22457bbeee5f0c20c4272b72c1d0d34991753d6d84802ba56cdd9d11155d043d

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
26/09/2023, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
Size

301KB
MD5

4ae8efc6c80fe086aa27117619718fc2
SHA1

09170b8fd03258b0deaa7b881c46180818b88381
SHA256

25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708
SHA512

31aacad5277a2a6f8199be9bd457749689d678ae74c5eefe26165c3f1f369ad579ee279d26d6460ebaf7ffaef12c1bb5b53294a9c3d724c6288a0b8da3d7b539
SSDEEP

6144:a9GxIp80vvgsYW0/kNAhHDQGsarUs7/TvgfBEwmXjAbImzFps1Se:aYI/6MN0jQjbs7cBEaJzk/

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\Recovery\!LostTrustEncoded.txt

Ransom Note

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- .##........#######...######..########.########.########..##.....##..######..######## .##.......##.....##.##....##....##.......##....##.....##.##.....##.##....##....##... .##.......##.....##.##..........##.......##....##.....##.##.....##.##..........##... .##.......##.....##..######.....##.......##....########..##.....##..######.....##... .##.......##.....##.......##....##.......##....##...##...##.....##.......##....##... .##.......##.....##.##....##....##.......##....##....##..##.....##.##....##....##... .########..#######...######.....##.......##....##.....##..#######...######.....##... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- To the board of directors. Your network has been attacked through various vulnerabilities found in your system. We have gained full access to the entire network infrastructure. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Our team has an extensive background in legal and so called white hat hacking. However, clients usually considered the found vulnerabilities to be minor and poorly paid for our services. So we decided to change our business model. Now you understand how important it is to allocate a good budget for IT security. This is serious business for us and we really don't want to ruin your privacy, reputation and a company. We just want to get paid for our work whist finding vulnerabilities in various networks. Your files are currently encrypted with our tailor made state of the art algorithm. Don't try to terminate unknown processes, don't shutdown the servers, do not unplug drives, all this can lead to partial or complete data loss. We have also managed to download a large amount of various, crucial data from your network. A complete list of files and samples will be provided upon request. We can decrypt a couple of files for free. The size of each file must be no more than 5 megabytes. All your data will be successfully decrypted immediately after your payment. You will also receive a detailed list of vulnerabilities used to gain access to your network. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- If you refuse to cooperate with us, it will lead to the following consequences for your company: 1. All data downloaded from your network will be published for free or even sold 2. Your system will be re-attacked continuously, now that we know all your weak spots 3. We will also attack your partners and suppliers using info obtained from your network 4. It can lead to legal actions against you for data breaches +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- !!!!Instructions for contacting our team!!!! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- ---> Download and install TOR browser from this site : https://torproject.org ---> For contact us via LIVE CHAT open our website : http://hscr6cjzhgoybibuzn2xud7u4crehuoo4ykw3swut7m7irde74hdfzyd.onion/s/qnwbjsfd ---> If Tor is restricted in your area, use VPN ---> All your Data will be published in 3 Days if NO contact made ---> Your Decryption keys will be permanently destroyed in 3 Days if no contact made ---> Your Data will be published if you will hire third-party negotiators to contact us �

URLs

http://hscr6cjzhgoybibuzn2xud7u4crehuoo4ykw3swut7m7irde74hdfzyd.onion/s/qnwbjsfd

Signatures

Clears Windows event logs 1 TTPs 16 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
2212	wevtutil.exe
2384	wevtutil.exe
2824	wevtutil.exe
2112	wevtutil.exe
904	wevtutil.exe
1972	wevtutil.exe
2248	wevtutil.exe
1932	wevtutil.exe
2688	wevtutil.exe
2512	wevtutil.exe
2792	wevtutil.exe
2236	wevtutil.exe
2492	wevtutil.exe
2036	wevtutil.exe
2144	wevtutil.exe
3068	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7053) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Perspective.eftx.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0332268.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBRPH2.POC.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kabul.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00544_.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00178_.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01840_.GIF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18182_.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00557_.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107458.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1036\MSO.ACL.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MET.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090089.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00267_.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174315.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN110.XML.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01138_.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01168_.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Fancy.dotx.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.REST.IDX_DLL.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana.css.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00601_.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01130_.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Eucla.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00902_.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_F_COL.HXK.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18246_.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293236.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN011.XML.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0286068.WMF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2724	sc.exe
2960	sc.exe
2100	sc.exe
2132	sc.exe
1244	sc.exe
1864	sc.exe
1124	sc.exe
1816	sc.exe
1472	sc.exe
2648	sc.exe
2896	sc.exe
2920	sc.exe
2568	sc.exe
2800	sc.exe
3016	sc.exe
1072	sc.exe
1476	sc.exe
3024	sc.exe
440	sc.exe
1616	sc.exe
1928	sc.exe
1072	sc.exe
2236	sc.exe
1880	sc.exe
2064	sc.exe
1596	sc.exe
2064	sc.exe
2940	sc.exe
868	sc.exe
2672	sc.exe
1272	sc.exe
2896	sc.exe
1192	sc.exe
2436	sc.exe
1576	sc.exe
2832	sc.exe
2100	sc.exe
2816	sc.exe
2648	sc.exe
2312	sc.exe
1480	sc.exe
2748	sc.exe
1944	sc.exe
544	sc.exe
1656	sc.exe
2496	sc.exe
2644	sc.exe
2596	sc.exe
2220	sc.exe
2300	sc.exe
2544	sc.exe
1636	sc.exe
2164	sc.exe
2760	sc.exe
2076	sc.exe
1408	sc.exe
2824	sc.exe
1084	sc.exe
2352	sc.exe
1632	sc.exe
2388	sc.exe
1648	sc.exe
2880	sc.exe
1756	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 4 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
440	vssadmin.exe
2532	vssadmin.exe
2668	vssadmin.exe
2032	vssadmin.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
1200	taskkill.exe
2092	taskkill.exe
2260	taskkill.exe
1616	taskkill.exe
3036	taskkill.exe
2668	taskkill.exe
1804	taskkill.exe
2100	taskkill.exe
1752	taskkill.exe
1896	taskkill.exe
2032	taskkill.exe
2152	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	904	wevtutil.exe
Token: SeBackupPrivilege	904	wevtutil.exe
Token: SeSecurityPrivilege	2384	wevtutil.exe
Token: SeBackupPrivilege	2384	wevtutil.exe
Token: SeSecurityPrivilege	1972	wevtutil.exe
Token: SeBackupPrivilege	1972	wevtutil.exe
Token: SeSecurityPrivilege	2036	wevtutil.exe
Token: SeBackupPrivilege	2036	wevtutil.exe
Token: SeBackupPrivilege	1036	vssvc.exe
Token: SeRestorePrivilege	1036	vssvc.exe
Token: SeAuditPrivilege	1036	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2600	WMIC.exe
Token: SeSecurityPrivilege	2600	WMIC.exe
Token: SeTakeOwnershipPrivilege	2600	WMIC.exe
Token: SeLoadDriverPrivilege	2600	WMIC.exe
Token: SeSystemProfilePrivilege	2600	WMIC.exe
Token: SeSystemtimePrivilege	2600	WMIC.exe
Token: SeProfSingleProcessPrivilege	2600	WMIC.exe
Token: SeIncBasePriorityPrivilege	2600	WMIC.exe
Token: SeCreatePagefilePrivilege	2600	WMIC.exe
Token: SeBackupPrivilege	2600	WMIC.exe
Token: SeRestorePrivilege	2600	WMIC.exe
Token: SeShutdownPrivilege	2600	WMIC.exe
Token: SeDebugPrivilege	2600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2600	WMIC.exe
Token: SeRemoteShutdownPrivilege	2600	WMIC.exe
Token: SeUndockPrivilege	2600	WMIC.exe
Token: SeManageVolumePrivilege	2600	WMIC.exe
Token: 33	2600	WMIC.exe
Token: 34	2600	WMIC.exe
Token: 35	2600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2600	WMIC.exe
Token: SeSecurityPrivilege	2600	WMIC.exe
Token: SeTakeOwnershipPrivilege	2600	WMIC.exe
Token: SeLoadDriverPrivilege	2600	WMIC.exe
Token: SeSystemProfilePrivilege	2600	WMIC.exe
Token: SeSystemtimePrivilege	2600	WMIC.exe
Token: SeProfSingleProcessPrivilege	2600	WMIC.exe
Token: SeIncBasePriorityPrivilege	2600	WMIC.exe
Token: SeCreatePagefilePrivilege	2600	WMIC.exe
Token: SeBackupPrivilege	2600	WMIC.exe
