\WatchStart.jpeg.ORCA.899-710-994

Filesize
102KB

MD5
27d794418cc8e7c455cd3e9d08d20d03

SHA1
f2bf600151e3b075586f77c71e611d503112a897

SHA256
0719105d5c3c6f9c101add6ca99f9ba7560f8c4c3e771e9d59624a286e7e70f4

SHA512
62148a57b3652438f38f42311f911f083f4be7740b08f242bade13c51a5fe757b333ac22e6dc38abcf27a5976fdb28737c84c5839ddff53d17263f7cd01a50bf

Download Submit
C:\Users\Admin\Desktop\WriteClear.xltm.ORCA.899-710-994

Filesize
187KB

MD5
6f3981176e364fda7215ac5bb801fa2e

SHA1
5c9ad0681fa62e14bd7ab2ffed70cb5a7a9ee3a5

SHA256
84c67a8f3cddc23570ce304acbe44f27b3494b6548417fc3987c5a7714391319

SHA512
44be30fee33ddbabbc34e7ec36cfc88263c3e5bdff3bceef100d489b93b5e11cc8e982718a8e4882f98367aa82b2dc50ca998f3a903ee3f581da6e20df68bf57

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
20d420c15bb99d609c0c753e900ecfda

SHA1
183a573aa0ebb416edc0ddc4ebf751a1fba64980

SHA256
32f96341d0f5183d010c2e4ff58fc550e66638534a19b408c65daa1c5dd3c858

SHA512
5fb3aad4031242f2403f0919994d4273a7ce0cd76d0204197a0b4657528832f248cd7c4d7ad3c6e67b8e72f95ce6bf4fdb8221770815341e6bf7966890cfae23

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\.Zeppelin

Filesize
513B

MD5
5c28c47f3bfed42be4598353c37b09e7

SHA1
ba812147087474e80f619c52e5dc1270e0cdaff6

SHA256
d019029034c1e18a571b7847c7b937339adb4c6f6fe0524afb10ea98bfc525d5

SHA512
b71da960a550007f2ad7d664b093c186d1ee8e8c3bf0fa85f45c9e0ec051dc6e68f85bbc1d01f908616052e949f2e9e104b2b875bcddef9772c86ddd66fff3b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
218KB

MD5
2429157f5f912cf24d894658961686e8

SHA1
e2a06afcaaa6962166d829207d3bff3bfc699d05

SHA256
c367db84b024c1ca76cf66b046acad61c5a8d79398e8aba1a7f18af60eb38dc0

SHA512
6782ce79484bcea4c931df2bee0903c96cace844de5726e78823e60a42310901985a75cdec70c81aa3ca130429b09f5163289e2ee6abd16aea17423d8ecfbadd

Download Submit
memory/2144-20-0x0000000000AE0000-0x0000000000C22000-memory.dmp

Filesize
1.3MB

Download
memory/2184-23570-0x00000000002E0000-0x0000000000422000-memory.dmp

Filesize
1.3MB

Download
memory/2184-30566-0x00000000002E0000-0x0000000000422000-memory.dmp

Filesize
1.3MB

Download
memory/2184-12218-0x00000000002E0000-0x0000000000422000-memory.dmp

Filesize
1.3MB

Download
memory/2776-17-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2776-11-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2792-30606-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2948-18202-0x00000000002E0000-0x0000000000422000-memory.dmp

Filesize
1.3MB

Download
memory/2948-5961-0x00000000002E0000-0x0000000000422000-memory.dmp

Filesize
1.3MB

Download
memory/2948-30607-0x00000000002E0000-0x0000000000422000-memory.dmp

Filesize
1.3MB

Download
memory/3044-45-0x00000000002E0000-0x0000000000422000-memory.dmp

Filesize
1.3MB

Download