prolock | dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178

Analysis

max time kernel
386s
max time network
363s
platform
windows10_x64
resource
win10-en-20210920
submitted
20-10-2021 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Size

14KB
MD5

3355ace345e98406bdb331ccad568386
SHA1

81d5888bb8d43d88315c040be1f51db6bb5cf64c
SHA256

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178
SHA512

55223ee6f387252a401e62cd5b619afafcb3d63cb33cd1b9a12d782dadc9e68b95062363863f70f13eb28f751da710b78161f7efda464d66b1f98741e56f50e1

Score

10^/10

prolock ransomware spyware stealer

Malware Config

Extracted

Path

C:\[HOW TO RECOVER FILES].TXT

Family

prolock

Ransom Note

Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm. [.:Nothing personal just business:.] No one can help you to restore files without our special decryption tool. To get your files back you have to pay the decryption fee in BTC. The final price depends on how fast you write to us. 1. Download TOR browser: https://www.torproject.org/ 2. Install the TOR Browser. 3. Open the TOR Browser. 4. Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion 5. Login using your ID D8756FE07320C1859F44 ***If you have any problems connecting or using TOR network: contact our support by email support981723721@protonmail.com [You'll receive instructions and price inside] The decryption keys will be stored for 1 month. We also have gathered your sensitive data. We would share it in case you refuse to pay. Decryption using third party software is impossible. Attempts to self-decrypting files will result in the loss of your data.

Emails

support981723721@protonmail.com

URLs

http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion

Signatures

ProLock Ransomware
Rebranded update of PwndLocker first seen in March 2020.
ransomware prolock
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CheckpointPush.crw.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\CheckpointPush.crw.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PublishApprove.tiff.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\PublishApprove.tiff.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\PublishApprove.tiff.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SkipDismount.crw.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\SkipDismount.crw.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\SkipDismount.crw.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SkipSplit.tiff.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\SkipSplit.tiff.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\SkipSplit.tiff.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointPush.crw.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

Drops startup file 3 IoCs

Processes:

taskmgr.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\[how to recover files].txt	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.prolock	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.prolock.prolock	taskmgr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

description	ioc	process
File opened for modification	C:\DOCUME~1\Admin\APPLIC~1\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\SendTo\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\ACCESS~2\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\SYSTEM~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\ADMINI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Default\SendTo\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\MAINTE~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOCUME~1\MYPICT~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\APPLIC~1\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\ACCESS~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\ACCESS~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\Startup\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\Pictures\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\Videos\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\1033\DATASE~1\DESKTOP.INI	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ADMINI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\SYSTEM~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Desktop\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYPICT~1\CAMERA~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\SYSTEM~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\ACCOUN~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOCUME~1\MYMUSI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\MAINTE~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOCUME~1\MYVIDE~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\MAINTE~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYMUSI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYPICT~1\SAVEDP~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Links\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOWNLO~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\SYSTEM~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\FAVORI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\SAVEDG~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\Desktop\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\SYSTEM~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Contacts\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\OneDrive\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Recent\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ADMINI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\LIBRAR~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\MAINTE~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\Startup\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOWNLO~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Searches\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\Startup\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\ACCESS~2\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\SYSTEM~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Default\APPLIC~1\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOCUME~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

vssadmin.exevssadmin.exe

description ioc process

File opened (read-only) \??\D: vssadmin.exe
File opened (read-only) \??\D: vssadmin.exe

