prolock | 059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5

Analysis

max time kernel
346s
max time network
314s
platform
windows10_x64
resource
win10-en-20210920
submitted
20-10-2021 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
Size

28KB
MD5

90cd7b4a952a6c929bd006f74125fb8c
SHA1

827e2e64857d77c18d26980a69ab54683ec6e7de
SHA256

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5
SHA512

3e8a6bf872900f8b2cdb395aa71ada4d7999e5e2f9717d5761c26fee41f8d686e8d171e210f2f4e2535eedcd9122e1e7ab5c31ead255c6950ed0f99d8b040a73

Score

10^/10

prolock ransomware spyware stealer

Malware Config

Extracted

Path

C:\[HOW TO RECOVER FILES].TXT

Family

prolock

Ransom Note

Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm. [.:Nothing personal just business:.] No one can help you to restore files without our special decryption tool. To get your files back you have to pay the decryption fee in BTC. The final price depends on how fast you write to us. 1. Download TOR browser: https://www.torproject.org/ 2. Install the TOR Browser. 3. Open the TOR Browser. 4. Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion 5. Login using your ID D8756FE07320C1859F44 ***If you have any problems connecting or using TOR network: contact our support by email support981723721@protonmail.com [You'll receive instructions and price inside] The decryption keys will be stored for 1 month. We also have gathered your sensitive data. We would share it in case you refuse to pay. Decryption using third party software is impossible. Attempts to self-decrypting files will result in the loss of your data.

Emails

support981723721@protonmail.com

URLs

http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion

Signatures

ProLock Ransomware
Rebranded update of PwndLocker first seen in March 2020.
ransomware prolock
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe

description	ioc	process
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Searches\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Default\SendTo\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\1033\DATASE~1\DESKTOP.INI	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\Startup\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOWNLO~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\SAVEDG~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\SYSTEM~1\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\ACCESS~1\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~2\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\MAINTE~1\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Public\Desktop\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOCUME~1\MYMUSI~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYMUSI~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYPICT~1\CAMERA~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOWNLO~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Public\Videos\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Public\LIBRAR~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~1\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\SYSTEM~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\SendTo\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOCUME~1\MYPICT~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\MAINTE~1\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYVIDE~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\OneDrive\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\ACCESS~2\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\ACCESS~2\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\MAINTE~1\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOCUME~1\MYVIDE~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~1\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\MAINTE~1\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\ACCESS~1\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\SYSTEM~1\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\APPLIC~1\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\Startup\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Links\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\FAVORI~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Recent\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\ADMINI~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Public\ACCOUN~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\SYSTEM~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Contacts\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Desktop\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Default\APPLIC~1\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ADMINI~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYPICT~1\SAVEDP~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\Startup\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Public\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYPICT~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\DOCUME~1\Admin\FAVORI~1\Links\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\SYSTEM~1\Desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ADMINI~1\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

vssadmin.exevssadmin.exe

description ioc process

File opened (read-only) \??\D: vssadmin.exe
File opened (read-only) \??\D: vssadmin.exe

