prolock | 89887eed284bfd0444ab36df7302b5b5732898d1a32e11440ec39c059dba4e3d

Analysis

max time kernel
749s
max time network
1555s
platform
windows10_x64
resource
win10-en-20211014
submitted
27-10-2021 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

Score

10^/10

prolock ransomware spyware stealer

Malware Config

Extracted

Path

C:\[HOW TO RECOVER FILES].TXT

Family

prolock

Ransom Note

Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm. [.:Nothing personal just business:.] No one can help you to restore files without our special decryption tool. To get your files back you have to pay the decryption fee in BTC. The final price depends on how fast you write to us. 1. Download TOR browser: https://www.torproject.org/ 2. Install the TOR Browser. 3. Open the TOR Browser. 4. Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion 5. Login using your ID D8756FE07320C1859F44 ***If you have any problems connecting or using TOR network: contact our support by email support981723721@protonmail.com [You'll receive instructions and price inside] The decryption keys will be stored for 1 month. We also have gathered your sensitive data. We would share it in case you refuse to pay. Decryption using third party software is impossible. Attempts to self-decrypting files will result in the loss of your data.

Emails

support981723721@protonmail.com

URLs

http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion

Signatures

ProLock Ransomware
Rebranded update of PwndLocker first seen in March 2020.
ransomware prolock
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 28 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SuspendRegister.tiff.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\GetRestart.raw.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\PushRemove.tif.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\PushRemove.tif.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\WaitRestore.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\DisableApprove.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\ImportSelect.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\ImportSelect.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\DisableApprove.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\DisableApprove.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PushRemove.tif.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\SuspendRegister.tiff.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\SuspendRegister.tiff.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendRegister.tiff.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\WaitRestore.png.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\WaitRestore.png.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PushRemove.tif.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\GetRestart.raw.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\GroupSearch.png.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\ImportSelect.png.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\ImportSelect.png.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\GetRestart.raw.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\GetRestart.raw.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\SuspendRegister.tiff.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\SuspendRegister.tiff.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\WaitRestore.png.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\GroupSearch.png.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\GroupSearch.png.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\PushRemove.tif.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\PushRemove.tif.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\DisableApprove.png.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\DisableApprove.png.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\DisableApprove.png.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ImportSelect.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\GroupSearch.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\GroupSearch.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ImportSelect.png.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\Users\Admin\Pictures\GroupSearch.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\GetRestart.raw.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\GetRestart.raw.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File renamed	C:\Users\Admin\Pictures\WaitRestore.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock => C:\Users\Admin\Pictures\WaitRestore.png.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

description	ioc	process
File opened for modification	C:\DOCUME~1\Admin\Links\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\SYSTEM~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Searches\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOCUME~1\MYMUSI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ADMINI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\APPLIC~1\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\FAVORI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\SYSTEM~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\ACCOUN~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\ACCESS~2\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\SYSTEM~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\SYSTEM~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ADMINI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\ADMINI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\Startup\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\Desktop\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\LIBRAR~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYMUSI~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYPICT~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOCUME~1\MYVIDE~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOWNLO~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Desktop\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Recent\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOCUME~1\MYPICT~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\Startup\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\1033\DATASE~1\DESKTOP.INI	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\SAVEDG~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\MAINTE~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\ACCESS~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYVIDE~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\Videos\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Public\DOCUME~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\MAINTE~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\FAVORI~1\Links\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\ACCESS~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\SYSTEM~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Default\SendTo\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\MAINTE~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\APPLIC~1\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYPICT~1\SAVEDP~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\MAINTE~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\Contacts\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOCUME~1\MYPICT~1\CAMERA~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\Startup\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~2\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~1\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\DOWNLO~1\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\OneDrive\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\SendTo\Desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

vssadmin.exevssadmin.exe

description ioc process

File opened (read-only) \??\D: vssadmin.exe
File opened (read-only) \??\D: vssadmin.exe