description	ioc	process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Tracker\reviews_super.gif	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\images\WIN8-S~1\arrow-left-pressed.gif	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\CLICKT~1\{9AC08~1\C2RManifest.officemui.msi.16.en-us.xml	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\UEV\TEMPLA~1\SettingsLocationTemplate2013.xsd.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\665__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\LOGOIM~1\WinWordLogoSmall.scale-100.png	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~1\MICROS~2\root\Office16\MSIPC\no\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\PAGESIZE\PGLBL027.XML	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\app\dev\nls\ja-jp\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\MF\Pending.GRL.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\246__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\MICROS~1\DIAGNO~1\DOWNLO~1\WINDOWS.PERFTRACKESCALATIONS.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\264__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\include\win32\bridge\AccessBridgePackages.h	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\MondoR_Grace-ul-oob.xrm-ms	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\715__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\717__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\UEV\INBOXT~1\MicrosoftOffice2016BackupWin32.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\PublisherR_OEM_Perp-ul-oob.xrm-ms	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\1033\QUICKS~1\Classic.dotx	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~1\MICROS~2\root\Office16\sdxs\FA0000~1\cardview\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\vfs\PROGRA~1\MICROS~1\THEMES16\ECHO\ECHO.ELM	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\app\dev\nls\ui-strings.js	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\CREATE~1\js\nls\he-il\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\536__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\images\s_checkbox_unselected_18.svg	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\fss\js\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{7A30A~1\Prov\RunTime\1__Power_Policy.provxml.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\715__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\USERAC~1\user-48.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\710__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\PAGESIZE\PGLBL011.XML	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\PROOF\LTSHYPH_EN.LEX	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\digsig\js\nls\pl-pl\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\490__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\357_nnections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\reviews\js\nls\ru-ru\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\386__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\155__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\708__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\ProPlusR_Trial-ul-oob.xrm-ms	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\WALK-T~1\images\THEMEL~1\close.svg	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\CLICKT~1\{9AC08~1\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\181__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~1\MICROS~2\Updates\Apply\FILESI~1\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~1\VideoLAN\VLC\locale\lv\LC_MES~1\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\VideoLAN\VLC\lua\http\css\UI-LIG~1\images\ui-icons_ffffff_256x240.png	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\MY-COM~2\images\themes\dark\virgo_mycomputer_folder_icon.svg	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\CLICKT~1\DeploymentConfig.0.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\111__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\496__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\645__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\457__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\STARTM~1\Programs\desktop.ini.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~1\VideoLAN\VLC\locale\hu\LC_MES~1\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\SCAN-F~1\images\THEMEL~1\PLAYST~1\pt_get.svg	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\desktop.ini.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1620 net.exe
Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

3460 vssadmin.exe
2960 vssadmin.exe
1856 vssadmin.exe
2960 vssadmin.exe
752 vssadmin.exe
3468 vssadmin.exe
Runs net.exe

pid	process
1620	net.exe

pid	process
3460	vssadmin.exe
2960	vssadmin.exe
1856	vssadmin.exe
2960	vssadmin.exe
752	vssadmin.exe
3468	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exetaskmgr.exe

pid	process
2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exetaskmgr.exe

pid process

2412 dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
1876 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exetaskmgr.exevssvc.exe

