zeppelin | b8355b2216b7bb60a7d421a57de257fd251f0f7a20c861bf91693233117e5f2d

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-07-2023 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
Size

225KB
MD5

3882feced4dec87fbf8780c44d15ea5e
SHA1

b6b92728e0a0fb2d95bec468709c11c4c2faf9f4
SHA256

b8355b2216b7bb60a7d421a57de257fd251f0f7a20c861bf91693233117e5f2d
SHA512

9d0703bbe3aadc8bd88a4153c7b7f45dd5c599e45fa78b1c50576701497b86021bb87cb3a197883ca9e5973f08f3fa3ece75302d655eecb07355efee8b15f44d
SSDEEP

6144:YSK1AqRHi/EXtw+apQ3an64DQFu/U3buRKlemZ9DnGAeOhoHwN+c:YosHiGWRpQb4DQFu/U3buRKlemZ9DnGm

Score

10^/10

zeppelin evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Ransom Note

!!! YOUR FILES HAVE BEEN ENCRYPTED !!! All your files, including documents, databases, and other crucial data, have been encrypted. I've uploaded some databases and important files from your computers to the cloud. You have 48 hours to get in touch with us and reach an agreement. If you don't contact us by the end of this period, I'll release your data publicly on the dark web. This could damage your company and your partners. We're the only ones capable of restoring your files. To prove that we have a functional decryption tool, we're offering you the chance to decrypt one file for free. You can reach out to us through an anonymous chat. Just follow the provided instructions. 1. Visit https://tox.chat/download.html 2. Download and install qTox on your computer. 3. Open it, click "New Profile," and create a new profile. 4. Press the + "Add to friends" button and enter my TOX ID DBA5908245E3067FDA9B0C0D6FEEADC3D3C965A29AC340CA14D539924700DC53948D5F860D7D 5. Click "Send friend request." 6. Keep qTox open and wait. In a few hours, I'll accept your request, and we can begin communicating. Your personal ID: B82-CAE-6A6

URLs

https://tox.chat/download.html

Signatures

Detects Zeppelin payload 20 IoCs

resource	yara_rule
behavioral1/memory/2880-57-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2344-2069-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2212-3381-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2344-5745-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2212-6453-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2344-8437-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2212-9464-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2344-10602-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2212-10903-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2344-11988-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2212-12634-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2212-16451-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2212-19949-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2344-21788-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2212-22903-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2212-25858-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2212-29164-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2212-30425-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2344-30454-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin
behavioral1/memory/2344-30455-0x0000000000040000-0x0000000000183000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7443) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2720	notepad.exe

Enumerates connected drives 3 TTPs 32 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\G:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\O:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\H:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\X:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\T:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\K:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\Z:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\Y:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\V:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\U:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\J:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\Q:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\L:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\A:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\K:	sc.exe
File opened (read-only)	\??\W:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\S:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\M:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\I:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\E:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\P:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\N:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\B:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL.IDX_DLL	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ODBCR.SAM.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SpaceSelector.ico	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02252_.WMF	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44F.GIF.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00252_.WMF.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OMSINTL.DLL.IDX_DLL	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222019.WMF	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\New_Salem.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187849.WMF	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15020_.GIF	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guatemala.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESTL.ICO.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\RELAY.CER	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right.gif	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSRETRO.WMF	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3F.GIF.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Simferopol	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_OliveGreen.gif	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLADD.FAE	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.XML.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01434_.WMF	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\background.gif	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IE.XML.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.JS.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
952	sc.exe
2392	sc.exe
2524	sc.exe
2684	sc.exe
2900	sc.exe
1184	sc.exe
612	sc.exe
2516	sc.exe
2536	sc.exe
2628	sc.exe
2116	sc.exe
2636	sc.exe
1536	sc.exe
2324	sc.exe
2504	sc.exe
1640	sc.exe
2996	sc.exe
1904	sc.exe
1824	sc.exe
2720	sc.exe
2768	sc.exe
2744	sc.exe
320	sc.exe
688	sc.exe
1392	sc.exe
1216	sc.exe
1160	sc.exe
752	sc.exe
2696	sc.exe
2892	sc.exe
2300	sc.exe
2236	sc.exe
596	sc.exe
2256	sc.exe
1956	sc.exe
3068	sc.exe
1100	sc.exe
2044	sc.exe
2024	sc.exe
280	sc.exe
2644	sc.exe
2232	sc.exe
1920	sc.exe
1200	sc.exe
1100	sc.exe
2184	sc.exe
2324	sc.exe
2180	sc.exe
2696	sc.exe
2904	sc.exe
3020	sc.exe
2944	sc.exe
1692	sc.exe
2076	sc.exe
1488	sc.exe
1748	sc.exe
1624	sc.exe
3016	sc.exe
600	sc.exe
1000	sc.exe
876	sc.exe
860	sc.exe
2512	sc.exe
1012	sc.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery

T1057

pid	Process
2824	tasklist.exe
320	tasklist.exe
2208	tasklist.exe
2960	tasklist.exe
2500	tasklist.exe
2588	tasklist.exe

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3056	vssadmin.exe
2744	vssadmin.exe
2424	vssadmin.exe
2392	vssadmin.exe
2204	vssadmin.exe
2184	vssadmin.exe
2824	vssadmin.exe
2712	vssadmin.exe
2764	vssadmin.exe
2192	vssadmin.exe
612	vssadmin.exe
2096	vssadmin.exe