description	ioc	process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

description	ioc	process
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\images\s_ellipses_selected.svg.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\ON-BOA~1\js\nls\ru-ru\ui-strings.js.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\MISSIO~1\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\SIGNAT~1\images\themes\dark\bun.png	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\UEV\INBOXT~1\MicrosoftLync2013Win64.xml.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\140__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\640__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\BIBLIO~1\Style\ISO690Nmerical.XSL.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\131__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\MISSIO~1\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\ProjectProO365R_SubTrial-pl.xrm-ms	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\DESKTO~2\js\plugin.js	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\385__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{23CB5~1\customizations.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\home\images\themes\dark\icons_retina.png.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\MISSIO~1\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\LOGOIM~1\PowerPntLogo.scale-80.png	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\VideoLAN\VLC\locale\fa\LC_MES~1\vlc.mo	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\ON-BOA~1\images\THEMEL~1\et_get.svg	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\241__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\BIBLIO~1\Style\GostName.XSL	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\658__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\MICROS~1\Network\DOWNLO~1\qmgr.db.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\MISSIO~1\plugins\ORGECL~2.V20\images\macGrey.png	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\OB-PRE~1\js\nls\ar-ae\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\MISSIO~1\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\AccessVL_MAK-ul-phn.xrm-ms.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\MICROS~1\UEV\INBOXT~1\MicrosoftSkypeForBusiness2016Win32.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\visualvm\visualvm\UPDATE~1\com-sun-tools-visualvm-host-views.xml	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\home\js\nls\fr-fr\ui-strings.js	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\DIAGNO~1\ETLLogs\SHUTDO~1\AutoLogger-Diagtrack-Listener.etl.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\Network\DOWNLO~1\edb.log.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\ProPlusVL_KMS_Client-ppd.xrm-ms.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\MICROS~1\UEV\INBOXT~1\MicrosoftOffice2016BackupWin32.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\237__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\Oracle\Java\INSTAL~1\baseimagefam8.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\LICENS~1\VisioStdCO365R_SubTest-ppd.xrm-ms.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\1033\QUICKS~1\Classic.dotx.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\ON-BOA~1\images\THEMEL~1\da_get.svg.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\SIGNAT~1\images\share_icons.png.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\DIAGNO~1\DOWNLO~1\WINDOWS.PERFTRACKPOINTDATA.xml	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{7A30A~1\customizations.xml.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\105__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~1\VideoLAN\VLC\locale\gl\LC_MES~1\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\APP-CE~1\js\nls\hu-hu\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\DESKTO~2\js\nls\fr-ma\ui-strings.js.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\ODBCDR~1\SALESF~1\lib\cacerts.pem	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Mozilla\updates\308046~1\update-config.json.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\STARTM~1\Programs\ACCESS~1\Desktop.ini.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\Java\JDK18~1.0_6\lib\MISSIO~1\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~1\VideoLAN\VLC\lua\http\css\UI-LIG~1\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{33D78~1\MasterDatastore.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\PROVIS~1\{C8A32~1\Prov\RunTime\373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\MICROS~1\CLICKT~1\{9AC08~1\C2RManifest.Proof.Culture.msi.16.es-es.xml.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock.proLock	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WEBRES~1\RESOUR~1\static\js\plugins\ON-BOA~1\images\THEMEL~1\LOCALI~1\da-dk\AppStore_icon.svg	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File created	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\DEVICE~2\[HOW TO RECOVER FILES].TXT	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

5100 net.exe
Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

4304 vssadmin.exe
1344 vssadmin.exe
1728 vssadmin.exe
2132 vssadmin.exe
2964 vssadmin.exe
908 vssadmin.exe
Runs net.exe

pid	process
5100	net.exe

pid	process
4304	vssadmin.exe
1344	vssadmin.exe
1728	vssadmin.exe
2132	vssadmin.exe
2964	vssadmin.exe
908	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exetaskmgr.exe

pid	process
4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

pid process

4400 dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exevssvc.exetaskmgr.exe

description	pid	process
Token: SeSecurityPrivilege	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeTakeOwnershipPrivilege	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeBackupPrivilege	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeRestorePrivilege	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeManageVolumePrivilege	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeDebugPrivilege	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeBackupPrivilege	2060	vssvc.exe
Token: SeRestorePrivilege	2060	vssvc.exe
Token: SeAuditPrivilege	2060	vssvc.exe
Token: SeDebugPrivilege	3008	taskmgr.exe
Token: SeSystemProfilePrivilege	3008	taskmgr.exe
Token: SeCreateGlobalPrivilege	3008	taskmgr.exe
Token: 33	3008	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3008	taskmgr.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