description	pid	process
Token: SeSecurityPrivilege	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeTakeOwnershipPrivilege	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeBackupPrivilege	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeRestorePrivilege	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeManageVolumePrivilege	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeDebugPrivilege	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeDebugPrivilege	1876	taskmgr.exe
Token: SeSystemProfilePrivilege	1876	taskmgr.exe
Token: SeCreateGlobalPrivilege	1876	taskmgr.exe
Token: SeBackupPrivilege	1680	vssvc.exe
Token: SeRestorePrivilege	1680	vssvc.exe
Token: SeAuditPrivilege	1680	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe
1876	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2412 wrote to memory of 3440	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 3440	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 3440	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3440 wrote to memory of 1152	3440	net.exe	net1.exe
PID 3440 wrote to memory of 1152	3440	net.exe	net1.exe
PID 3440 wrote to memory of 1152	3440	net.exe	net1.exe
PID 2412 wrote to memory of 416	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 416	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 416	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 416 wrote to memory of 1332	416	net.exe	net1.exe
PID 416 wrote to memory of 1332	416	net.exe	net1.exe
PID 416 wrote to memory of 1332	416	net.exe	net1.exe
PID 2412 wrote to memory of 4056	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 4056	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 4056	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4056 wrote to memory of 656	4056	net.exe	net1.exe
PID 4056 wrote to memory of 656	4056	net.exe	net1.exe
PID 4056 wrote to memory of 656	4056	net.exe	net1.exe
PID 2412 wrote to memory of 864	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 864	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 864	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 864 wrote to memory of 3952	864	net.exe	net1.exe
PID 864 wrote to memory of 3952	864	net.exe	net1.exe
PID 864 wrote to memory of 3952	864	net.exe	net1.exe
PID 2412 wrote to memory of 3948	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 3948	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 3948	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 2180	3948	net.exe	net1.exe
PID 3948 wrote to memory of 2180	3948	net.exe	net1.exe
PID 3948 wrote to memory of 2180	3948	net.exe	net1.exe
PID 2412 wrote to memory of 920	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 920	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 920	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 920 wrote to memory of 3520	920	net.exe	net1.exe
PID 920 wrote to memory of 3520	920	net.exe	net1.exe
PID 920 wrote to memory of 3520	920	net.exe	net1.exe
PID 2412 wrote to memory of 3964	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 3964	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 3964	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3964 wrote to memory of 604	3964	net.exe	net1.exe
PID 3964 wrote to memory of 604	3964	net.exe	net1.exe
PID 3964 wrote to memory of 604	3964	net.exe	net1.exe
PID 2412 wrote to memory of 888	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 888	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 888	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 888 wrote to memory of 4016	888	net.exe	net1.exe
PID 888 wrote to memory of 4016	888	net.exe	net1.exe
PID 888 wrote to memory of 4016	888	net.exe	net1.exe
PID 2412 wrote to memory of 3252	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 3252	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 3252	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3252 wrote to memory of 3984	3252	net.exe	net1.exe
PID 3252 wrote to memory of 3984	3252	net.exe	net1.exe
PID 3252 wrote to memory of 3984	3252	net.exe	net1.exe
PID 2412 wrote to memory of 1780	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 1780	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 1780	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 1780 wrote to memory of 3704	1780	net.exe	net1.exe
PID 1780 wrote to memory of 3704	1780	net.exe	net1.exe
PID 1780 wrote to memory of 3704	1780	net.exe	net1.exe
PID 2412 wrote to memory of 2748	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 2748	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2412 wrote to memory of 2748	2412	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2748 wrote to memory of 2536	2748	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
"C:\Users\Admin\AppData\Local\Temp\dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "CSFalconService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "CSFalconService" /y
3⤵
PID:1152

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "McAfeeFramework" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeFramework" /y
3⤵
PID:1332

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Alerter" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alerter" /y
3⤵
PID:656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "AcronisAgent" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AcronisAgent" /y
3⤵
PID:3952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
3⤵
PID:2180

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecAgentAccelerator" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
3⤵
PID:3520

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecDeviceMediaService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
3⤵
PID:604

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecJobEngine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
3⤵
PID:4016

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecManagementService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecManagementService" /y
3⤵
PID:3984

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecRPCService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecRPCService" /y
3⤵
PID:3704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecVSSProvider" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
3⤵
PID:2536

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "DFSR" /y
2⤵
PID:1684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "DFSR" /y
3⤵
PID:2080

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPIntegrationService" /y
2⤵
PID:1928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPIntegrationService" /y
3⤵
PID:4004

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPProtectedService" /y
2⤵
PID:2492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPProtectedService" /y
3⤵
PID:4068

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPSecurityService" /y
2⤵
PID:3228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPSecurityService" /y
3⤵
PID:2236

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPUpdateService" /y
2⤵
PID:2936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPUpdateService" /y
3⤵
PID:3196

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MB3Service" /y
2⤵
PID:2024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MB3Service" /y
3⤵
PID:3796