Kills process with taskkill 25 IoCs

evasion

pid	Process
2736	taskkill.exe
2888	taskkill.exe
3064	taskkill.exe
752	taskkill.exe
2316	taskkill.exe
2904	taskkill.exe
2372	taskkill.exe
2656	taskkill.exe
2256	taskkill.exe
784	taskkill.exe
1920	taskkill.exe
2340	taskkill.exe
2056	taskkill.exe
2112	taskkill.exe
2268	taskkill.exe
108	taskkill.exe
1572	taskkill.exe
2396	taskkill.exe
2456	taskkill.exe
1184	taskkill.exe
688	taskkill.exe
1788	taskkill.exe
2528	taskkill.exe
2116	taskkill.exe
2976	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2908	WMIC.exe
Token: SeSecurityPrivilege	2908	WMIC.exe
Token: SeTakeOwnershipPrivilege	2908	WMIC.exe
Token: SeLoadDriverPrivilege	2908	WMIC.exe
Token: SeSystemProfilePrivilege	2908	WMIC.exe
Token: SeSystemtimePrivilege	2908	WMIC.exe
Token: SeProfSingleProcessPrivilege	2908	WMIC.exe
Token: SeIncBasePriorityPrivilege	2908	WMIC.exe
Token: SeCreatePagefilePrivilege	2908	WMIC.exe
Token: SeBackupPrivilege	2908	WMIC.exe
Token: SeRestorePrivilege	2908	WMIC.exe
Token: SeShutdownPrivilege	2908	WMIC.exe
Token: SeDebugPrivilege	2908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2908	WMIC.exe
Token: SeRemoteShutdownPrivilege	2908	WMIC.exe
Token: SeUndockPrivilege	2908	WMIC.exe
Token: SeManageVolumePrivilege	2908	WMIC.exe
Token: 33	2908	WMIC.exe
Token: 34	2908	WMIC.exe
Token: 35	2908	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2760	WMIC.exe
Token: SeSecurityPrivilege	2760	WMIC.exe
Token: SeTakeOwnershipPrivilege	2760	WMIC.exe
Token: SeLoadDriverPrivilege	2760	WMIC.exe
Token: SeSystemProfilePrivilege	2760	WMIC.exe
Token: SeSystemtimePrivilege	2760	WMIC.exe
Token: SeProfSingleProcessPrivilege	2760	WMIC.exe
Token: SeIncBasePriorityPrivilege	2760	WMIC.exe
Token: SeCreatePagefilePrivilege	2760	WMIC.exe
Token: SeBackupPrivilege	2760	WMIC.exe
Token: SeRestorePrivilege	2760	WMIC.exe
Token: SeShutdownPrivilege	2760	WMIC.exe
Token: SeDebugPrivilege	2760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2760	WMIC.exe
Token: SeRemoteShutdownPrivilege	2760	WMIC.exe
Token: SeUndockPrivilege	2760	WMIC.exe
Token: SeManageVolumePrivilege	2760	WMIC.exe
Token: 33	2760	WMIC.exe
Token: 34	2760	WMIC.exe
Token: 35	2760	WMIC.exe
Token: SeBackupPrivilege	832	vssvc.exe
Token: SeRestorePrivilege	832	vssvc.exe
Token: SeAuditPrivilege	832	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2760	WMIC.exe
Token: SeSecurityPrivilege	2760	WMIC.exe
Token: SeTakeOwnershipPrivilege	2760	WMIC.exe
Token: SeLoadDriverPrivilege	2760	WMIC.exe
Token: SeSystemProfilePrivilege	2760	WMIC.exe
Token: SeSystemtimePrivilege	2760	WMIC.exe
Token: SeProfSingleProcessPrivilege	2760	WMIC.exe
Token: SeIncBasePriorityPrivilege	2760	WMIC.exe
Token: SeCreatePagefilePrivilege	2760	WMIC.exe
Token: SeBackupPrivilege	2760	WMIC.exe
Token: SeRestorePrivilege	2760	WMIC.exe
Token: SeShutdownPrivilege	2760	WMIC.exe
Token: SeDebugPrivilege	2760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2760	WMIC.exe
Token: SeRemoteShutdownPrivilege	2760	WMIC.exe
Token: SeUndockPrivilege	2760	WMIC.exe
Token: SeManageVolumePrivilege	2760	WMIC.exe
Token: 33	2760	WMIC.exe
Token: 34	2760	WMIC.exe
Token: 35	2760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2908	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1280	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	28
PID 2344 wrote to memory of 1280	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	28
PID 2344 wrote to memory of 1280	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	28
PID 2344 wrote to memory of 1280	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	28
PID 2344 wrote to memory of 1740	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	29
PID 2344 wrote to memory of 1740	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	29
PID 2344 wrote to memory of 1740	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	29
PID 2344 wrote to memory of 1740	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	29
PID 2344 wrote to memory of 756	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	31
PID 2344 wrote to memory of 756	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	31
PID 2344 wrote to memory of 756	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	31
PID 2344 wrote to memory of 756	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	31
PID 2344 wrote to memory of 3028	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	33
PID 2344 wrote to memory of 3028	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	33
PID 2344 wrote to memory of 3028	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	33
PID 2344 wrote to memory of 3028	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	33
PID 2344 wrote to memory of 1388	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	34
PID 2344 wrote to memory of 1388	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	34
PID 2344 wrote to memory of 1388	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	34
PID 2344 wrote to memory of 1388	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	34
PID 2344 wrote to memory of 2412	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	35
PID 2344 wrote to memory of 2412	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	35
PID 2344 wrote to memory of 2412	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	35
PID 2344 wrote to memory of 2412	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	35
PID 2344 wrote to memory of 2212	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	37
PID 2344 wrote to memory of 2212	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	37
PID 2344 wrote to memory of 2212	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	37
PID 2344 wrote to memory of 2212	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	37
PID 2344 wrote to memory of 2880	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	38
PID 2344 wrote to memory of 2880	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	38
PID 2344 wrote to memory of 2880	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	38
PID 2344 wrote to memory of 2880	2344	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	38
PID 1388 wrote to memory of 2764	1388	cmd.exe	44
PID 1388 wrote to memory of 2764	1388	cmd.exe	44
PID 1388 wrote to memory of 2764	1388	cmd.exe	44
PID 1388 wrote to memory of 2764	1388	cmd.exe	44
PID 2412 wrote to memory of 2908	2412	cmd.exe	43
PID 2412 wrote to memory of 2908	2412	cmd.exe	43
PID 2412 wrote to memory of 2908	2412	cmd.exe	43
PID 2412 wrote to memory of 2908	2412	cmd.exe	43
PID 1280 wrote to memory of 2760	1280	cmd.exe	42
PID 1280 wrote to memory of 2760	1280	cmd.exe	42
PID 1280 wrote to memory of 2760	1280	cmd.exe	42
PID 1280 wrote to memory of 2760	1280	cmd.exe	42
PID 2412 wrote to memory of 2424	2412	cmd.exe	47
PID 2412 wrote to memory of 2424	2412	cmd.exe	47
PID 2412 wrote to memory of 2424	2412	cmd.exe	47
PID 2412 wrote to memory of 2424	2412	cmd.exe	47
PID 2412 wrote to memory of 2392	2412	cmd.exe	48
PID 2412 wrote to memory of 2392	2412	cmd.exe	48
PID 2412 wrote to memory of 2392	2412	cmd.exe	48
PID 2412 wrote to memory of 2392	2412	cmd.exe	48
PID 2412 wrote to memory of 2204	2412	cmd.exe	49
PID 2412 wrote to memory of 2204	2412	cmd.exe	49
PID 2412 wrote to memory of 2204	2412	cmd.exe	49
PID 2412 wrote to memory of 2204	2412	cmd.exe	49
PID 2412 wrote to memory of 2184	2412	cmd.exe	50
PID 2412 wrote to memory of 2184	2412	cmd.exe	50
PID 2412 wrote to memory of 2184	2412	cmd.exe	50
PID 2412 wrote to memory of 2184	2412	cmd.exe	50
PID 2412 wrote to memory of 2824	2412	cmd.exe	51
PID 2412 wrote to memory of 2824	2412	cmd.exe	51
PID 2412 wrote to memory of 2824	2412	cmd.exe	51
PID 2412 wrote to memory of 2824	2412	cmd.exe	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:3028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2424
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2392
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2204
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2184
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=G: /on=G: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2824
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=H: /on=H: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2192
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=J: /on=J: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:612
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=K: /on=K: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2712
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=L: /on=L: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3056
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=M: /on=M: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2744
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=N: /on=N: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2096
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete /nointeractive
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher$CITRIX
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher$CITRIX start=disabled
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher start=disabled
    3⤵
    - Launches sc.exe
    PID:2696
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$CITRIX
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$CITRIX start=disabled
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    - Launches sc.exe
    PID:2076
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLSERVERAGENT
    3⤵
    - Launches sc.exe
    PID:1392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
      4⤵
      PID:1892
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLSERVERAGENT start=disabled
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSOLAP$CITRIX
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\sc.exe
    sc config MSOLAP$CITRIX start=disabled
    3⤵
    - Enumerates connected drives
    PID:2712
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLBrowser
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLBrowser start=disabled
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLWriter
    3⤵
    PID:596
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start=disabled
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$SQLEXPRESS
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS start=disabled
    3⤵
    - Launches sc.exe
    PID:2536
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:808
- - C:\Windows\SysWOW64\sc.exe
    sc stop postgresql-9.5
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\sc.exe
    sc config postgresql-9.5 start=disabled
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsdevcon
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\sc.exe
    sc config fsdevcon start=disabled
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\sc.exe
    sc stop fshoster
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\sc.exe
    sc config fshoster start=disabled
    3⤵
    - Launches sc.exe
    PID:2324
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsnethoster
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\sc.exe
    sc config fsnethoster start=disabled
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulhoster
    3⤵
    - Launches sc.exe
    PID:1216
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulhoster start=disabled
    3⤵
    PID:876
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulnethoster
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulnethoster start=disabled
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulorsp
    3⤵
    - Launches sc.exe
    PID:2768
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulorsp start=disabled
    3⤵
    - Launches sc.exe
    PID:2904
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulprothoster
    3⤵
    - Launches sc.exe
    PID:280
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulprothoster start=disabled
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\sc.exe
    sc stop FSAUS
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\sc.exe
    sc config FSAUS start=disabled
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsms
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\sc.exe
    sc config fsms start=disabled
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamAWSSvc
    3⤵
    - Launches sc.exe
    PID:2184
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamAWSSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1160
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamAzureSvc
    3⤵
    PID:108
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamAzureSvc start=disabled
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamEnterpriseManagerSvc
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamEnterpriseManagerSvc start=disabled
    3⤵
    PID:772
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupRESTSvc
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupRESTSvc start=disabled
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupSvc
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupSvc start=disabled
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamFilesysVssSvc
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamFilesysVssSvc start=disabled
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBrokerSvc
    3⤵
    - Launches sc.exe
    PID:2900
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBrokerSvc start=disabled
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupCdpSvc
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupCdpSvc start=disabled
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamCloudSvc
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamCloudSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:596
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamTransportSvc
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamTransportSvc start=disabled
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamDistributionSvc
    3⤵
    PID:524
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamDistributionSvc start=disabled
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamExplorersRecoverySvc
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamExplorersRecoverySvc start=disabled
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamGCPSvc
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamGCPSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:752
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamGuestHelper
    3⤵
    - Launches sc.exe
    PID:2644
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamGuestHelper start=disabled
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamCatalogSvc
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamCatalogSvc start=disabled
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamHvIntegrationSvc
    3⤵
    - Launches sc.exe
    PID:1624
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamHvIntegrationSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2744
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamDeploySvc
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamDeploySvc start=disabled
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamMountSvc
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamMountSvc start=disabled
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamRESTSvc
    3⤵
    - Launches sc.exe
    PID:1100
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamRESTSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2504
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamNFSSvc
    3⤵
    - Launches sc.exe
    PID:3020
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamNFSSvc start=disabled
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamVssProviderSvc
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamVssProviderSvc start=disabled
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher$CITRIX
    3⤵
    - Launches sc.exe
    PID:2256
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher$CITRIX start= disabled
    3⤵
    - Launches sc.exe
    PID:2628
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$VEEAMSQL2016
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$VEEAMSQL2016 start=disabled