taskmgr.exe

pid	process
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

taskmgr.exe

pid	process
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe
3008	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4400 wrote to memory of 4480	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 4480	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 4480	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 4432	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 4432	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 4432	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4480 wrote to memory of 4576	4480	net.exe	net1.exe
PID 4480 wrote to memory of 4576	4480	net.exe	net1.exe
PID 4480 wrote to memory of 4576	4480	net.exe	net1.exe
PID 4432 wrote to memory of 4632	4432	net.exe	net1.exe
PID 4432 wrote to memory of 4632	4432	net.exe	net1.exe
PID 4432 wrote to memory of 4632	4432	net.exe	net1.exe
PID 4400 wrote to memory of 4540	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 4540	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 4540	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4540 wrote to memory of 360	4540	net.exe	net1.exe
PID 4540 wrote to memory of 360	4540	net.exe	net1.exe
PID 4540 wrote to memory of 360	4540	net.exe	net1.exe
PID 4400 wrote to memory of 4668	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 4668	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 4668	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4668 wrote to memory of 660	4668	net.exe	net1.exe
PID 4668 wrote to memory of 660	4668	net.exe	net1.exe
PID 4668 wrote to memory of 660	4668	net.exe	net1.exe
PID 4400 wrote to memory of 872	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 872	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 872	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 872 wrote to memory of 1028	872	net.exe	net1.exe
PID 872 wrote to memory of 1028	872	net.exe	net1.exe
PID 872 wrote to memory of 1028	872	net.exe	net1.exe
PID 4400 wrote to memory of 1132	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 1132	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 1132	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 1132 wrote to memory of 1420	1132	net.exe	net1.exe
PID 1132 wrote to memory of 1420	1132	net.exe	net1.exe
PID 1132 wrote to memory of 1420	1132	net.exe	net1.exe
PID 4400 wrote to memory of 1564	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 1564	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 1564	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 1564 wrote to memory of 1816	1564	net.exe	net1.exe
PID 1564 wrote to memory of 1816	1564	net.exe	net1.exe
PID 1564 wrote to memory of 1816	1564	net.exe	net1.exe
PID 4400 wrote to memory of 1884	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 1884	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 1884	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 1884 wrote to memory of 2432	1884	net.exe	net1.exe
PID 1884 wrote to memory of 2432	1884	net.exe	net1.exe
PID 1884 wrote to memory of 2432	1884	net.exe	net1.exe
PID 4400 wrote to memory of 2560	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 2560	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 2560	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2560 wrote to memory of 2840	2560	net.exe	net1.exe
PID 2560 wrote to memory of 2840	2560	net.exe	net1.exe
PID 2560 wrote to memory of 2840	2560	net.exe	net1.exe
PID 4400 wrote to memory of 3112	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 3112	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 3112	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3112 wrote to memory of 3888	3112	net.exe	net1.exe
PID 3112 wrote to memory of 3888	3112	net.exe	net1.exe
PID 3112 wrote to memory of 3888	3112	net.exe	net1.exe
PID 4400 wrote to memory of 3220	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 3220	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4400 wrote to memory of 3220	4400	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3220 wrote to memory of 4684	3220	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
"C:\Users\Admin\AppData\Local\Temp\dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "CSFalconService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "CSFalconService" /y
3⤵
PID:4576

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "McAfeeFramework" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeFramework" /y
3⤵
PID:4632

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Alerter" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alerter" /y
3⤵
PID:360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "AcronisAgent" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AcronisAgent" /y
3⤵
PID:660

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
3⤵
PID:1028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecAgentAccelerator" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
3⤵
PID:1420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecDeviceMediaService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
3⤵
PID:1816

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecJobEngine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
3⤵
PID:2432

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecManagementService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecManagementService" /y
3⤵
PID:2840

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecRPCService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecRPCService" /y
3⤵
PID:3888

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecVSSProvider" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
3⤵
PID:4684

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "DFSR" /y
2⤵
PID:4268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "DFSR" /y
3⤵
PID:4908

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPIntegrationService" /y
2⤵
PID:4968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPIntegrationService" /y
3⤵
PID:1160

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPProtectedService" /y
2⤵
PID:5076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPProtectedService" /y
3⤵
PID:4836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPSecurityService" /y
2⤵
PID:2216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPSecurityService" /y
3⤵
PID:5024

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPUpdateService" /y
2⤵
PID:5008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPUpdateService" /y
3⤵
PID:3480

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MB3Service" /y
2⤵
PID:4036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MB3Service" /y
3⤵
PID:3852

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MBAMService" /y
2⤵
PID:4756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBAMService" /y
3⤵
PID:2772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MBEndpointAgent" /y
2⤵
PID:1196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBEndpointAgent" /y
3⤵
PID:2172