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MBAMService" /y
2⤵
PID:3552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBAMService" /y
3⤵
PID:2900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MBEndpointAgent" /y
2⤵
PID:1816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBEndpointAgent" /y
3⤵
PID:420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeES" /y
2⤵
PID:1424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeES" /y
3⤵
PID:1156

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMGMT" /y
2⤵
PID:1176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
3⤵
PID:1108

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMTA" /y
2⤵
PID:816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMTA" /y
3⤵
PID:3960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeSA" /y
2⤵
PID:3972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSA" /y
3⤵
PID:3636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeSRS" /y
2⤵
PID:2180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSRS" /y
3⤵
PID:1636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeADTopology" /y
2⤵
PID:3520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeADTopology" /y
3⤵
PID:1940

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeDelivery" /y
2⤵
PID:604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeDelivery" /y
3⤵
PID:3760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeDiagnostics" /y
2⤵
PID:404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeDiagnostics" /y
3⤵
PID:1084

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeEdgeSync" /y
2⤵
PID:2764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeEdgeSync" /y
3⤵
PID:1220

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeHM" /y
2⤵
PID:828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeHM" /y
3⤵
PID:3988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeHMRecovery" /y
2⤵
PID:1120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeHMRecovery" /y
3⤵
PID:1952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeIS" /y
2⤵
PID:1700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeIS" /y
3⤵
PID:2212

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMailboxReplication" /y
2⤵
PID:2128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMailboxReplication" /y
3⤵
PID:3000

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeRPC" /y
2⤵
PID:3476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeRPC" /y
3⤵
PID:3468

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeRepl" /y
2⤵
PID:1640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeRepl" /y
3⤵
PID:3228

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeServiceHost" /y
2⤵
PID:1976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeServiceHost" /y
3⤵
PID:1584

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeTransport" /y
2⤵
PID:1480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeTransport" /y
3⤵
PID:3600

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeUM" /y
2⤵
PID:3604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeUM" /y
3⤵
PID:2900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeUMCR" /y
2⤵
PID:3064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeUMCR" /y
3⤵
PID:1252

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$*" /y
2⤵
PID:3928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$*" /y
3⤵
PID:948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y
2⤵
PID:1284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
3⤵
PID:860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MsDtsServer" /y
2⤵
PID:1028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer" /y
3⤵
PID:1176

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MySQL57" /y
2⤵
PID:1340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MySQL57" /y
3⤵
PID:2344

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "OSearch15" /y
2⤵
PID:2684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OSearch15" /y
3⤵
PID:1568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "OracleClientCache80" /y
2⤵
PID:660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OracleClientCache80" /y
3⤵
PID:3628

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "QuickBooksDB25" /y
2⤵
PID:3616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "QuickBooksDB25" /y
3⤵
PID:1556

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPAdminV4" /y
2⤵
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPAdminV4" /y
3⤵
PID:3068

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPSearchHostController" /y
2⤵
PID:1144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPSearchHostController" /y
3⤵
PID:3760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPTraceV4" /y
2⤵
PID:3508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPTraceV4" /y
3⤵
PID:4016

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPUserCodeV4" /y
2⤵
PID:3252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPUserCodeV4" /y
3⤵
PID:3744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPWriterV4" /y
2⤵
PID:3480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPWriterV4" /y
3⤵
PID:1172

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBrowser" /y
2⤵
PID:1204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBrowser" /y
3⤵
PID:2216

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLSafeOLRService" /y
2⤵
PID:1120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
3⤵
PID:2212

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
2⤵
PID:3032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
3⤵
PID:3008

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLSERVERAGENT" /y
2⤵
PID:2132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
3⤵
PID:1236

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLTELEMETRY" /y
2⤵
PID:3044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
3⤵
PID:2292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBackups" /y
2⤵
PID:3756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBackups" /y
3⤵
PID:2424

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$*" /y
2⤵
PID:3060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$*" /y
3⤵
PID:3796

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$*" /y
2⤵
PID:1880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$*" /y
3⤵
PID:1884