    3⤵
    - Launches sc.exe
    PID:2116
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLBrowser
    3⤵
    - Launches sc.exe
    PID:1184
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLBrowser start=disabled
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$VEEAMSQL2016
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$VEEAMSQL2016 start=disabled
    3⤵
    - Launches sc.exe
    PID:2636
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLWriter
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start=disabled
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\sc.exe
    sc stop SageMySQL
    3⤵
    PID:640
- - C:\Windows\SysWOW64\sc.exe
    sc config SageMySQL start=disabled
    3⤵
    - Launches sc.exe
    PID:1488
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$VEEAMSQL2016
    3⤵
    - Launches sc.exe
    PID:3016
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$VEEAMSQL2016 start=disabled
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\sc.exe
    sc stop ReportServer$V4SQLEXPRESS
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\sc.exe
    sc config ReportServer$V4SQLEXPRESS start=disabled
    3⤵
    - Launches sc.exe
    PID:1536
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$SDPRO_V4_SQL
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$SDPRO_V4_SQL start=disabled
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$MICROSOFT##WID
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$MICROSOFT##WID start=disabled
    3⤵
    PID:952
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLServerOLAPService
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLServerOLAPService start=disabled
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher
    3⤵
    - Launches sc.exe
    PID:2944
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher start=disabled
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLSERVERAGENT
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLSERVERAGENT start=disabled
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    - Launches sc.exe
    PID:1956
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY start=disabled
    3⤵
    - Launches sc.exe
    PID:2696
- - C:\Windows\SysWOW64\sc.exe
    sc stop MsDtsServer130
    3⤵
    - Launches sc.exe
    PID:1824
- - C:\Windows\SysWOW64\sc.exe
    sc config MsDtsServer130 start=disabled
    3⤵
    - Launches sc.exe
    PID:320
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$BVMS
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$BVMS start=disabled
    3⤵
    - Launches sc.exe
    PID:952
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$SQLEXPRESS2014
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS2014 start=disabled
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmickvpexchange"
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicguestinterface"
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicshutdown"
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicheartbeat"
    3⤵
    - Launches sc.exe
    PID:2232
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicrdv"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\sc.exe
    sc delete "storflt"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmictimesync"
    3⤵
    - Launches sc.exe
    PID:2892
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicvss"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hvdsvc"
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\sc.exe
    sc delete "nvspwmi"
    3⤵
    - Launches sc.exe
    PID:3068
- - C:\Windows\SysWOW64\sc.exe
    sc delete "wmms"
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AvgAdminServer"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVG Antivirus"
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\sc.exe
    sc delete "avgAdminClient"
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVService"
    3⤵
    - Launches sc.exe
    PID:860
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVAdminService"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos AutoUpdate Service"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Clean Service"
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
      4⤵
      PID:1244
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Device Control Service"
    3⤵
    - Launches sc.exe
    PID:1640
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos File Scanner Service"
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Health Service"
    3⤵
    - Launches sc.exe
    PID:2996
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Agent"
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Client"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SntpService"
    3⤵
    PID:548
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swc_service"
    3⤵
    - Launches sc.exe
    PID:612
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_service"
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos UI"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_update"
    3⤵
    PID:640
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Web Control Service"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos System Protection Service"
    3⤵
    PID:564
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Safestore Service"
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hmpalertsvc"
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RpcEptMapper"
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    - Launches sc.exe
    PID:1692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$MSFW
      4⤵
      PID:884
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SophosFIM"
    3⤵
    - Launches sc.exe
    PID:1100
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_filter"
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdGuardianDefaultInstance"
    3⤵
    PID:860
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdServerDefaultInstance"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLSERVER"
    3⤵
    - Launches sc.exe
    PID:1748
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLSERVERAGENT"
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLBrowser"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY"
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer130"
    3⤵
    - Launches sc.exe
    PID:1920
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SSISTELEMETRY130"
    3⤵
    - Launches sc.exe
    PID:2512
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLWriter"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$VEEAMSQL2012"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL"
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent"
    3⤵
    - Launches sc.exe
    PID:1012
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerADHelper100"
    3⤵
    - Launches sc.exe
    PID:2516
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerOLAPService"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer100"
    3⤵
    - Launches sc.exe
    PID:688
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer"
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY$HL"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMBMServer"
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$PROGID"
    3⤵
    - Launches sc.exe
    PID:1200
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$WOLTERSKLUWER"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$PROGID"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$WOLTERSKLUWER"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher$OPTIMA"
    3⤵
    - Launches sc.exe
    PID:2392
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$OPTIMA"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$OPTIMA"
    3⤵
    PID:580
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer$OPTIMA"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\sc.exe
    sc delete "msftesql$SQLEXPRESS"
    3⤵
    - Launches sc.exe
    PID:2300
- - C:\Windows\SysWOW64\sc.exe
    sc delete "postgresql-x64-9.4"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\sc.exe
    sc delete "WRSVC"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrn"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrnEpsw"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klim6"
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVP18.0.0"
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KLIF"
    3⤵
    - Launches sc.exe
    PID:2236
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klpd"
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klflt"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupdisk"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupflt"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klkbdflt"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klmouflt"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klhk"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KSDE1.0.0"
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\sc.exe
    sc delete "kltap"
    3⤵
    - Launches sc.exe
    PID:1000
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ScSecSvc"
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Mail Protection"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning Server"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning ServerEx"
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Online Protection System"
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RepairService"
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Browsing Protection"
    3⤵
    - Launches sc.exe
    PID:2324
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Quick Update Service"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\sc.exe
    sc delete "McAfeeFramework"
    3⤵
    - Launches sc.exe
    PID:2044
- - C:\Windows\SysWOW64\sc.exe
    sc delete "macmnsvc"
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\sc.exe
    sc delete "masvc"
    3⤵
    PID:908
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfemms"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfevtp"
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmFilter"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMLWCSService"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmusa"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPreFilter"
    3⤵
    - Launches sc.exe
    PID:2524
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMSmartRelayService"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMiCRCScanService"
    3⤵
    - Launches sc.exe
    PID:600
- - C:\Windows\SysWOW64\sc.exe
    sc delete "VSApiNt"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmCCSF"
    3⤵
    - Launches sc.exe
    PID:2720
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmlisten"
    3⤵
    - Launches sc.exe
    PID:2180
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmProxy"
    3⤵
    - Launches sc.exe
    PID:2024
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ntrtscan"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ofcservice"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPfw"
    3⤵
    - Launches sc.exe
    PID:2684
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PccNTUpd"
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PandaAetherAgent"
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PSUAService"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\sc.exe
    sc delete "NanoServiceMain"
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPIntegrationService"
    3⤵
    - Launches sc.exe
    PID:1904
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPProtectedService"
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPRedline"
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPSecurityService"
    3⤵
    - Launches sc.exe
    PID:876
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPUpdateService"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\sc.exe
    sc delete "UniFi"
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im PccNTMon.exe
    3⤵
    - Kills process with taskkill
    PID:2396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im NTRtScan.exe
    3⤵
    - Kills process with taskkill
    PID:2528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmListen.exe
    3⤵
    - Kills process with taskkill
    PID:752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmCCSF.exe
    3⤵
    - Kills process with taskkill
    PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmProxy.exe
    3⤵
    - Kills process with taskkill
    PID:2116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Kills process with taskkill
    PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Kills process with taskkill
    PID:2056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmPfw.exe
    3⤵
    - Kills process with taskkill
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im CNTAoSMgr.exe
    3⤵
    - Kills process with taskkill
    PID:2456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:2332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlbrowser.exe
    3⤵
    - Kills process with taskkill
    PID:1184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msmdsrv.exe
    3⤵
    - Kills process with taskkill
    PID:2904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Kills process with taskkill
    PID:2268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlceip.exe
    3⤵
    - Kills process with taskkill
    PID:2656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBPOSDBServiceV12
      4⤵
      PID:556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Kills process with taskkill
    PID:2256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im Ssms.exe
    3⤵
    - Kills process with taskkill
    PID:688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im SQLAGENT.EXE
    3⤵
    - Kills process with taskkill
    PID:2736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdhost.exe
    3⤵
    - Kills process with taskkill
    PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Kills process with taskkill
    PID:1788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    PID:108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im ReportingServicesService.exe
    3⤵
    - Kills process with taskkill
    PID:784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msftesql.exe
    3⤵
    - Kills process with taskkill
    PID:3064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im pg_ctl.exe
    3⤵
    - Kills process with taskkill
    PID:1920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im postgres.exe
    3⤵
    - Kills process with taskkill
    PID:1572
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:1632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:548
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$ISARS
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ISARS
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$MSFW
    3⤵
    PID:3068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$MSFW
      4⤵
      PID:2032
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$ISARS
    3⤵
    PID:676
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$MSFW
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$ISARS
    3⤵
    PID:2120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$ISARS
      4⤵
      PID:1144
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2084
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:2932
- - C:\Windows\SysWOW64\net.exe
    net stop mr2kserv
    3⤵
    PID:2940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mr2kserv
      4⤵
      PID:3004
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeADTopology
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeADTopology
      4⤵
      PID:2300
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeFBA
    3⤵
    PID:2788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeFBA
      4⤵
      PID:2020
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeIS
    3⤵
    PID:896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS
      4⤵
      PID:1072
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop QuickBooksDB3
        5⤵
        