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeES" /y
2⤵
PID:368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeES" /y
3⤵
PID:4940

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMGMT" /y
2⤵
PID:1048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
3⤵
PID:952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMTA" /y
2⤵
PID:700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMTA" /y
3⤵
PID:1488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeSA" /y
2⤵
PID:4680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSA" /y
3⤵
PID:1608

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeSRS" /y
2⤵
PID:2300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSRS" /y
3⤵
PID:1956

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeADTopology" /y
2⤵
PID:3332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeADTopology" /y
3⤵
PID:2148

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeDelivery" /y
2⤵
PID:2344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeDelivery" /y
3⤵
PID:2968

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeDiagnostics" /y
2⤵
PID:2964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeDiagnostics" /y
3⤵
PID:4828

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeEdgeSync" /y
2⤵
PID:3784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeEdgeSync" /y
3⤵
PID:3944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeHM" /y
2⤵
PID:3244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeHM" /y
3⤵
PID:2880

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeHMRecovery" /y
2⤵
PID:3560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeHMRecovery" /y
3⤵
PID:4348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeIS" /y
2⤵
PID:4528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeIS" /y
3⤵
PID:1064

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMailboxReplication" /y
2⤵
PID:1604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMailboxReplication" /y
3⤵
PID:4012

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeRPC" /y
2⤵
PID:4996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeRPC" /y
3⤵
PID:1716

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeRepl" /y
2⤵
PID:3444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeRepl" /y
3⤵
PID:2864

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeServiceHost" /y
2⤵
PID:5028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeServiceHost" /y
3⤵
PID:4924

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeTransport" /y
2⤵
PID:1068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeTransport" /y
3⤵
PID:5084

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeUM" /y
2⤵
PID:2340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeUM" /y
3⤵
PID:4256

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeUMCR" /y
2⤵
PID:1028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeUMCR" /y
3⤵
PID:1832

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$*" /y
2⤵
PID:4940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$*" /y
3⤵
PID:4560

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y
2⤵
PID:760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
3⤵
PID:3360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MsDtsServer" /y
2⤵
PID:4932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer" /y
3⤵
PID:4620

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MySQL57" /y
2⤵
PID:4124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MySQL57" /y
3⤵
PID:908

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "OSearch15" /y
2⤵
PID:3708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OSearch15" /y
3⤵
PID:1120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "OracleClientCache80" /y
2⤵
PID:596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OracleClientCache80" /y
3⤵
PID:2956

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "QuickBooksDB25" /y
2⤵
PID:2832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "QuickBooksDB25" /y
3⤵
PID:1304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPAdminV4" /y
2⤵
PID:4236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPAdminV4" /y
3⤵
PID:4036

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPSearchHostController" /y
2⤵
PID:3036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPSearchHostController" /y
3⤵
PID:1356

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPTraceV4" /y
2⤵
PID:4436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPTraceV4" /y
3⤵
PID:1300

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPUserCodeV4" /y
2⤵
PID:1272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPUserCodeV4" /y
3⤵
PID:5048

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPWriterV4" /y
2⤵
PID:1884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPWriterV4" /y
3⤵
PID:4444

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBrowser" /y
2⤵
PID:3748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBrowser" /y
3⤵
PID:4304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLSafeOLRService" /y
2⤵
PID:1688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
3⤵
PID:4460

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
2⤵
PID:1684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
3⤵
PID:4524

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLSERVERAGENT" /y
2⤵
PID:4456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
3⤵
PID:2328

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLTELEMETRY" /y
2⤵
PID:1376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
3⤵
PID:2520

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBackups" /y
2⤵
PID:2164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBackups" /y
3⤵
PID:2200

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$*" /y
2⤵
PID:2292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$*" /y
3⤵
PID:3120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$*" /y
2⤵
PID:2132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$*" /y
3⤵
PID:3008

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSMQ" /y
2⤵
PID:3856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSMQ" /y
3⤵
PID:2720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer" /y
2⤵
PID:4116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer" /y
3⤵
PID:3352

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$*" /y
2⤵
PID:3776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$*" /y
3⤵
PID:3720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLWriter" /y
2⤵
PID:3936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLWriter" /y
3⤵
PID:2244

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBackupAgent" /y
2⤵
PID:3216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBackupAgent" /y
3⤵
PID:2320

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
2⤵
PID:4084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
3⤵
PID:1064