Token: SeRestorePrivilege	2600	WMIC.exe
Token: SeShutdownPrivilege	2600	WMIC.exe
Token: SeDebugPrivilege	2600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2600	WMIC.exe
Token: SeRemoteShutdownPrivilege	2600	WMIC.exe
Token: SeUndockPrivilege	2600	WMIC.exe
Token: SeManageVolumePrivilege	2600	WMIC.exe
Token: 33	2600	WMIC.exe
Token: 34	2600	WMIC.exe
Token: 35	2600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2300	WMIC.exe
Token: SeSecurityPrivilege	2300	WMIC.exe
Token: SeTakeOwnershipPrivilege	2300	WMIC.exe
Token: SeLoadDriverPrivilege	2300	WMIC.exe
Token: SeSystemProfilePrivilege	2300	WMIC.exe
Token: SeSystemtimePrivilege	2300	WMIC.exe
Token: SeProfSingleProcessPrivilege	2300	WMIC.exe
Token: SeIncBasePriorityPrivilege	2300	WMIC.exe
Token: SeCreatePagefilePrivilege	2300	WMIC.exe
Token: SeBackupPrivilege	2300	WMIC.exe
Token: SeRestorePrivilege	2300	WMIC.exe
Token: SeShutdownPrivilege	2300	WMIC.exe
Token: SeDebugPrivilege	2300	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 484	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	29
PID 2456 wrote to memory of 484	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	29
PID 2456 wrote to memory of 484	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	29
PID 2456 wrote to memory of 484	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	29
PID 484 wrote to memory of 904	484	cmd.exe	31
PID 484 wrote to memory of 904	484	cmd.exe	31
PID 484 wrote to memory of 904	484	cmd.exe	31
PID 484 wrote to memory of 904	484	cmd.exe	31
PID 2456 wrote to memory of 2504	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	32
PID 2456 wrote to memory of 2504	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	32
PID 2456 wrote to memory of 2504	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	32
PID 2456 wrote to memory of 2504	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	32
PID 2504 wrote to memory of 2384	2504	cmd.exe	34
PID 2504 wrote to memory of 2384	2504	cmd.exe	34
PID 2504 wrote to memory of 2384	2504	cmd.exe	34
PID 2504 wrote to memory of 2384	2504	cmd.exe	34
PID 2456 wrote to memory of 832	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	35
PID 2456 wrote to memory of 832	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	35
PID 2456 wrote to memory of 832	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	35
PID 2456 wrote to memory of 832	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	35
PID 832 wrote to memory of 1972	832	cmd.exe	37
PID 832 wrote to memory of 1972	832	cmd.exe	37
PID 832 wrote to memory of 1972	832	cmd.exe	37
PID 832 wrote to memory of 1972	832	cmd.exe	37
PID 2456 wrote to memory of 2560	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	38
PID 2456 wrote to memory of 2560	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	38
PID 2456 wrote to memory of 2560	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	38
PID 2456 wrote to memory of 2560	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	38
PID 2560 wrote to memory of 2036	2560	cmd.exe	40
PID 2560 wrote to memory of 2036	2560	cmd.exe	40
PID 2560 wrote to memory of 2036	2560	cmd.exe	40
PID 2560 wrote to memory of 2036	2560	cmd.exe	40
PID 2456 wrote to memory of 1632	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	42
PID 2456 wrote to memory of 1632	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	42
PID 2456 wrote to memory of 1632	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	42
PID 2456 wrote to memory of 1632	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	42
PID 1632 wrote to memory of 440	1632	cmd.exe	44
PID 1632 wrote to memory of 440	1632	cmd.exe	44
PID 1632 wrote to memory of 440	1632	cmd.exe	44
PID 1632 wrote to memory of 440	1632	cmd.exe	44
PID 2456 wrote to memory of 2712	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	46
PID 2456 wrote to memory of 2712	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	46
PID 2456 wrote to memory of 2712	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	46
PID 2456 wrote to memory of 2712	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	46
PID 2712 wrote to memory of 2600	2712	cmd.exe	48
PID 2712 wrote to memory of 2600	2712	cmd.exe	48
PID 2712 wrote to memory of 2600	2712	cmd.exe	48
PID 2712 wrote to memory of 2600	2712	cmd.exe	48
PID 2456 wrote to memory of 1628	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	50
PID 2456 wrote to memory of 1628	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	50
PID 2456 wrote to memory of 1628	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	50
PID 2456 wrote to memory of 1628	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	50
PID 1628 wrote to memory of 2300	1628	cmd.exe	52
PID 1628 wrote to memory of 2300	1628	cmd.exe	52
PID 1628 wrote to memory of 2300	1628	cmd.exe	52
PID 1628 wrote to memory of 2300	1628	cmd.exe	52
PID 2456 wrote to memory of 2536	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	53
PID 2456 wrote to memory of 2536	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	53
PID 2456 wrote to memory of 2536	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	53
PID 2456 wrote to memory of 2536	2456	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	53
PID 2536 wrote to memory of 2824	2536	cmd.exe	55
PID 2536 wrote to memory of 2824	2536	cmd.exe	55
PID 2536 wrote to memory of 2824	2536	cmd.exe	55
PID 2536 wrote to memory of 2824	2536	cmd.exe	55