        PID:2848
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSA
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA
      4⤵
      PID:524
- - C:\Windows\SysWOW64\net.exe
    net stop ShadowProtectSvc
    3⤵
    PID:2964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ShadowProtectSvc
      4⤵
      PID:564
- - C:\Windows\SysWOW64\net.exe
    net stop SPAdminV4
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPAdminV4
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\net.exe
    net stop SPTimerV4
    3⤵
    PID:572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTimerV4
      4⤵
      PID:612
- - C:\Windows\SysWOW64\net.exe
    net stop SPTraceV4
    3⤵
    PID:2472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTraceV4
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\net.exe
    net stop SPUserCodeV4
    3⤵
    PID:2316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPUserCodeV4
      4⤵
      PID:1172
- - C:\Windows\SysWOW64\net.exe
    net stop SPWriterV4
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPWriterV4
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\net.exe
    net stop SPSearch4
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPSearch4
      4⤵
      PID:2040
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:1112
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:2500
- - C:\Windows\SysWOW64\net.exe
    net stop firebirdguardiandefaultinstance
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
      4⤵
      PID:3016
- - C:\Windows\SysWOW64\net.exe
    net stop ibmiasrw
    3⤵
    PID:2772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ibmiasrw
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\net.exe
    net stop QBCFMonitorService
    3⤵
    PID:676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\net.exe
    net stop QBVSS
    3⤵
    PID:2228
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBVSS
      4⤵
      PID:2988
- - C:\Windows\SysWOW64\net.exe
    net stop QBPOSDBServiceV12
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\net.exe
    net stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:2092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
      4⤵
      PID:472
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB1
    3⤵
    PID:2548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB1
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB2
    3⤵
    PID:304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB2
      4⤵
      PID:692
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB3
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB4
    3⤵
    PID:760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB4
      4⤵
      PID:2420
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB5
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB5
      4⤵
      PID:3012
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq MsMpEng.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2208
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq ntrtscan.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2960
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq avp.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2500
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:484
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq WRSA.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2588
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq egui.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2824
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq AvastUI.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:320
- C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
  "C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe" -agent 0
  2⤵
  - Drops file in Program Files directory
  PID:2212
- C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
  "C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe" -agent 1
  2⤵
  PID:2880
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:2720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
fb237f03e4e08f21c1135ed73cd0d636