description	ioc	process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\DIAGNO~1\DOWNLO~1\WINDOWS.PERFTRACKPOINTDATA.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\jre\lib\deploy\messages_zh_HK.properties	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\TEMPLA~1\1033\TimelessLetter.dotx	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\191__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\DEVICE~1\Device\{11352~1\superbar.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\131__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\206__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\ProjectPro2019R_Retail-ppd.xrm-ms	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\WordVL_MAK-pl.xrm-ms	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Mozilla\updates\308046~1\update-config.json.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\MISSIO~1\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\153__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\693__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\Google\Chrome\APPLIC~1\890438~1.114\Locales\gu.pak	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File created	C:\PROGRA~1\MICROS~2\root\Office16\FPA_f3\[HOW TO RECOVER FILES].TXT	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File created	C:\PROGRA~1\MICROS~2\root\vfs\PROGRA~1\MICROS~1\TRANSLAT\ENFR\[HOW TO RECOVER FILES].TXT	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\MY-COM~1\js\nls\nb-no\[HOW TO RECOVER FILES].TXT	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\228__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\MICROS~1\AppV\Setup\OfficeIntegrator.ps1.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\vfs\PROGRA~1\MICROS~1\THEMES16\RMNSQUE\THMBNAIL.PNG	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\SEND-F~1\images\cloud_secured.png	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\USS-SE~1\js\nls\hu-hu\ui-strings.js	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\393__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\450__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\482__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\85__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\Network\DOWNLO~1\edb.log.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\MISSIO~1\features\ORGECL~1.V20\epl-v10.html	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\O365EduCloudEDUR_Subscription-pl.xrm-ms	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\VideoLAN\VLC\lua\http\vlm.html	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\656__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\SMSROU~1\MESSAG~1\edbtmp.log.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\MICROS~1\PROVIS~1\{1E05D~1\Prov\RunTime\0__Power_Controls.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\414__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\MISSIO~1\features\ORGECL~1.V20\feature.properties	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\images\s_cancel_18.svg	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\SCAN-F~1\js\nls\nl-nl\[HOW TO RECOVER FILES].TXT	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\MAINTE~1\Desktop.ini.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\121__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\127__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\CLICKT~1\{9AC08~1\C2RManifest.office32ww.msi.16.x-none.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\696__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\395__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\VisioPro2019R_Retail-ppd.xrm-ms	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\CREATE~1\js\nls\ca-es\[HOW TO RECOVER FILES].TXT	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\home\js\nls\fr-fr\[HOW TO RECOVER FILES].TXT	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\242__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{FC01E~1\MasterDatastore.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\157__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\core\dev\nls\uk-ua\[HOW TO RECOVER FILES].TXT	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\O365ProPlusR_SubTrial4-pl.xrm-ms	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\images\themes\dark\s_closereview_18.svg	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

3908 net.exe
Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

1272 vssadmin.exe
1076 vssadmin.exe
776 vssadmin.exe
2636 vssadmin.exe
1616 vssadmin.exe
1272 vssadmin.exe
Runs net.exe

pid	process
3908	net.exe

pid	process
1272	vssadmin.exe
1076	vssadmin.exe
776	vssadmin.exe
2636	vssadmin.exe
1616	vssadmin.exe
1272	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe

pid	process
2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe

pid process

2120 059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exevssvc.exe

description	pid	process
Token: SeSecurityPrivilege	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
Token: SeTakeOwnershipPrivilege	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
Token: SeBackupPrivilege	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
Token: SeRestorePrivilege	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
Token: SeManageVolumePrivilege	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
Token: SeDebugPrivilege	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
Token: SeBackupPrivilege	436	vssvc.exe
Token: SeRestorePrivilege	436	vssvc.exe
Token: SeAuditPrivilege	436	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2120 wrote to memory of 1392	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 1392	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 1392	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 1392 wrote to memory of 3960	1392	net.exe	net1.exe
PID 1392 wrote to memory of 3960	1392	net.exe	net1.exe
PID 1392 wrote to memory of 3960	1392	net.exe	net1.exe
PID 2120 wrote to memory of 2888	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 2888	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 2888	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2888 wrote to memory of 1916	2888	net.exe	net1.exe
PID 2888 wrote to memory of 1916	2888	net.exe	net1.exe
PID 2888 wrote to memory of 1916	2888	net.exe	net1.exe
PID 2120 wrote to memory of 616	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 616	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 616	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 616 wrote to memory of 628	616	net.exe	net1.exe
PID 616 wrote to memory of 628	616	net.exe	net1.exe
PID 616 wrote to memory of 628	616	net.exe	net1.exe
PID 2120 wrote to memory of 1452	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 1452	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 1452	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 1452 wrote to memory of 2056	1452	net.exe	net1.exe
PID 1452 wrote to memory of 2056	1452	net.exe	net1.exe
PID 1452 wrote to memory of 2056	1452	net.exe	net1.exe
PID 2120 wrote to memory of 412	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 412	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 412	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 412 wrote to memory of 964	412	net.exe	net1.exe
PID 412 wrote to memory of 964	412	net.exe	net1.exe
PID 412 wrote to memory of 964	412	net.exe	net1.exe
PID 2120 wrote to memory of 3604	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 3604	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 3604	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 3604 wrote to memory of 1456	3604	net.exe	net1.exe
PID 3604 wrote to memory of 1456	3604	net.exe	net1.exe
PID 3604 wrote to memory of 1456	3604	net.exe	net1.exe
PID 2120 wrote to memory of 2388	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 2388	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 2388	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2388 wrote to memory of 1760	2388	net.exe	net1.exe
PID 2388 wrote to memory of 1760	2388	net.exe	net1.exe
PID 2388 wrote to memory of 1760	2388	net.exe	net1.exe
PID 2120 wrote to memory of 1980	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 1980	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 1980	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 1980 wrote to memory of 2060	1980	net.exe	net1.exe
PID 1980 wrote to memory of 2060	1980	net.exe	net1.exe
PID 1980 wrote to memory of 2060	1980	net.exe	net1.exe
PID 2120 wrote to memory of 2136	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 2136	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 2136	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2136 wrote to memory of 2648	2136	net.exe	net1.exe
PID 2136 wrote to memory of 2648	2136	net.exe	net1.exe
PID 2136 wrote to memory of 2648	2136	net.exe	net1.exe
PID 2120 wrote to memory of 3632	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 3632	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 3632	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 3632 wrote to memory of 988	3632	net.exe	net1.exe
PID 3632 wrote to memory of 988	3632	net.exe	net1.exe
PID 3632 wrote to memory of 988	3632	net.exe	net1.exe
PID 2120 wrote to memory of 3780	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 3780	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 2120 wrote to memory of 3780	2120	059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe	net.exe
PID 3780 wrote to memory of 1116	3780	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe
"C:\Users\Admin\AppData\Local\Temp\059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "CSFalconService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "CSFalconService" /y
3⤵
PID:3960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "McAfeeFramework" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeFramework" /y
3⤵
PID:1916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Alerter" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alerter" /y
3⤵
PID:628