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
"C:\Users\Admin\AppData\Local\Temp\25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl Application
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl Application
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl security
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl security
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl setup
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl setup
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl system
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl system
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
    3⤵
    PID:892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
    3⤵
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
    3⤵
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
    3⤵
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:440
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\sc.exe
    sc config FirebirdServerDefaultInstance start= disabled
    3⤵
    - Launches sc.exe
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\sc.exe
    sc config FirebirdServerDefaultInstance start= disabled
    3⤵
    - Launches sc.exe
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM fb_inet_server.exe /F
    3⤵
    - Kills process with taskkill
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM fb_inet_server.exe /F
    3⤵
    - Kills process with taskkill
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop FirebirdServerDefaultInstance
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\net.exe
    net stop FirebirdServerDefaultInstance
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
      4⤵
      PID:1060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
  2⤵
  PID:600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM sqlservr.exe /F
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSSQLSERVER start= disabled
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start= disabled
    3⤵
    PID:900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSSQL$SQLEXPRESS start= disabled
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS start= disabled
    3⤵
    - Launches sc.exe
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQLSERVER
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:2704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQLSERVER
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
  2⤵
  PID:2720
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    PID:2564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:2580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM pg_ctl.exe /F
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM pg_ctl.exe /F
    3⤵
    - Kills process with taskkill
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config postgresql-9.0 start= disabled
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\sc.exe
    sc config postgresql-9.0 start= disabled
    3⤵
    - Launches sc.exe
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop postgresql-9.0
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\net.exe
    net stop postgresql-9.0
    3⤵
    PID:2728
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop postgresql-9.0
      4⤵
      PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeAB start= disabled
  2⤵
  PID:2680
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeAB start= disabled
    3⤵
    - Launches sc.exe
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeAntispamUpdate start= disabled
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeAntispamUpdate start= disabled
    3⤵
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeEdgeSync start= disabled
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeEdgeSync start= disabled
    3⤵
    - Launches sc.exe
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeFDS start= disabled
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeFDS start= disabled
    3⤵
    - Launches sc.exe
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeFBA start= disabled
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeFBA start= disabled
    3⤵
    - Launches sc.exe
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeImap4 start= disabled
    3⤵
    - Launches sc.exe
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeImap4 start= disabled
    3⤵
    - Launches sc.exe
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeIS start= disabled
  2⤵
  PID:3056
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeIS start= disabled
    3⤵
    - Launches sc.exe
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailSubmission start= disabled
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailSubmission start= disabled
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxAssistants start= disabled
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailboxAssistants start= disabled
    3⤵
    - Launches sc.exe
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxReplication start= disabled
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailboxReplication start= disabled
    3⤵
    - Launches sc.exe
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMonitoring start= disabled
  2⤵
  PID:744
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMonitoring start= disabled
    3⤵
    - Launches sc.exe
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangePop3 start= disabled
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangePop3 start= disabled
    3⤵
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeProtectedServiceHost start= disabled
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeProtectedServiceHost start= disabled
    3⤵
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeRPC start= disabled
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeRPC start= disabled
    3⤵
    - Launches sc.exe
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeSearch start= disable
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeSearch start= disable
    3⤵
    - Launches sc.exe
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config wsbexchange start= disabled
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\sc.exe
    sc config wsbexchange start= disabled
    3⤵
    - Launches sc.exe
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeSA start= disabled
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeSA start= disabled
    3⤵
    - Launches sc.exe
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeThrottling start= disabled
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeThrottling start= disabled
    3⤵
    - Launches sc.exe
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeTransportLogSearch start= disabled
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeTransportLogSearch start= disabled
    3⤵
    - Launches sc.exe
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeAB
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeAB
    3⤵
    PID:600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeAB
      4⤵
      PID:1440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeAntispamUpdate
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeAntispamUpdate
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
      4⤵
      PID:2584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeEdgeSync
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeEdgeSync
    3⤵
    PID:1676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeEdgeSync
      4⤵
      PID:2660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeImap4
  2⤵
  PID:796
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeImap4
    3⤵
    PID:2908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeImap4
      4⤵
      PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeMailboxReplication
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeMailboxReplication
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMailboxReplication
      4⤵
      PID:1592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeProtectedServiceHost
  2⤵
  PID:2492
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeProtectedServiceHost
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeProtectedServiceHost
      4⤵
      PID:1764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl Application
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl Application
    3⤵
    - Clears Windows event logs
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl security
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl security
    3⤵
    - Clears Windows event logs
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl setup
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl setup
    3⤵
    - Clears Windows event logs
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl system
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl system
    3⤵