SHA1
890749908950c23b32aff4521ff5b50890c0aeb8

SHA256
72f2aada72b23c652682aafb95522744112ac8d7c27d13b4b2d0f07a9c980fa0

SHA512
0dccaf3fffca05df1a1b3bd8dc7d1faca41513b1983674008fc8001313ec16172c1360f0b9c2c4a4452741e1039b19c5f311f0498626e5e2b2cec33cace1c896

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
dedea7893065b72257fcd7b8a82aa582

SHA1
dafcdafe6922347ef01ec67ba7a5ce9114547fc1

SHA256
0779bca44ba8bd14c89a455e87552f96ecf6c0fabc5ebf953ff92d9c419fe4a7

SHA512
52ce20ff0687692a5ea5b85b6f315b0b3fc15ce7ad4164d3da783aa26f82d3f1b4fd361aacefce33b131d8c39b370c89878d590ab0a336052ca3dbbed3ca854b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
c87434a5bf4c32bbe5631ba699124552

SHA1
884b8419d2cc2f08db182f4f724f915ebf4acc51

SHA256
87f2c4a4ecef0bf7527cd12505cf8636bd6fc37b97dd5c6283917c5a91d15754

SHA512
0ba5420e2260391d252a41851468eb7caa2e9d61bcd69dcda15f229f16ec3540e9eb95b743ae4ee1af65a2b0680c00e4855fecc223c6719473000d0bb81d1307

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
125KB

MD5
e1b33259b6807563767f47565d176764

SHA1
78a8e2e649c4ed6f8d36a595668d3c005e18cd46

SHA256
953773fdac2da08ac329c571912b3bfe0988d39c6a508af745d8c46d6d04347c

SHA512
657479a44e61a0ab05ad79acc457148efaf9e3980c78bf52ab414cf79d9a542c0494c9e271726eb0170b3fb7476a88ff2d362d97de6aca009fdbab03ac4c606d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
266b0a08e763ad1f381b9beb2f4e3061

SHA1
a4705ba62b09b8befeb5a39c3bf4323f4ba16163

SHA256
9c9d2c6638b7cbd131d91773734c367793b8c63232597b8b9abfe55e6773f203

SHA512
460cf8fea409d6e194af61217c6b290e3d071c409be2ae7a09af5d4174c51e55cc88ddcf2d4200c970fabaff032f451e42feaa2549ca0a7a179e87a70b30539f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
04f14b26ac8489f36e79b02885875eba

SHA1
5f0e50b658030b54706bc5063165fe1cc020f258

SHA256
aadb98d79f5784f62776ff047ba94d6b3bc827e9519f37fcddad200a0540a1b7

SHA512
956f5730946630989d8e0b48f0b6f389199f7c3f0c1cd2a4bff94dcb10b9b11ba72dbf5051daa4561b8baad2a852fcda01cfafbbd0c0c052dbcb7220c9f395d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp

Filesize
8KB

MD5
a99e5333b11673200eec0a4bcd5400e3

SHA1
259f99b6ea25c8589a8b3187554f11df9a01d7cb

SHA256
cfb3e414197a0330c9d4ac4f10adfd25566066c914b88d86843823d78dfad906

SHA512
9d2788812fcc91031e89d21da6c6aab2b508d97d087b250183ddeac9963e5f7a09cebe75db73b2a9af1bda1d41565fc4f278d2d760c964d782bed9619fc5631a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
dfad81c5e46aa5f5c3c73340dd9f7369

SHA1
e9cd1b3cefddbe4a4ff78912abd0cc48b56fc04b

SHA256
7b0d1e9c8800fb92a5cd242676156b28a4ef1c4b37e72e5476d193ab02cc6949

SHA512
9aa0427ee4fd633e3d319692f9d8bf5a298fa2c7b383615d36267599760439b0fe8d5d963c3a82af12609c0b5cc6da18593a515418cb33c31c7d88bfbc6041e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
be1e35a50e81cce95838b20509ac7936

SHA1
2502bcf2d1ff7310ecff60ae7df057a20b28ff82

SHA256
cc3152365f0f3aea5970389de0df9876a47b443dc8f1b1f32c80af6122983323

SHA512
38f664f8bcfccb395d4db7b3f3e925fe069122a9840c3fe09eb1cb2d13f39518a7ede790adc36cf4c95dfd11297f12af37ac981892bbf1185e35aaaf867dde7a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
9cc9b146eaf665d689bd505c4df39794

SHA1
578241db99e548259442c7f55f7bee47e42b939f

SHA256
cef34f23e34a4051755b2d7d0c4511643899752d310e452104345a2751461546

SHA512
5ae16b1ea9036a9fad07d210f12796ccbf8d75ba723d50af0446bfd1b6b7ddd1e92675fa2587ca56a36ffdc85ba8869f9cb6f1b143d45321ea2cc953b93c8a28