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSMQ" /y
2⤵
PID:708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSMQ" /y
3⤵
PID:860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer" /y
2⤵
PID:3440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer" /y
3⤵
PID:1168

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$*" /y
2⤵
PID:1256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$*" /y
3⤵
PID:1340

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLWriter" /y
2⤵
PID:3944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLWriter" /y
3⤵
PID:3296

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBackupAgent" /y
2⤵
PID:3976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBackupAgent" /y
3⤵
PID:660

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
2⤵
PID:3972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
3⤵
PID:2180

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SyncoveryVSSService" /y
2⤵
PID:2116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SyncoveryVSSService" /y
3⤵
PID:1240

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamBackupSvc" /y
2⤵
PID:920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
3⤵
PID:2152

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamCatalogSvc" /y
2⤵
PID:1856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
3⤵
PID:1672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamCloudSvc" /y
2⤵
PID:1036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
3⤵
PID:3252

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamEndpointBackupSvc" /y
2⤵
PID:1064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEndpointBackupSvc" /y
3⤵
PID:2328

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamEnterpriseManagerSvc" /y
2⤵
PID:1172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
3⤵
PID:1204

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamMountSvc" /y
2⤵
PID:2748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamMountSvc" /y
3⤵
PID:1120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamNFSSvc" /y
2⤵
PID:1684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
3⤵
PID:1800

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamRESTSvc" /y
2⤵
PID:3468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
3⤵
PID:1960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamTransportSvc /y
2⤵
PID:312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamTransportSvc /y
3⤵
PID:2292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
2⤵
PID:1088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:3660

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "epag" /y
2⤵
PID:3168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "epag" /y
3⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "epredline" /y
2⤵
PID:1292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "epredline" /y
3⤵
PID:708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "mozyprobackup" /y
2⤵
PID:3856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mozyprobackup" /y
3⤵
PID:316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "masvc" /y
2⤵
PID:812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "masvc" /y
3⤵
PID:1256

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "macmnsvc" /y
2⤵
PID:1108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "macmnsvc" /y
3⤵
PID:3944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "mfemms" /y
2⤵
PID:3692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mfemms" /y
3⤵
PID:1020

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "McAfeeDLPAgentService" /y
2⤵
PID:1400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeDLPAgentService" /y
3⤵
PID:1032

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "psqlWGE" /y
2⤵
PID:2752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "psqlWGE" /y
3⤵
PID:2172

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "swprv" /y
2⤵
PID:1092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swprv" /y
3⤵
PID:2572

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "wsbexchange" /y
2⤵
PID:2252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wsbexchange" /y
3⤵
PID:1856

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "WinVNC4" /y
2⤵
PID:672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WinVNC4" /y
3⤵
PID:1036

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "TMBMServer" /y
2⤵
PID:684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TMBMServer" /y
3⤵
PID:1064

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "tmccsf" /y
2⤵
PID:904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmccsf" /y
3⤵
PID:2960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "tmlisten" /y
2⤵
PID:1204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmlisten" /y
3⤵
PID:2748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VSNAPVSS" /y
2⤵
PID:956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSNAPVSS" /y
3⤵
PID:1744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "stc_endpt_svc" /y
2⤵
PID:3208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "stc_endpt_svc" /y
3⤵
PID:3468

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "wbengine" /y
2⤵
PID:1236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:2680

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "bbagent" /y
2⤵
PID:312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "bbagent" /y
3⤵
PID:1640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "NasPmService" /y
2⤵
PID:1088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NasPmService" /y
3⤵
PID:1480

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BASupportExpressStandaloneService_N_Central" /y
2⤵
PID:3672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BASupportExpressStandaloneService_N_Central" /y
3⤵
PID:2688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BASupportExpressSrvcUpdater_N_Central" /y
2⤵
PID:1332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BASupportExpressSrvcUpdater_N_Central" /y
3⤵
PID:916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "hasplms" /y
2⤵
PID:1296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "hasplms" /y
3⤵
PID:1256