    - Clears Windows event logs
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  PID:772
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
    3⤵
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
  2⤵
  PID:776
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
    3⤵
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
    3⤵
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
  2⤵
  PID:2236
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
    3⤵
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:400
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\sc.exe
    sc config FirebirdServerDefaultInstance start= disabled
    3⤵
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\sc.exe
    sc config FirebirdServerDefaultInstance start= disabled
    3⤵
    - Launches sc.exe
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM fb_inet_server.exe /F
    3⤵
    - Kills process with taskkill
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM fb_inet_server.exe /F
    3⤵
    - Kills process with taskkill
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop FirebirdServerDefaultInstance
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\net.exe
    net stop FirebirdServerDefaultInstance
    3⤵
    PID:2068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
      4⤵
      PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM sqlservr.exe /F
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSSQLSERVER start= disabled
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start= disabled
    3⤵
    - Launches sc.exe
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSSQL$SQLEXPRESS start= disabled
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS start= disabled
    3⤵
    - Launches sc.exe
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQLSERVER
  2⤵
  PID:3056
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:2832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQLSERVER
  2⤵
  PID:788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER
    3⤵
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    PID:1496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:2212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM pg_ctl.exe /F
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM pg_ctl.exe /F
    3⤵
    - Kills process with taskkill
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config postgresql-9.0 start= disabled
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\sc.exe
    sc config postgresql-9.0 start= disabled
    3⤵
    - Launches sc.exe
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop postgresql-9.0
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\net.exe
    net stop postgresql-9.0
    3⤵
    PID:1000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop postgresql-9.0
      4⤵
      PID:2364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeAB start= disabled
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeAB start= disabled
    3⤵
    - Launches sc.exe
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeAntispamUpdate start= disabled
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeAntispamUpdate start= disabled
    3⤵
    - Launches sc.exe
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeEdgeSync start= disabled
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeEdgeSync start= disabled
    3⤵
    - Launches sc.exe
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeFDS start= disabled
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeFDS start= disabled
    3⤵
    - Launches sc.exe
    PID:1124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeFBA start= disabled
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeFBA start= disabled
    3⤵
    - Launches sc.exe
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
  2⤵
  PID:900
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeImap4 start= disabled
    3⤵
    - Launches sc.exe
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeImap4 start= disabled
    3⤵
    - Launches sc.exe
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeIS start= disabled
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeIS start= disabled
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailSubmission start= disabled
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailSubmission start= disabled
    3⤵
    - Launches sc.exe
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxAssistants start= disabled
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailboxAssistants start= disabled
    3⤵
    - Launches sc.exe
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxReplication start= disabled
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailboxReplication start= disabled
    3⤵
    - Launches sc.exe
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMonitoring start= disabled
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMonitoring start= disabled
    3⤵
    - Launches sc.exe
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangePop3 start= disabled
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangePop3 start= disabled
    3⤵
    - Launches sc.exe
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeProtectedServiceHost start= disabled
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeProtectedServiceHost start= disabled
    3⤵
    - Launches sc.exe
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeRPC start= disabled
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeRPC start= disabled
    3⤵
    - Launches sc.exe
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeSearch start= disable
  2⤵
  PID:772
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeSearch start= disable
    3⤵
    - Launches sc.exe
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config wsbexchange start= disabled
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\sc.exe
    sc config wsbexchange start= disabled
    3⤵
    - Launches sc.exe
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeSA start= disabled
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeSA start= disabled
    3⤵
    - Launches sc.exe
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeThrottling start= disabled
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeThrottling start= disabled
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeTransportLogSearch start= disabled
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeTransportLogSearch start= disabled
    3⤵
    - Launches sc.exe
    PID:440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeAB
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeAB
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeAB
      4⤵
      PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeAntispamUpdate
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeAntispamUpdate
    3⤵
    PID:2864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
      4⤵
      PID:2732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeEdgeSync
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeEdgeSync
    3⤵
    PID:1400
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeEdgeSync
      4⤵
      PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeImap4
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeImap4
    3⤵
    PID:2880
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeImap4
      4⤵
      PID:2008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeMailboxReplication
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeMailboxReplication
    3⤵
    PID:616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMailboxReplication
      4⤵
      PID:1488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeProtectedServiceHost
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeProtectedServiceHost
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeProtectedServiceHost
      4⤵
      PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl Application
  2⤵
  PID:852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl Application
    3⤵
    - Clears Windows event logs
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl security
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl security
    3⤵
    - Clears Windows event logs
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl setup
  2⤵
  PID:2944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl setup
    3⤵
    - Clears Windows event logs
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl system
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl system
    3⤵
    - Clears Windows event logs
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  PID:544
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    PID:892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
  2⤵
  PID:2808
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
    3⤵