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "AcronisAgent" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AcronisAgent" /y
3⤵
PID:2056

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
3⤵
PID:964

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecAgentAccelerator" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
3⤵
PID:1456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecDeviceMediaService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
3⤵
PID:1760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecJobEngine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
3⤵
PID:2060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecManagementService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecManagementService" /y
3⤵
PID:2648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecRPCService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecRPCService" /y
3⤵
PID:988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecVSSProvider" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
3⤵
PID:1116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "DFSR" /y
2⤵
PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "DFSR" /y
3⤵
PID:3572

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPIntegrationService" /y
2⤵
PID:3556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPIntegrationService" /y
3⤵
PID:3116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPProtectedService" /y
2⤵
PID:2220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPProtectedService" /y
3⤵
PID:1400

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPSecurityService" /y
2⤵
PID:3768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPSecurityService" /y
3⤵
PID:3336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPUpdateService" /y
2⤵
PID:652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPUpdateService" /y
3⤵
PID:604

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MB3Service" /y
2⤵
PID:1916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MB3Service" /y
3⤵
PID:1920

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MBAMService" /y
2⤵
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBAMService" /y
3⤵
PID:448

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MBEndpointAgent" /y
2⤵
PID:612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBEndpointAgent" /y
3⤵
PID:3744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeES" /y
2⤵
PID:1656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeES" /y
3⤵
PID:3292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMGMT" /y
2⤵
PID:2496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
3⤵
PID:1596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMTA" /y
2⤵
PID:1348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMTA" /y
3⤵
PID:1720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeSA" /y
2⤵
PID:1856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSA" /y
3⤵
PID:776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeSRS" /y
2⤵
PID:4012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSRS" /y
3⤵
PID:3848

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeADTopology" /y
2⤵
PID:1924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeADTopology" /y
3⤵
PID:2196

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeDelivery" /y
2⤵
PID:3788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeDelivery" /y
3⤵
PID:1568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeDiagnostics" /y
2⤵
PID:1032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeDiagnostics" /y
3⤵
PID:3584

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeEdgeSync" /y
2⤵
PID:2840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeEdgeSync" /y
3⤵
PID:3172

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeHM" /y
2⤵
PID:3180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeHM" /y
3⤵
PID:3784

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeHMRecovery" /y
2⤵
PID:1520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeHMRecovery" /y
3⤵
PID:3420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeIS" /y
2⤵
PID:3608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeIS" /y
3⤵
PID:1864

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMailboxReplication" /y
2⤵
PID:328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMailboxReplication" /y
3⤵
PID:1872