Download Submit
C:\Program Files\Java\jdk1.7.0_80\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Filesize
1KB

MD5
142407824c2119f5817265b00e17d3d2

SHA1
752f18a36a46c93b93ef32b8027122882d4b33b4

SHA256
3ef2a6239d21146ab55ec92b928375935f7516875bb1c5093afc97f5408a0942

SHA512
59b578bdb9ec957eb1bbe595d1010b89b4895c1f8cc25582c0966ed3a89f24d31ededa36dbe09feaba0fd50fa723f08bb8f2d78ede73bd7f56c2e1d70ca7d972

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg

Filesize
22KB

MD5
29439b5817af6b8c6dbb257cbd9cc47d

SHA1
c5cb4bab216dad1e8cc2685c2881ae3ade94ff87

SHA256
670e5c7e8587ca53e7ff9a9a5458fc24ea0467f20feffad2f7734e0f7bc4cbf5

SHA512
3a05bea8249474dee188f55204c7d2434c10ac4185ef395e24c26ceb59cc6bb6f8ce71243b89cfd4f828fc0b474cd54a44e0c5af0fa98c9a184155ff5456b882

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html

Filesize
17KB

MD5
c3a7137a10fda1d7c38f06e1cb6d8d19

SHA1
325ba74599fce233e048d8acd0c3562ad84a320c

SHA256
8d672c9b7da2573e53967e38c1b6cdb7264edf9e6041d7211540ddecc609d040

SHA512
2a4cd08ab88abc5c1874d8178ba58e05cbfb77fd03e114e8e0c6a8fb01b6510410fa4dcb40f91380654e133f0d4fcafbc6600e9bc4ad99f7cfb249fc2314d023

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
5e1c8b0b22d309b779d8543923cff119

SHA1
0ce536226c03f75dd800d1d3a9c485af2661f29f

SHA256
fd1833ecdd2d900bc7567045b2f300680d62fbc42fed27aa618edcab31f538bc

SHA512
8db046cf8e302123c7e75028ed9d4e09b8221646b34dbac2527782a7844b97a948c26f4ddc58c64282e0efc02c32684df957424ddb5db0d1caa89c9623fb83ec

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
afb776b7ed9c375e1824f68abafe7ed6

SHA1
a73ce7f5df71799341326af85ec65ee2abc64b8d

SHA256
192b8308f42783efbe122a4328eab2e4cd8f164a7fcd36679c6b34ad96a8deea

SHA512
1527c6e816ebf60a598b0fc366ec22d3df3a9a3669fee7fcbc98184f1ef4e6f40881225d1f359e87cb00d0cb3c00e7247f0326680e1b829faeb0ca3b5f4476ea

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
8750e3c671916ffcd1ddf03496a687fd

SHA1
ec9cad54fdd1c1bea5b47cba5f4059370bc4d72d

SHA256
1b6f9d1012ff9c5b10887762684dd0d04efe6e42f2f51fbc77006d568ddabcbd

SHA512
d95d31fff474b0795d275146cf6b05c8718fc3a0fb0676a459850bbce9fb361f59145ef813ef3ab49f888213eaee3261a2f114fe8c4b80fb2ab144ca0e4ea25b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html

Filesize
10KB

MD5
0995d743de0801e94653163648b2b825

SHA1
a8b86d7041fcd3043fbf5bbd3545c521dfed763f

SHA256
03a3483f0c882a3fe155b812c645cbef85cb6e48455fbc9af3b5ee7a6988d457

SHA512
54b21934b4117d6a1b4da5fb716feead669dab8255c7a4b96bee47fef422a26cc01381efbaeba172bc2d6e5c0319090448cc0630c999f3fba2040db56844c166

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
8a30eab6cbedbe89f77c64c956e93bb1

SHA1
b5c2b273fbd8a5f7ee3eaf32de0364ad8d45c6f3

SHA256
4c965dd154d2f7801bf21b2f0171a78342617407892db44648ad820265c5aed1

SHA512
ca0e98a84539e0fb480e1521c97220e25c663da3ef3391fd622ea05680c5e0766723708418dae930d96fa6202a9b59898a3b98996db2407cf86a816d5ef8e56c

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
ed4c4cc3927cc16c68fc8c17571ad72f

SHA1
8b101bafbd8e8322c72a5aa3f84dbb8f95e7f28b

SHA256
954630be5e47fa4eff2acfc5630b00d9d186a70428c81cd206368f8b6c165a24

SHA512
e99f7099163fcafceab88a863a3785e2039d1c91bd05739671a4e9ef97eee46a1196009b16ff9d2640d405898de50cb5bef09f6c1fb1c3bcd27741827799aa1e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo

Filesize
571KB

MD5
8a5fdb6abace0995693351f8634ab74c

SHA1
cfed219ea7f2c0af4dee18e08ab6fcd15a7c48a7

SHA256
15554a331dcfd2ae3639877028085855b73767afb5852ff01b78a0df67fd4d27

SHA512
42a824659e3c7e9833ade71b54724b3d5c058226f0d66ccd68d9e116a901d528663e6c0893282143935e93cc93ba821f66d5010117cf6e36f1250f14353d0c74

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
764KB

MD5
7f35859070b1fcae9dbe80b8aae962cf

SHA1
ff303e690a1cb64a90d78b38d9ab10365ef15821

SHA256
5c29b26e92ba08d26e4023966ad3bee0562262c5ca196b6f5ca5106f2bd421ff

SHA512
b20d25437c7598924e6302dc751abdfa2611f4c34e8dce246f33cddc0ac4686ad13a7849a55183e6e929baca8d6116b51294d2cf15e2f7a7d6acab81e00e23fb

Download Submit
C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo

Filesize
545KB

MD5
a150473baccae2c51a6a1fbc798df771

SHA1
a87810e3e34b7dbf3f2e089a20b9c3a9e6b531bf

SHA256
570b4b19d6a6c8ade21d05d111a3fe474685b9b35ba72b4fb0016b01159b9ca4

SHA512
fa049b3d2221d7a8284166586b95875773f74371a1993826601340f4005fedc8595771b12dadc42e0963530a11f26697e4abeef85aef8f66a45f1029abc93ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
10KB

MD5
0d0bd9b3d068d303baace9d289906182

SHA1
15e9b273494cd57a8e5b12b8f821019a49bcf983

SHA256
779735a7b4cab272dde5f971d743d7ac9c6925b437dba5f6478757f696958d1e

SHA512
76d96eb2aec728acb8f401532964346f82c4e0cf250dbac25485839e75fdab790be877fdf2f734c3acff8aa4e830efb4960cddf7490e75749ee09afeaa629325