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EqlVss" /y
2⤵
PID:2196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EqlVss" /y
3⤵
PID:3944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EqlReqService" /y
2⤵
PID:3376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EqlReqService" /y
3⤵
PID:1568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "RapidRecoveryAgent" /y
2⤵
PID:1572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "RapidRecoveryAgent" /y
3⤵
PID:340

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "YTBackup" /y
2⤵
PID:1400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "YTBackup" /y
3⤵
PID:1456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "vhdsvc" /y
2⤵
PID:2752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "vhdsvc" /y
3⤵
PID:1656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "TeamViewer" /y
2⤵
- Discovers systems in the same network
PID:1620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TeamViewer" /y
3⤵
PID:4016

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$SQL_2008" /y
2⤵
PID:1672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
3⤵
PID:2764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$SYSTEM_BGC" /y
2⤵
PID:4088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
3⤵
PID:944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$TPS" /y
2⤵
PID:2332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
3⤵
PID:1664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$TPSAMA" /y
2⤵
PID:2216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
3⤵
PID:1120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$BKUPEXEC" /y
2⤵
PID:1732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
3⤵
PID:2100

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$ECWDB2" /y
2⤵
PID:1800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
3⤵
PID:3916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PRACTICEMGT" /y
2⤵
PID:3208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
3⤵
PID:1236

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PRACTTICEBGC" /y
2⤵
PID:2492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
3⤵
PID:3980

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PROD" /y
2⤵
PID:3496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROD" /y
3⤵
PID:1088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PROFXENGAGEMENT" /y
2⤵
PID:1284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
3⤵
PID:3672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SBSMONITORING" /y
2⤵
PID:3588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
3⤵
PID:3928

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SHAREPOINT" /y
2⤵
PID:1332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
3⤵
PID:3856

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SOPHOS" /y
2⤵
PID:640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
3⤵
PID:1448

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SQL_2008" /y
2⤵
PID:4056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
3⤵
PID:2684

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SQLEXPRESS" /y
2⤵
PID:296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
3⤵
PID:3692

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SYSTEM_BGC" /y
2⤵
PID:660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
3⤵
PID:2116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$TPS" /y
2⤵
PID:3516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPS" /y
3⤵
PID:3948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$TPSAMA" /y
2⤵
PID:2172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
3⤵
PID:1376

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2008R2" /y
2⤵
PID:2152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
3⤵
PID:1672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2012" /y
2⤵
PID:3984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
3⤵
PID:828

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher" /y
2⤵
PID:980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
3⤵
PID:1952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
2⤵
PID:1172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
3⤵
PID:2208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SBSMONITORING" /y
2⤵
PID:1504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
3⤵
PID:1720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SHAREPOINT" /y
2⤵
PID:3524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
3⤵
PID:2136

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SQL_2008" /y
2⤵
PID:3032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
3⤵
PID:3044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SYSTEM_BGC" /y
2⤵
PID:2284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
3⤵
PID:2184

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPS" /y
2⤵
PID:832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
3⤵
PID:1152

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPSAMA" /y
2⤵
PID:3060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
3⤵
PID:2236

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y
2⤵
PID:512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
3⤵
PID:1312

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper" /y
2⤵
PID:708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
3⤵
PID:916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100" /y
2⤵
PID:416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
3⤵
PID:640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerOLAPService" /y
2⤵
PID:3952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
3⤵
PID:1568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$BKUPEXEC" /y
2⤵
PID:2592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
3⤵
PID:2868

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$CITRIX_METAFRAME" /y
2⤵
PID:3052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
3⤵
PID:1456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$CXDB" /y
2⤵
PID:1032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
3⤵
PID:3964

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$ECWDB2" /y
2⤵
PID:2572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
3⤵
PID:3508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEBGC" /y
2⤵
PID:1868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
3⤵
PID:1620