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeRPC" /y
2⤵
PID:8

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeRPC" /y
3⤵
PID:1272

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeRepl" /y
2⤵
PID:1084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeRepl" /y
3⤵
PID:668

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeServiceHost" /y
2⤵
PID:2056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeServiceHost" /y
3⤵
PID:712

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeTransport" /y
2⤵
PID:1040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeTransport" /y
3⤵
PID:2440

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeUM" /y
2⤵
PID:1476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeUM" /y
3⤵
PID:2496

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeUMCR" /y
2⤵
PID:912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeUMCR" /y
3⤵
PID:1908

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$*" /y
2⤵
PID:1348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$*" /y
3⤵
PID:776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y
2⤵
PID:2172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
3⤵
PID:2636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MsDtsServer" /y
2⤵
PID:2732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer" /y
3⤵
PID:988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MySQL57" /y
2⤵
PID:2196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MySQL57" /y
3⤵
PID:2996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "OSearch15" /y
2⤵
PID:1220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OSearch15" /y
3⤵
PID:3632

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "OracleClientCache80" /y
2⤵
PID:3708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OracleClientCache80" /y
3⤵
PID:3284

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "QuickBooksDB25" /y
2⤵
PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "QuickBooksDB25" /y
3⤵
PID:2400

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPAdminV4" /y
2⤵
PID:1956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPAdminV4" /y
3⤵
PID:2896

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPSearchHostController" /y
2⤵
PID:2188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPSearchHostController" /y
3⤵
PID:516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPTraceV4" /y
2⤵
PID:1520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPTraceV4" /y
3⤵
PID:408

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPUserCodeV4" /y
2⤵
PID:444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPUserCodeV4" /y
3⤵
PID:1184

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPWriterV4" /y
2⤵
PID:2424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPWriterV4" /y
3⤵
PID:448

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBrowser" /y
2⤵
PID:1392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBrowser" /y
3⤵
PID:3488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLSafeOLRService" /y
2⤵
PID:1196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
3⤵
PID:1784

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
2⤵
PID:3044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
3⤵
PID:1288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLSERVERAGENT" /y
2⤵
PID:3900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
3⤵
PID:1500

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLTELEMETRY" /y
2⤵
PID:1584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
3⤵
PID:1724

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBackups" /y
2⤵
PID:2372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBackups" /y
3⤵
PID:2080

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$*" /y
2⤵
PID:2084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$*" /y
3⤵
PID:3852

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$*" /y
2⤵
PID:3084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$*" /y
3⤵
PID:992

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSMQ" /y
2⤵
PID:2060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSMQ" /y
3⤵
PID:2436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer" /y
2⤵
PID:2376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer" /y
3⤵
PID:1344

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$*" /y
2⤵
PID:3792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$*" /y
3⤵
PID:3584

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLWriter" /y
2⤵
PID:3416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLWriter" /y
3⤵
PID:3036

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBackupAgent" /y
2⤵
PID:3100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBackupAgent" /y
3⤵
PID:2932

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
2⤵
PID:2000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
3⤵
PID:2900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SyncoveryVSSService" /y
2⤵
PID:2240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SyncoveryVSSService" /y
3⤵
PID:3336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamBackupSvc" /y
2⤵
PID:3768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
3⤵
PID:1872

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamCatalogSvc" /y
2⤵
PID:520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
3⤵
PID:416

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamCloudSvc" /y
2⤵
PID:652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
3⤵
PID:660

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamEndpointBackupSvc" /y
2⤵
PID:436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEndpointBackupSvc" /y
3⤵
PID:976

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamEnterpriseManagerSvc" /y
2⤵
PID:3676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
3⤵
PID:2440

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamMountSvc" /y
2⤵
PID:616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamMountSvc" /y
3⤵
PID:2496

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamNFSSvc" /y
2⤵
PID:1264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
3⤵
PID:1908

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamRESTSvc" /y
2⤵
PID:1352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
3⤵
PID:776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamTransportSvc /y
2⤵
PID:1320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamTransportSvc /y
3⤵
PID:2636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
2⤵
PID:1764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "epag" /y
2⤵
PID:1980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "epag" /y
3⤵
PID:2996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "epredline" /y
2⤵
PID:2848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "epredline" /y
3⤵
PID:3632