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SyncoveryVSSService" /y
2⤵
PID:436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SyncoveryVSSService" /y
3⤵
PID:4292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamBackupSvc" /y
2⤵
PID:2860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
3⤵
PID:3160

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamCatalogSvc" /y
2⤵
PID:1496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
3⤵
PID:5044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamCloudSvc" /y
2⤵
PID:3272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
3⤵
PID:1036

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamEndpointBackupSvc" /y
2⤵
PID:4956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEndpointBackupSvc" /y
3⤵
PID:1044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamEnterpriseManagerSvc" /y
2⤵
PID:2816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
3⤵
PID:4088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamMountSvc" /y
2⤵
PID:3912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamMountSvc" /y
3⤵
PID:316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamNFSSvc" /y
2⤵
PID:4692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
3⤵
PID:1028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamRESTSvc" /y
2⤵
PID:2836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
3⤵
PID:1160

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamTransportSvc /y
2⤵
PID:4936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamTransportSvc /y
3⤵
PID:1492

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
2⤵
PID:944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:4576

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "epag" /y
2⤵
PID:3108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "epag" /y
3⤵
PID:4752

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "epredline" /y
2⤵
PID:520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "epredline" /y
3⤵
PID:4892

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "mozyprobackup" /y
2⤵
PID:2796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mozyprobackup" /y
3⤵
PID:1336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "masvc" /y
2⤵
PID:4248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "masvc" /y
3⤵
PID:2900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "macmnsvc" /y
2⤵
PID:2620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "macmnsvc" /y
3⤵
PID:4488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "mfemms" /y
2⤵
PID:368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mfemms" /y
3⤵
PID:4656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "McAfeeDLPAgentService" /y
2⤵
PID:4980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeDLPAgentService" /y
3⤵
PID:4572

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "psqlWGE" /y
2⤵
PID:1300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "psqlWGE" /y
3⤵
PID:696

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "swprv" /y
2⤵
PID:2240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swprv" /y
3⤵
PID:2096

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "wsbexchange" /y
2⤵
PID:4804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wsbexchange" /y
3⤵
PID:4916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "WinVNC4" /y
2⤵
PID:1796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WinVNC4" /y
3⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "TMBMServer" /y
2⤵
PID:4032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TMBMServer" /y
3⤵
PID:3196

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "tmccsf" /y
2⤵
PID:5052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmccsf" /y
3⤵
PID:3096

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "tmlisten" /y
2⤵
PID:700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmlisten" /y
3⤵
PID:1188

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VSNAPVSS" /y
2⤵
PID:4680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSNAPVSS" /y
3⤵
PID:2296

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "stc_endpt_svc" /y
2⤵
PID:2072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "stc_endpt_svc" /y
3⤵
PID:2300

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "wbengine" /y
2⤵
PID:2176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:2132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "bbagent" /y
2⤵
PID:4608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "bbagent" /y
3⤵
PID:3856

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "NasPmService" /y
2⤵
PID:2968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NasPmService" /y
3⤵
PID:4116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BASupportExpressStandaloneService_N_Central" /y
2⤵
PID:744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BASupportExpressStandaloneService_N_Central" /y
3⤵
PID:3776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BASupportExpressSrvcUpdater_N_Central" /y
2⤵
PID:3896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BASupportExpressSrvcUpdater_N_Central" /y
3⤵
PID:3936

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "hasplms" /y
2⤵
PID:3204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "hasplms" /y
3⤵
PID:3216

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EqlVss" /y
2⤵
PID:2880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EqlVss" /y
3⤵
PID:4084

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EqlReqService" /y
2⤵
PID:4076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EqlReqService" /y
3⤵
PID:436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "RapidRecoveryAgent" /y
2⤵
PID:4528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "RapidRecoveryAgent" /y
3⤵
PID:2860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "YTBackup" /y
2⤵
PID:3184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "YTBackup" /y
3⤵
PID:1496

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "vhdsvc" /y
2⤵
PID:5000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "vhdsvc" /y
3⤵
PID:3272

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "TeamViewer" /y
2⤵
- Discovers systems in the same network
PID:5100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TeamViewer" /y
3⤵
PID:4956

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$SQL_2008" /y
2⤵
PID:1016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
3⤵
PID:3760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$SYSTEM_BGC" /y
2⤵
PID:5096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
3⤵
PID:3912

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$TPS" /y
2⤵
PID:1952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
3⤵
PID:4692

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$TPSAMA" /y
2⤵
PID:4252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
3⤵
PID:2836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$BKUPEXEC" /y
2⤵
PID:4644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
3⤵
PID:4936