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEMGT" /y
2⤵
PID:4016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
3⤵
PID:3992

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PROD" /y
2⤵
PID:2764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
3⤵
PID:980

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PROFXENGAGEMENT" /y
2⤵
PID:2536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
3⤵
PID:1172

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SBSMONITORING" /y
2⤵
PID:1972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
3⤵
PID:1504

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SHAREPOINT" /y
2⤵
PID:1528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
3⤵
PID:2088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SOPHOS" /y
2⤵
PID:2136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
3⤵
PID:1236

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SQL_2008" /y
2⤵
PID:3044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
3⤵
PID:2300

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SQLEXPRESS" /y
2⤵
PID:1584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
3⤵
PID:1088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SYSTEM_BGC" /y
2⤵
PID:2264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
3⤵
PID:2544

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$TPS" /y
2⤵
PID:1288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
3⤵
PID:584

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$TPSAMA" /y
2⤵
PID:3788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
3⤵
PID:2688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2008R2" /y
2⤵
PID:1660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
3⤵
PID:3640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2012" /y
2⤵
PID:3976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
3⤵
PID:388

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$SQL_2008" /y
2⤵
PID:296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
3⤵
PID:3692

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$SYSTEM_BGC" /y
2⤵
PID:660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
3⤵
PID:3616

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$TPS" /y
2⤵
PID:3516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPS" /y
3⤵
PID:604

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$TPSAMA" /y
2⤵
PID:2172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
3⤵
PID:1248

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1856

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=D: /on=D: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2960

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=D: /on=D: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:752

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3468

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:3460

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:2960

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\[HOW TO RECOVER FILES].TXT
1⤵
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\[HOW TO RECOVER FILES].TXT
MD5
ceb027fc77c8dcb9379d8c820a17f057

SHA1
f25fe6da7e299e071b87b3ef220155034c965595

SHA256
1149ecae869f38c37cba49cb92227d5cdf6dd00679ba4ed6d31eb354e783b6da

SHA512
5535b8f9bc0ed4062a7e98eb567967bf43702560a193d4289caec43c63d5e2594872a89b5ce9e45cb3947ab5a0e2685e3a8fb83d09d7ba62eb2b1d423062d83a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[HOW TO RECOVER FILES].TXT
MD5
ceb027fc77c8dcb9379d8c820a17f057

SHA1
f25fe6da7e299e071b87b3ef220155034c965595

SHA256
1149ecae869f38c37cba49cb92227d5cdf6dd00679ba4ed6d31eb354e783b6da

SHA512
5535b8f9bc0ed4062a7e98eb567967bf43702560a193d4289caec43c63d5e2594872a89b5ce9e45cb3947ab5a0e2685e3a8fb83d09d7ba62eb2b1d423062d83a

Download Submit
C:\Users\Public\Desktop\[HOW TO RECOVER FILES].TXT
MD5
ceb027fc77c8dcb9379d8c820a17f057

SHA1
f25fe6da7e299e071b87b3ef220155034c965595

SHA256
1149ecae869f38c37cba49cb92227d5cdf6dd00679ba4ed6d31eb354e783b6da

SHA512
5535b8f9bc0ed4062a7e98eb567967bf43702560a193d4289caec43c63d5e2594872a89b5ce9e45cb3947ab5a0e2685e3a8fb83d09d7ba62eb2b1d423062d83a