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "mozyprobackup" /y
2⤵
PID:2196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mozyprobackup" /y
3⤵
PID:3284

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "masvc" /y
2⤵
PID:3592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "masvc" /y
3⤵
PID:2400

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "macmnsvc" /y
2⤵
PID:3552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "macmnsvc" /y
3⤵
PID:2896

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "mfemms" /y
2⤵
PID:2928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mfemms" /y
3⤵
PID:516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "McAfeeDLPAgentService" /y
2⤵
PID:3784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeDLPAgentService" /y
3⤵
PID:1092

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "psqlWGE" /y
2⤵
PID:3468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "psqlWGE" /y
3⤵
PID:1688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "swprv" /y
2⤵
PID:604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swprv" /y
3⤵
PID:896

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "wsbexchange" /y
2⤵
PID:4040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wsbexchange" /y
3⤵
PID:4044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "WinVNC4" /y
2⤵
PID:448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WinVNC4" /y
3⤵
PID:1452

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "TMBMServer" /y
2⤵
PID:1272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TMBMServer" /y
3⤵
PID:1664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "tmccsf" /y
2⤵
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmccsf" /y
3⤵
PID:964

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "tmlisten" /y
2⤵
PID:612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmlisten" /y
3⤵
PID:1296

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VSNAPVSS" /y
2⤵
PID:1512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSNAPVSS" /y
3⤵
PID:1576

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "stc_endpt_svc" /y
2⤵
PID:1724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "stc_endpt_svc" /y
3⤵
PID:2860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "wbengine" /y
2⤵
PID:2080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:324

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "bbagent" /y
2⤵
PID:2084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "bbagent" /y
3⤵
PID:3232

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "NasPmService" /y
2⤵
PID:2388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NasPmService" /y
3⤵
PID:2244

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BASupportExpressStandaloneService_N_Central" /y
2⤵
PID:2732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BASupportExpressStandaloneService_N_Central" /y
3⤵
PID:3284

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BASupportExpressSrvcUpdater_N_Central" /y
2⤵
PID:1924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BASupportExpressSrvcUpdater_N_Central" /y
3⤵
PID:2400

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "hasplms" /y
2⤵
PID:3000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "hasplms" /y
3⤵
PID:3416

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EqlVss" /y
2⤵
PID:3552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EqlVss" /y
3⤵
PID:2744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EqlReqService" /y
2⤵
PID:3116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EqlReqService" /y
3⤵
PID:1088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "RapidRecoveryAgent" /y
2⤵
PID:2368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "RapidRecoveryAgent" /y
3⤵
PID:2904

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "YTBackup" /y
2⤵
PID:2384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "YTBackup" /y
3⤵
PID:2724

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "vhdsvc" /y
2⤵
PID:1792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "vhdsvc" /y
3⤵
PID:1864

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "TeamViewer" /y
2⤵
- Discovers systems in the same network
PID:3908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TeamViewer" /y
3⤵
PID:2420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$SQL_2008" /y
2⤵
PID:2868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
3⤵
PID:2728

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$SYSTEM_BGC" /y
2⤵
PID:436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
3⤵
PID:428

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$TPS" /y
2⤵
PID:2444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
3⤵
PID:2316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$TPSAMA" /y
2⤵
PID:612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
3⤵
PID:3900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$BKUPEXEC" /y
2⤵
PID:924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
3⤵
PID:3848

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$ECWDB2" /y
2⤵
PID:412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
3⤵
PID:1292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PRACTICEMGT" /y
2⤵
PID:912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
3⤵
PID:2308

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PRACTTICEBGC" /y
2⤵
PID:2492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
3⤵
PID:2244

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PROD" /y
2⤵
PID:2328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROD" /y
3⤵
PID:2648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PROFXENGAGEMENT" /y
2⤵
PID:2136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
3⤵
PID:2836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SBSMONITORING" /y
2⤵
PID:2840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
3⤵
PID:1788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SHAREPOINT" /y
2⤵
PID:3580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
3⤵
PID:3160

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SOPHOS" /y
2⤵
PID:3192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
3⤵
PID:2000

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SQL_2008" /y
2⤵
PID:1092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
3⤵
PID:3336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SQLEXPRESS" /y
2⤵
PID:1688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
3⤵
PID:1872