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
    3⤵
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
    3⤵
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
  2⤵
  PID:2512
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
    3⤵
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
    3⤵
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
    3⤵
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:344
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:852
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:332
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\sc.exe
    sc config FirebirdServerDefaultInstance start= disabled
    3⤵
    - Launches sc.exe
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\sc.exe
    sc config FirebirdServerDefaultInstance start= disabled
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM fb_inet_server.exe /F
    3⤵
    - Kills process with taskkill
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM fb_inet_server.exe /F
    3⤵
    - Kills process with taskkill
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop FirebirdServerDefaultInstance
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\net.exe
    net stop FirebirdServerDefaultInstance
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
      4⤵
      PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
  2⤵
  PID:1440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM sqlservr.exe /F
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSSQLSERVER start= disabled
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start= disabled
    3⤵
    - Launches sc.exe
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSSQL$SQLEXPRESS start= disabled
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS start= disabled
    3⤵
    - Launches sc.exe
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQLSERVER
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQLSERVER
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    PID:2768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    PID:2932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
  2⤵
  PID:324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
    3⤵
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM pg_ctl.exe /F
  2⤵
  PID:552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM pg_ctl.exe /F
    3⤵
    - Kills process with taskkill
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config postgresql-9.0 start= disabled
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\sc.exe
    sc config postgresql-9.0 start= disabled
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop postgresql-9.0
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\net.exe
    net stop postgresql-9.0
    3⤵
    PID:2560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop postgresql-9.0
      4⤵
      PID:2132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeAB start= disabled
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeAB start= disabled
    3⤵
    - Launches sc.exe
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeAntispamUpdate start= disabled
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeAntispamUpdate start= disabled
    3⤵
    - Launches sc.exe
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeEdgeSync start= disabled
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeEdgeSync start= disabled
    3⤵
    - Launches sc.exe
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeFDS start= disabled
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeFDS start= disabled
    3⤵
    - Launches sc.exe
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeFBA start= disabled
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeFBA start= disabled
    3⤵
    - Launches sc.exe
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeImap4 start= disabled
    3⤵
    - Launches sc.exe
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeImap4 start= disabled
    3⤵
    - Launches sc.exe
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeIS start= disabled
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeIS start= disabled
    3⤵
    - Launches sc.exe
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailSubmission start= disabled
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailSubmission start= disabled
    3⤵
    - Launches sc.exe
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxAssistants start= disabled
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailboxAssistants start= disabled
    3⤵
    - Launches sc.exe
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxReplication start= disabled
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailboxReplication start= disabled
    3⤵
    - Launches sc.exe
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMonitoring start= disabled
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMonitoring start= disabled
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangePop3 start= disabled
  2⤵
  PID:2236
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangePop3 start= disabled
    3⤵
    - Launches sc.exe
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeProtectedServiceHost start= disabled
  2⤵
  PID:568
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeProtectedServiceHost start= disabled
    3⤵
    - Launches sc.exe
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeRPC start= disabled
  2⤵
  PID:2556
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeRPC start= disabled
    3⤵
    - Launches sc.exe
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeSearch start= disable
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeSearch start= disable
    3⤵
    - Launches sc.exe
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config wsbexchange start= disabled
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\sc.exe
    sc config wsbexchange start= disabled
    3⤵
    - Launches sc.exe
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeSA start= disabled
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeSA start= disabled
    3⤵
    - Launches sc.exe
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeThrottling start= disabled
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeThrottling start= disabled
    3⤵
    - Launches sc.exe
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeTransportLogSearch start= disabled
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeTransportLogSearch start= disabled
    3⤵
    - Launches sc.exe
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeAB
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeAB
    3⤵
    PID:1300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeAB
      4⤵
      PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeAntispamUpdate
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeAntispamUpdate
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
      4⤵
      PID:1232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeEdgeSync
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeEdgeSync
    3⤵
    PID:1440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeEdgeSync
      4⤵
      PID:1332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeImap4
  2⤵
  PID:2988
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeImap4
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeImap4
      4⤵
      PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeMailboxReplication
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeMailboxReplication
    3⤵
    PID:2568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMailboxReplication
      4⤵
      PID:900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeProtectedServiceHost
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeProtectedServiceHost
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeProtectedServiceHost
      4⤵
      PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl Application
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl Application
    3⤵
    - Clears Windows event logs
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl security
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl security
    3⤵
    - Clears Windows event logs
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl setup
  2⤵
  PID:400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl setup
    3⤵
    - Clears Windows event logs
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl system
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl system
    3⤵
    - Clears Windows event logs
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  PID:640
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  PID:868
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
    3⤵
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
    3⤵
    PID:2172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.losttrustencoded