Download Submit
memory/404-167-0x0000000000000000-mapping.dmp

Download
memory/416-117-0x0000000000000000-mapping.dmp

Download
memory/420-152-0x0000000000000000-mapping.dmp

Download
memory/604-165-0x0000000000000000-mapping.dmp

Download
memory/604-128-0x0000000000000000-mapping.dmp

Download
memory/656-120-0x0000000000000000-mapping.dmp

Download
memory/816-157-0x0000000000000000-mapping.dmp

Download
memory/828-171-0x0000000000000000-mapping.dmp

Download
memory/864-121-0x0000000000000000-mapping.dmp

Download
memory/888-129-0x0000000000000000-mapping.dmp

Download
memory/920-125-0x0000000000000000-mapping.dmp

Download
memory/1084-168-0x0000000000000000-mapping.dmp

Download
memory/1108-156-0x0000000000000000-mapping.dmp

Download
memory/1120-173-0x0000000000000000-mapping.dmp

Download
memory/1152-116-0x0000000000000000-mapping.dmp

Download
memory/1156-154-0x0000000000000000-mapping.dmp

Download
memory/1176-155-0x0000000000000000-mapping.dmp

Download
memory/1220-170-0x0000000000000000-mapping.dmp

Download
memory/1332-118-0x0000000000000000-mapping.dmp

Download
memory/1424-153-0x0000000000000000-mapping.dmp

Download
memory/1636-162-0x0000000000000000-mapping.dmp

Download
memory/1684-137-0x0000000000000000-mapping.dmp

Download
memory/1700-175-0x0000000000000000-mapping.dmp

Download
memory/1780-133-0x0000000000000000-mapping.dmp

Download
memory/1816-151-0x0000000000000000-mapping.dmp

Download
memory/1928-139-0x0000000000000000-mapping.dmp

Download
memory/1940-164-0x0000000000000000-mapping.dmp

Download
memory/1952-174-0x0000000000000000-mapping.dmp

Download
memory/2024-147-0x0000000000000000-mapping.dmp

Download
memory/2080-138-0x0000000000000000-mapping.dmp

Download
memory/2128-177-0x0000000000000000-mapping.dmp

Download
memory/2180-124-0x0000000000000000-mapping.dmp

Download
memory/2180-161-0x0000000000000000-mapping.dmp

Download
memory/2212-176-0x0000000000000000-mapping.dmp

Download
memory/2236-144-0x0000000000000000-mapping.dmp

Download
memory/2492-141-0x0000000000000000-mapping.dmp

Download
memory/2536-136-0x0000000000000000-mapping.dmp

Download
memory/2748-135-0x0000000000000000-mapping.dmp

Download
memory/2764-169-0x0000000000000000-mapping.dmp

Download
memory/2900-150-0x0000000000000000-mapping.dmp

Download
memory/2936-145-0x0000000000000000-mapping.dmp

Download
memory/3000-178-0x0000000000000000-mapping.dmp

Download
memory/3196-146-0x0000000000000000-mapping.dmp

Download
memory/3228-143-0x0000000000000000-mapping.dmp

Download
memory/3252-131-0x0000000000000000-mapping.dmp

Download
memory/3440-115-0x0000000000000000-mapping.dmp

Download
memory/3520-163-0x0000000000000000-mapping.dmp

Download
memory/3520-126-0x0000000000000000-mapping.dmp

Download
memory/3552-149-0x0000000000000000-mapping.dmp

Download
memory/3636-160-0x0000000000000000-mapping.dmp

Download
memory/3704-134-0x0000000000000000-mapping.dmp

Download
memory/3760-166-0x0000000000000000-mapping.dmp

Download
memory/3796-148-0x0000000000000000-mapping.dmp

Download
memory/3948-123-0x0000000000000000-mapping.dmp

Download
memory/3952-122-0x0000000000000000-mapping.dmp

Download
memory/3960-158-0x0000000000000000-mapping.dmp

Download
memory/3964-127-0x0000000000000000-mapping.dmp

Download
memory/3972-159-0x0000000000000000-mapping.dmp

Download
memory/3984-132-0x0000000000000000-mapping.dmp

Download
memory/3988-172-0x0000000000000000-mapping.dmp

Download
memory/4004-140-0x0000000000000000-mapping.dmp

Download
memory/4016-130-0x0000000000000000-mapping.dmp

Download
memory/4056-119-0x0000000000000000-mapping.dmp

Download
memory/4068-142-0x0000000000000000-mapping.dmp

Download