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SYSTEM_BGC" /y
2⤵
PID:416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
3⤵
PID:3488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$TPS" /y
2⤵
PID:4044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPS" /y
3⤵
PID:2880

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$TPSAMA" /y
2⤵
PID:1452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
3⤵
PID:976

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2008R2" /y
2⤵
PID:1664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
3⤵
PID:3676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2012" /y
2⤵
PID:2496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
3⤵
PID:3760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher" /y
2⤵
PID:2320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
3⤵
PID:852

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
2⤵
PID:2056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
3⤵
PID:2336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SBSMONITORING" /y
2⤵
PID:3852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
3⤵
PID:1800

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SHAREPOINT" /y
2⤵
PID:1320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
3⤵
PID:1764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SQL_2008" /y
2⤵
PID:1044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
3⤵
PID:1568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SYSTEM_BGC" /y
2⤵
PID:4012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
3⤵
PID:940

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPS" /y
2⤵
PID:1444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
3⤵
PID:2404

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPSAMA" /y
2⤵
PID:2848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
3⤵
PID:3592

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y
2⤵
PID:1676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
3⤵
PID:3764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper" /y
2⤵
PID:2932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
3⤵
PID:408

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100" /y
2⤵
PID:1932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
3⤵
PID:3944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerOLAPService" /y
2⤵
PID:3100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
3⤵
PID:1148

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$BKUPEXEC" /y
2⤵
PID:3752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
3⤵
PID:520

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$CITRIX_METAFRAME" /y
2⤵
PID:2240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
3⤵
PID:1784

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$CXDB" /y
2⤵
PID:3768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
3⤵
PID:1304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$ECWDB2" /y
2⤵
PID:3908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
3⤵
PID:3748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEBGC" /y
2⤵
PID:2192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
3⤵
PID:712

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEMGT" /y
2⤵
PID:3292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
3⤵
PID:1928

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PROD" /y
2⤵
PID:3044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
3⤵
PID:1352

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PROFXENGAGEMENT" /y
2⤵
PID:1656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
3⤵
PID:3548

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SBSMONITORING" /y
2⤵
PID:924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
3⤵
PID:1116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SHAREPOINT" /y
2⤵
PID:412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
3⤵
PID:2244

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SOPHOS" /y
2⤵
PID:980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
3⤵
PID:3788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SQL_2008" /y
2⤵
PID:1616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
3⤵
PID:2400

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SQLEXPRESS" /y
2⤵
PID:2004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
3⤵
PID:1788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SYSTEM_BGC" /y
2⤵
PID:3572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
3⤵
PID:1256

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$TPS" /y
2⤵
PID:3720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
3⤵
PID:2000

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$TPSAMA" /y
2⤵
PID:1088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
3⤵
PID:3336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2008R2" /y
2⤵
PID:3560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
3⤵
PID:1872

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2012" /y
2⤵
PID:3804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
3⤵
PID:1684

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$SQL_2008" /y
2⤵
PID:1508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
3⤵
PID:2420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$SYSTEM_BGC" /y
2⤵
PID:3468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
3⤵
PID:1288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$TPS" /y
2⤵
PID:604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPS" /y
3⤵
PID:2564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$TPSAMA" /y
2⤵
PID:1452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
3⤵
PID:448

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1272

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=D: /on=D: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1076

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=D: /on=D: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:776

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2636

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1616

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\[HOW TO RECOVER FILES].TXT
1⤵
PID:3172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\[HOW TO RECOVER FILES].TXT
MD5
ceb027fc77c8dcb9379d8c820a17f057

SHA1
f25fe6da7e299e071b87b3ef220155034c965595

SHA256
1149ecae869f38c37cba49cb92227d5cdf6dd00679ba4ed6d31eb354e783b6da

SHA512
5535b8f9bc0ed4062a7e98eb567967bf43702560a193d4289caec43c63d5e2594872a89b5ce9e45cb3947ab5a0e2685e3a8fb83d09d7ba62eb2b1d423062d83a