Filesize
27KB

MD5
d14aa42e206fac8a74db97000f5252e7

SHA1
b32082f2a723dc53e8224eea3111307a2ada03fa

SHA256
1c83216d4a563c279b5cb767675da35bd8bb24b6add0bb822a29eb9cbe7d4a90

SHA512
34d7e534626df47233f660532cb2b380419614a88fc86f48defce8232c2d7ef715f1c2cb26f81312d285a180013cb3ad900bc228e054776422f20e121a3f805a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_OFF.GIF.losttrustencoded

Filesize
597B

MD5
9576cb48374eb3e358c61a3ed6e65580

SHA1
d6c6173de6b3fdd8aa158844922f20799642d0b5

SHA256
6e0fd4f95d9e3c1e93a0f54145e251e48a2ac10fa7ab34cb026529c8d5f1ab36

SHA512
650017eaced4b2a18bbbffc9a9e87e1d56a7445c743e1754f0f5dbcb6374129debfdd77d4ba8b9d7df86a0e58fb8221ceef7b6e70b264c539c2c80561bf1e382

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF.losttrustencoded

Filesize
478B

MD5
eeb66397f869dae711b26444fe59f34a

SHA1
2012b7a274ac88dd7b9418fa221054f1aa9996be

SHA256
7a1365b2925be6e45319f913f50bcd16fd19baf4f9ce695b3f53d174889dd480

SHA512
4c4d55e83b3cf31b40fa8e4b533b5f24e0c81bb15ff3f98566e83e44dbfff023912ed8cf112b9c203c2a81880cb2cd7bdd62decb1104e3b8bb6a9ebcf3e63a99

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.losttrustencoded

Filesize
370B

MD5
8c6654a3a4735f7797a5d42655472edb

SHA1
ae9dc81d69816ee4eba1e64fb3eeeaa702b0fb3d

SHA256
d4e12a87c2b50e1f940b8fe78f0e7198ca095436ff80c5decfa08f076c506902

SHA512
38c45c4af34b641c34ea112bca1917028eb3a88f5c88fa37a501789568911d6ccfb6756ec4724b99e4d9d8db474d3b073608c5f7d7a5e9af18a930b4398adc1b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.losttrustencoded

Filesize
369B

MD5
4261ab883b643d4b60ee3af72951e1c8

SHA1
ad2b8ecf1fc7c4ea70549a7b186b1a3175e2d8f9

SHA256
8b6b660f5fef03e397f47ee703ac746605a6351302198aeb7d8fdb08b387ad44

SHA512
0615022820880862d66b2174fda76e93393098dd487f67091b97a3e5fc613e650f0a4da0824f20fdf65b35be24565845f9b938c46bade6140a311fa1fb6a8865

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif.losttrustencoded

Filesize
478B

MD5
9d7e2c86ca54fce6d0d6d430df8ff5c3

SHA1
24ab5b67cc743b892511110ef90e874faec5ed98

SHA256
c9b88c4a5d3e44596b346a80ce542a973addba27640c143ca865e7ba27e04f21

SHA512
50d8f51bad5fd69314292269eacfd3272b93e9ea98a71b752c00acba979cbb38556e5217e808beae66a5b95cfb8eda3e6246b6948d39d058eb79c1dc889270a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_OFF.GIF.losttrustencoded

Filesize
597B

MD5
c4d38a5153993cc60b6ebab2990c954f

SHA1
7494aa1825accd6f85f1b02d6bc305662b7a8d34

SHA256
142277b1a1b8975cc0ee0fc496b163764f3ceb58e1f52496835bdbd53daf34a8

SHA512
6a43e4737742c59bf98c034aa53ac4e56e0128d329760739b2eb0ac4fa26ffe9c69333d94d91859c6e13ed469846351e15c84084da340375bddc197e0458118e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.SE.XML.losttrustencoded