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$ECWDB2" /y
2⤵
PID:4188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
3⤵
PID:944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PRACTICEMGT" /y
2⤵
PID:4132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
3⤵
PID:3108

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PRACTTICEBGC" /y
2⤵
PID:408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
3⤵
PID:520

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PROD" /y
2⤵
PID:592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROD" /y
3⤵
PID:2796

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PROFXENGAGEMENT" /y
2⤵
PID:2820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
3⤵
PID:4248

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SBSMONITORING" /y
2⤵
PID:404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
3⤵
PID:4036

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SHAREPOINT" /y
2⤵
PID:4488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
3⤵
PID:1508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SOPHOS" /y
2⤵
PID:1432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
3⤵
PID:1132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SQL_2008" /y
2⤵
PID:1792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
3⤵
PID:320

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SQLEXPRESS" /y
2⤵
PID:3844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
3⤵
PID:2240

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SYSTEM_BGC" /y
2⤵
PID:60

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
3⤵
PID:4716

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$TPS" /y
2⤵
PID:4480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPS" /y
3⤵
PID:1564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$TPSAMA" /y
2⤵
PID:1196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
3⤵
PID:2076

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2008R2" /y
2⤵
PID:1488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
3⤵
PID:4512

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2012" /y
2⤵
PID:1772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
3⤵
PID:1476

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher" /y
2⤵
PID:1908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
3⤵
PID:1800

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
2⤵
PID:2284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
3⤵
PID:3120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SBSMONITORING" /y
2⤵
PID:2532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
3⤵
PID:2148

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SHAREPOINT" /y
2⤵
PID:2924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
3⤵
PID:2720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SQL_2008" /y
2⤵
PID:980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
3⤵
PID:3352

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SYSTEM_BGC" /y
2⤵
PID:3784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
3⤵
PID:3720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPS" /y
2⤵
PID:3264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
3⤵
PID:3232

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPSAMA" /y
2⤵
PID:3244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
3⤵
PID:3664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y
2⤵
PID:3224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
3⤵
PID:4536

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper" /y
2⤵
PID:912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
3⤵
PID:4292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100" /y
2⤵
PID:436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
3⤵
PID:2352

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerOLAPService" /y
2⤵
PID:2860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
3⤵
PID:3184

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$BKUPEXEC" /y
2⤵
PID:1040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
3⤵
PID:5000

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$CITRIX_METAFRAME" /y
2⤵
PID:1324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
3⤵
PID:5100

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$CXDB" /y
2⤵
PID:812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
3⤵
PID:1700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$ECWDB2" /y
2⤵
PID:3760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
3⤵
PID:5096

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEBGC" /y
2⤵
PID:1516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
3⤵
PID:1952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEMGT" /y
2⤵
PID:4592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
3⤵
PID:1856

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PROD" /y
2⤵
PID:1664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
3⤵
PID:1492

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PROFXENGAGEMENT" /y
2⤵
PID:4936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
3⤵
PID:4188

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SBSMONITORING" /y
2⤵
PID:2772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
3⤵
PID:4132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SHAREPOINT" /y
2⤵
PID:4704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
3⤵
PID:408

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SOPHOS" /y
2⤵
PID:524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
3⤵
PID:1336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SQL_2008" /y
2⤵
PID:1288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
3⤵
PID:2820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SQLEXPRESS" /y
2⤵
PID:4272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
3⤵
PID:404

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SYSTEM_BGC" /y
2⤵
PID:3348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
3⤵
PID:4488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$TPS" /y
2⤵
PID:5004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
3⤵
PID:4436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$TPSAMA" /y
2⤵
PID:4580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
3⤵
PID:320

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2008R2" /y
2⤵
PID:2192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
3⤵
PID:1884

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2012" /y
2⤵
PID:2784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
3⤵
PID:3748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$SQL_2008" /y
2⤵
PID:3472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
3⤵
PID:2460

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$SYSTEM_BGC" /y
2⤵
PID:1600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
3⤵
PID:4452

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$TPS" /y
2⤵
PID:4284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPS" /y
3⤵
PID:4468

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$TPSAMA" /y
2⤵
PID:3096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
3⤵
PID:1888

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1344

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=D: /on=D: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1728

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=D: /on=D: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2132

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2964

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:908

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:4304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DFBD62~1.EXE >> NUL
2⤵
PID:3444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3644

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3008