Download Submit
memory/328-177-0x0000000000000000-mapping.dmp

Download
memory/412-123-0x0000000000000000-mapping.dmp

Download
memory/448-150-0x0000000000000000-mapping.dmp

Download
memory/604-146-0x0000000000000000-mapping.dmp

Download
memory/612-151-0x0000000000000000-mapping.dmp

Download
memory/616-119-0x0000000000000000-mapping.dmp

Download
memory/628-120-0x0000000000000000-mapping.dmp

Download
memory/652-145-0x0000000000000000-mapping.dmp

Download
memory/776-160-0x0000000000000000-mapping.dmp

Download
memory/964-124-0x0000000000000000-mapping.dmp

Download
memory/988-134-0x0000000000000000-mapping.dmp

Download
memory/1032-167-0x0000000000000000-mapping.dmp

Download
memory/1116-136-0x0000000000000000-mapping.dmp

Download
memory/1348-157-0x0000000000000000-mapping.dmp

Download
memory/1392-115-0x0000000000000000-mapping.dmp

Download
memory/1400-142-0x0000000000000000-mapping.dmp

Download
memory/1452-121-0x0000000000000000-mapping.dmp

Download
memory/1456-126-0x0000000000000000-mapping.dmp

Download
memory/1520-173-0x0000000000000000-mapping.dmp

Download
memory/1568-166-0x0000000000000000-mapping.dmp

Download
memory/1596-156-0x0000000000000000-mapping.dmp

Download
memory/1656-153-0x0000000000000000-mapping.dmp

Download
memory/1720-158-0x0000000000000000-mapping.dmp

Download
memory/1760-128-0x0000000000000000-mapping.dmp

Download
memory/1856-159-0x0000000000000000-mapping.dmp

Download
memory/1864-176-0x0000000000000000-mapping.dmp

Download
memory/1872-178-0x0000000000000000-mapping.dmp

Download
memory/1916-118-0x0000000000000000-mapping.dmp

Download
memory/1916-147-0x0000000000000000-mapping.dmp

Download
memory/1920-148-0x0000000000000000-mapping.dmp

Download
memory/1924-163-0x0000000000000000-mapping.dmp

Download
memory/1980-129-0x0000000000000000-mapping.dmp

Download
memory/2056-122-0x0000000000000000-mapping.dmp

Download
memory/2060-130-0x0000000000000000-mapping.dmp

Download
memory/2136-131-0x0000000000000000-mapping.dmp

Download
memory/2196-164-0x0000000000000000-mapping.dmp

Download
memory/2220-141-0x0000000000000000-mapping.dmp

Download
memory/2388-127-0x0000000000000000-mapping.dmp

Download
memory/2496-155-0x0000000000000000-mapping.dmp

Download
memory/2648-132-0x0000000000000000-mapping.dmp

Download
memory/2744-137-0x0000000000000000-mapping.dmp

Download
memory/2840-169-0x0000000000000000-mapping.dmp

Download
memory/2888-117-0x0000000000000000-mapping.dmp

Download
memory/2888-149-0x0000000000000000-mapping.dmp

Download
memory/3116-140-0x0000000000000000-mapping.dmp

Download
memory/3172-170-0x0000000000000000-mapping.dmp

Download
memory/3180-171-0x0000000000000000-mapping.dmp

Download
memory/3292-154-0x0000000000000000-mapping.dmp

Download
memory/3336-144-0x0000000000000000-mapping.dmp

Download
memory/3420-174-0x0000000000000000-mapping.dmp

Download
memory/3556-139-0x0000000000000000-mapping.dmp

Download
memory/3572-138-0x0000000000000000-mapping.dmp

Download
memory/3584-168-0x0000000000000000-mapping.dmp

Download
memory/3604-125-0x0000000000000000-mapping.dmp

Download
memory/3608-175-0x0000000000000000-mapping.dmp

Download
memory/3632-133-0x0000000000000000-mapping.dmp

Download
memory/3744-152-0x0000000000000000-mapping.dmp

Download
memory/3768-143-0x0000000000000000-mapping.dmp

Download
memory/3780-135-0x0000000000000000-mapping.dmp

Download
memory/3784-172-0x0000000000000000-mapping.dmp

Download
memory/3788-165-0x0000000000000000-mapping.dmp

Download
memory/3848-162-0x0000000000000000-mapping.dmp

Download
memory/3960-116-0x0000000000000000-mapping.dmp

Download
memory/4012-161-0x0000000000000000-mapping.dmp

Download