Download Submit
C:\Users\Admin\Desktop\AssertResume.pptm.B82-CAE-6A6

Filesize
597KB

MD5
6bef0e221004d3c595bdbae0a8a167dd

SHA1
8b5e88b384bbe2aea7938ddb73696531a0ba12ed

SHA256
c318e876378c1391ab0e3af4221040c568226482291c6f804436a3bc16a8a545

SHA512
b7b7a6d792d4359c9d0439a36fb5de2a33112a7250bc9de8f8652bffcb102e1f52a1d1bfe2e39d16e0ec2b9baa6e7864112b31c117b68dd1dbe684ef3f44300d

Download Submit
C:\Users\Admin\Desktop\ClosePublish.js.B82-CAE-6A6

Filesize
618KB

MD5
c4a461564842e0abf9fc63e4e7ac851b

SHA1
d60565f4a9aafb912469f74ed57a8504b33c5805

SHA256
421629bf5cead09c07085272a05d8de589e919807ec93b45eab91c154776059c

SHA512
394461694c791b428824eee8229ca7423e35092a8e5d78b2de5e3db63c0c6c8f4f8bcae6b966ab294a89a9ef49172893262a90ec2e52f4618455564a22285991

Download Submit
C:\Users\Admin\Desktop\CompareComplete.jpe.B82-CAE-6A6

Filesize
555KB

MD5
079acc8c2faa4f14f726ac80f7e4e763

SHA1
6057270acebc569297143fb962d334e5bfdf6378

SHA256
dbc30ca105f35e48827c3a28dc0ddf2efdaab4de2d2fcdd451e3e3ed88e17ff8

SHA512
0e17407b666899caf56a49816e89c993f0cc5a9e5e5a6017b90de5570976ab1cd5b9f45a194f0154d2b5b446a72675b3a913edd3abe2bc0389f1b1c20b7f57c8

Download Submit
C:\Users\Admin\Desktop\CopyStart.css.B82-CAE-6A6

Filesize
283KB

MD5
c474cb5592e41d1d4d61ef40fbce5695

SHA1
9259e356081cb2a2d8879e65dfa0f15998b9e795

SHA256
aa633b97999028d8be9c6b9614e90b355be44ac1f338b84d8dfdb381ce1638fe

SHA512
075913aecda8e6251708eb497b7a9bd7158d3443a7b35fd73caf7c392a05b4a636206879ea3b4722fdcd97695c038fdd768f32ef0aaacb0a137eb42e34508227

Download Submit
C:\Users\Admin\Desktop\DebugApprove.avi.B82-CAE-6A6

Filesize
367KB

MD5
d41db3700ecf8b4f5b646eb6b30ff0ff

SHA1
817bdf2ea91044ac86c66a04f21eb19bfdcd3b1b

SHA256
a616a8688b454c526fd8574b827fad03192c2a6d68db69ef1d26b40483917aca

SHA512
7a631bfe705588a9c02f8bd7dbab88fbf0d939eb21cc108a4582bc3c0accfcb8696e28e7e84bfba8d3ccbdadd4cc3e4b075c10ddadf879c2b7556fdea9355757

Download Submit
C:\Users\Admin\Desktop\EnableTrace.htm.B82-CAE-6A6

Filesize
388KB

MD5
3e9f7e4fe27f0305022331595861cb53

SHA1
083cd5478057277a089e621aa27db029e3ef1abb

SHA256
25d50d7de2096975ad44d59357268bff3bea739ec10d499a9e79255848608f83

SHA512
9ed85a16c1708872e4ddff43eb9e1458a4d36cbfd0664199bae7ccfa50199550523a08c85cfb418c59cfa2585ec49cb2c57a8660a7b555537012086fbcf0fee0

Download Submit
C:\Users\Admin\Desktop\ExpandWait.php.B82-CAE-6A6

Filesize
492KB

MD5
3dc7022927b6a983ca0513c6c3a06dd8

SHA1
4516ccaabeb813442a810998215ed967ceb84937

SHA256
6cf2aa4993598f88d8d3f125df92773f8f80ce8fcb8232eaac201045147a4de1

SHA512
17be53794984a2e5f45675f2b71648753a8ca6434f53784138d3141160612869d92162a0eb7476d7e1ade6c24964c6081a760b7f80f0237c1a50bffb480aae42

Download Submit
C:\Users\Admin\Desktop\GetExpand.xps.B82-CAE-6A6

Filesize
325KB

MD5
6590de0ca7c53f6d6d16222422954bff

SHA1
51d781734270ab493b1077ce5ac6739359378f4a

SHA256
06222373780bb8257d70be09b0311a7df0baed8192946527d2b89f4ed3dbd45b

SHA512
cea6ebb1f53fa0b325ba0b7c8dbf741d82c3c031ffc44514cecf8dd3dc2893202a3322d229c35cbd5e929d1bdb88280d7947d74cf6661896e346afae6054098c

Download Submit
C:\Users\Admin\Desktop\GrantShow.3gpp.B82-CAE-6A6

Filesize
346KB

MD5
d68f8c2839058b7bbb54ccf43144e53c

SHA1
c7afbd8da2b35f50c6ddbd9a7e1f2b52a101e145

SHA256
5e7ca3aeb93aa952b7a3e8643dff9ef8b1466d65ff582a4d712edead0456021c

SHA512
205c6ad955c620d99b464e54b151239c828733de544996b896efa52526f255db1413cbb41595f889cbfaced49a972db0f6add083e7f9de9f3b37171f183531f5

Download Submit
C:\Users\Admin\Desktop\HideConvertFrom.kix.B82-CAE-6A6

Filesize
241KB

MD5
571abfb0c6a0f3033c10354141e71e82

SHA1
e53226fe808af9a7b27a6adb5bfa354186c25775

SHA256
dee35ad038c4cbac98e310ebda173b4de57661277eba79a6f4f1d47aa5abf6f3

SHA512
3712eab5f71587d4068a98981b20799a89fc94ff1bebfe80b57d64002af8d797f33add37ffd8f1dbd86ec01c8a890f8e28b536465253a13637f022ebbe49c4fd

Download Submit
C:\Users\Admin\Desktop\HideRequest.tmp.B82-CAE-6A6

Filesize
534KB

MD5
da346914f0568c87f8ba59d38fffdafa

SHA1
7a0cc839e996c1b575f13fde2cd5e25f9e58caea

SHA256
cfcfe88f61cca167cae8d37502ee2284cf19a21c8f338f5d1b89c71b3f3759a0

SHA512
770383e8203f54c55ef54ce1de917f972a2204d73f21b54acb0acde5ab24e30d89129831a32140bb9da43811b438cdd9984ccc57b187778c664596702791e9dc

Download Submit
C:\Users\Admin\Desktop\InvokeComplete.mpe.B82-CAE-6A6

Filesize
430KB

MD5
535aa34a189bc58a55d4591baa9ba84b

SHA1
fdf003f0029bc5f024e10831eda01bc41809bb0b

SHA256
0e9ca1db828fe8e619d35767dfbd4c6c49fb5f4198732bb503e23710106be475

SHA512
590521fceb876ef63ac195fda140ac4c93ef25db150e90c06c1191ca9bf130e611cab2c3b5d603dc6b0eca48442ff4a31419443f52d7d2ddda7ef6b1b94ad9c5

Download Submit
C:\Users\Admin\Desktop\InvokeRemove.xla.B82-CAE-6A6

Filesize
450KB

MD5
59c445cec2468191bb4eb2e60e8fcc44

SHA1
60d87945ee33530d672d62f51241605f83d2da60

SHA256
94ffdfdc4c04bb55a87358d923382b127f0d13e20bc08167a08cfa6f242af5c0

SHA512
fd3a92072589cf382dee56966f6d29442eca11aa08f1a4c4e8c57a50cb959ee6ed4c5168847980fcca150399f4c4452d29c8e4b5d29f656f0a0ebf638e42fb6f

Download Submit
C:\Users\Admin\Desktop\PopRemove.au.B82-CAE-6A6

Filesize
858KB

MD5
2bd20d7e283e96b986f96eadf155b7f5

SHA1
5cdb7f81d727fddee6380c6d1cd467ceedbc1c20

SHA256
4be37f0bb926360fc09d44f17fd96a71bb1a46d4d07767e737df77aa97a21a5e

SHA512
aad6aa79858ff0f4e13c06a7bfa009d5eb71711304d733976de87e1d918d423e35a2c772c422e7a57e11b81dc1b45c1adfd3915342f05cb02bd93e11f591fe26

Download Submit
C:\Users\Admin\Desktop\RemoveAssert.xlsx.B82-CAE-6A6

Filesize
576KB

MD5
038e73e9d7fb1b5a1443bfdaaa103d57

SHA1
8b96b1c249b4151d83d5c97a7745b07f1cb7dc74

SHA256
4f48b0b7eb789af0d49e23520b287b73d2ec2671ef92bae59dbe0945fabfbd47

SHA512
cf9fcd161e5baf1a0b6355524c438749c512cab381ddc2fd757aa3d8142dfa07cc14282312bb45c8501ccb19c5f2bc632831f8cced178c6479864a87a2d32918

Download Submit
C:\Users\Admin\Desktop\RemoveLimit.dot.B82-CAE-6A6

Filesize
304KB

MD5
b589eaf81394114b16b078621b058105

SHA1
b6dd8308f9475c92011763d095184dc899943151

SHA256
5d7900efd0142222aa8bb3da3036d29de4ae1498fd043619d8ff2f8b0aecc002

SHA512
624a64645e6f818a9343fdf12f2befb569f69e8402ec65341c4959b6ad6c9b8219e1b7fb3048c7e8d7237a0c0a48e75997e30b55323e9717e2fd5082d95c0e0d

Download Submit
C:\Users\Admin\Desktop\ResumeApprove.emz.B82-CAE-6A6

Filesize
471KB

MD5
9788546c2b07eb66fda8626ed825b665

SHA1
827beec43c442b7e33302b44ab16991430fc1aad

SHA256
3bf0cd641ca0fd3ecf0df124eb53800d8454135d04cc5623e3cb512c34237ff8

SHA512
f24b0a411b1699b49938cefac7f71eb0bbc1d9bcc953efffe2765bacd95576e4c81c8f4c81834d808e757401b823f95b02c1d2802b827444f870df6a8f1db65a

Download Submit
C:\Users\Admin\Desktop\ShowPublish.wax.B82-CAE-6A6

Filesize
221KB

MD5
a59268daa58ae170fe75e47d86a52a32

SHA1
7d487a025cb3bc9cd6ee990855822be316340181

SHA256
dfa536bd5eb7f52413507eed99599c1e20356f8df755dec2504d2daf211f3bd0

SHA512
b3d57e375c7f08beaa89a72772e2b0ec9b444276c038230cdce3bd30733f5d5bfcc6ac0756af0fb23371302f8b172786a0165564507282f2869c9f975d085dfe

Download Submit
C:\Users\Admin\Desktop\StartShow.m1v.B82-CAE-6A6

Filesize
513KB

MD5
e0f7f9bd078453c8bcd1dc02d1610f63

SHA1
0bfe0ec9fdcd713a4d2146363644f668ba50f6fd

SHA256
026cfb67d09d20894bb62e61389d7f010b39edaff0302bd5e385103b4f677af6

SHA512
acd45cddbf7e7831aff2ad5509a1d3c345ace66756dbe70843f5f616715d18bc9714b9ed78c6dad4eb44a9904882f4c5d9ed173c4f86e6c47af19575d2756458

Download Submit
C:\Users\Admin\Desktop\UnblockSelect.exe.B82-CAE-6A6

Filesize
409KB

MD5
e7da64619b9535e88704cf6bd366ed62

SHA1
722602eab0256cbe5b16e315b360c82400887998

SHA256
996ecf447e627995fe25609d32c0f964f0a57c8e38391b5227c63bab25a30d71

SHA512
5f3f8478ddd1afaad753dfb6cb35ce6c058b59c80303a1f2a003ba13fc1116561d307c3c72cf5a33697fb137369d9d8866b0ac411869b5d6f2985b724bf65350

Download Submit
C:\Users\Admin\Desktop\WatchConnect.aiff.B82-CAE-6A6

Filesize
262KB

MD5
d70261c875abfdd49f05bec67ccd7f06

SHA1
1054c537206d35bbdee87bdec917fb98c26d3157

SHA256
62b5941ed0ec720302c8fc470bd6c0e54384ce5cbd623d116435c34c5e12f59d

SHA512
684fd093cefaa7146c536f70f4151ef27a9848eab4b4e4aec5b175334977fd8733a07a641830cc98c9b7678a4d417ef21dfa35bec06fc00e0eb494a9d165f113

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
33de973c24002caacc714cd40de844d7

SHA1
1f96c4584eff6f9fa407a1776ea16f74994f3879

SHA256
afbc7292fc4ce491918f557b9264696afd67f5812f4405ce7038a3806020adff

SHA512
ba4c2739b858bf6577e7c195ce1d248d093420140170ea0cda446af151bbf1c3375ca7f4ae5be1b624ed18de4ff92ef0b632da2d671f9fde742a133f50bf0279

Download Submit
memory/2212-6453-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2212-30425-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2212-29164-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2212-22903-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2212-19949-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2212-16451-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2212-12634-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2212-25858-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2212-10903-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2212-3381-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2212-9464-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2344-11988-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2344-8437-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2344-5745-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2344-10602-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2344-2069-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2344-21788-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2344-30454-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2344-30455-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download
memory/2720-30447-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2720-30453-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2880-57-0x0000000000040000-0x0000000000183000-memory.dmp

Filesize
1.3MB

Download