Filesize
1KB

MD5
84d32f4a966e04bb3a390180aafee3e5

SHA1
4af0c83f0cd6542b3a54a216289b1c652978b787

SHA256
a0d2971ec5747776c380e496e627134394c55ea82d4ac9c5b86b6e2689e132c9

SHA512
7456a38df3d8930f8da7b02effdee8a21e8ba60f417865e875c6dcb2a23b1dd322c21105ab0169de151488c49f7cd28b042c8d7fb9014a5800e51dea1e1fc06a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.losttrustencoded

Filesize
5KB

MD5
ab50293ea51f3b35085cf1e801d9cf8e

SHA1
6a41a6857f36ef6c592c9074cd0fd020887ba727

SHA256
0f31a897e5e2546b4cf4129bd86dd527cf1cc8ac860972a69abc1a412de355fa

SHA512
69d9c509923c9197cdc1709f9ce46603a5e2b9795dcd2857d3bb3d8eb68872dfe8023c459b6181e9e462c1564511ba8e3b1ece0e56cc3a4385335d39daf2c0e7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.losttrustencoded

Filesize
409B

MD5
68f5037442783548bdc814f79301302f

SHA1
febb9eb1a9e58d9e7a13b9042f7d341026ead96a

SHA256
1b63f70080bd3c81586b6d291fa64ca9949f4bbb819572ef49e9742b292168aa

SHA512
8cedb8c9592c7941632af940a8ad9899ccde29fa51ca0fd8d45ac8d4a391b422a8fcf99c444acf5879a34d71c5b1551afed44cdfff13f974d70c3ef940f7ffc1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10.losttrustencoded

Filesize
283B

MD5
c698751c6bde5c22764ef58f063e8710

SHA1
ec41eba2cf0932a0ac984a049b6895643e72ceb1

SHA256
42cabb27bc9d913f99acca78c259ca594aad8ae0b9f31d852971b999b7a800f1

SHA512
2454542a904b13fddf11e9306b025bb8e3a1550ebb9bbdf4dbb58e5d160d5ff3f5c84c5de4ce4e6919af7a260435d68484c89a0785e1d3dd2ddd40da610cf1ab

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5.losttrustencoded

Filesize
283B

MD5
888886cd818bbc67e3c276f940089431

SHA1
0466f0d5d5785c0af4ec7455e678067be8fb87fa

SHA256
64a49272576fc13dc05b3d3e41b91de476a4734d004bdab481e746ee314c09de

SHA512
2022a9a5f3b5e5218253597030c505356ad6dd8ad0f900e846a8c8e52450d048614528d7cc4d5f86cf3647471516c37b9e2446679f434a95fece28398a8edd60

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+7.losttrustencoded

Filesize
283B

MD5
0a1d1ae9708c128bfbcae713903457d8

SHA1
b6c13c078cf8189c68590043ac4cb37bfc1055c4

SHA256
d40091b5493f283aebf091ac4bdfb36f8d3cec238e0e76e4bcadcfa60f5fcb92

SHA512
33f93a39aef33fda3a8b87e8c6ebec51b708cd3709b93feb5e4e16be1ee23fad014cb7b4fc999fc7004a9bdec6292fec9aeb9d6852781ff00827108fbb3383f3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.losttrustencoded

Filesize
12KB

MD5
34d62455cdd9ad35d763659bb21d2900

SHA1
36a9bf7a786129c16fce4f2f17f0aed881a9470d

SHA256
5c4ca0c54c83cab93e9a69325163a8377b6f249542fd156b3cee90564a37bea5

SHA512
666bde2017bdd0c589f8b58550c1c3b750c4a2ced0a697366080f3e22b4b32f597c8716c0c452809670334e13a32771f302eb19f005a5c4c7b43a011f4563042

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html.losttrustencoded

Filesize
9KB

MD5
a2dceb0929eab4eb4f31fb5f6f7d4add

SHA1
049f1cb478b1617e599d6bf8b0a8b38d9a3e69b5

SHA256
5e92f27083be265bd76be57b019550f797b55248be207c4b77701ff9155810fd

SHA512
80bb502d6b60bb932ede05442a658165eba11a0c39f44f3a864b80dce6d8a17e5ac452cf30d281d97dc71011ff4a93ba4845cc0a4fc2f08a98b0fca88a23ee7e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.losttrustencoded

Filesize
7KB

MD5
40eee0371c1150cae3f261f5a2549048

SHA1
0ecea6407cd242f56fc992d87ed8c5d94a31c40b

SHA256
1d1613b264c15afb770e79f50728f62096505193179ef7a609adb733fd5fd574

SHA512
b5ee962679b4db37de547e5b0a0988b99922126b94262af1f607d3fc47ac9cf588e5f1d46c2098373fbd632a41e93968c23a19a1c8047fe983ee20b7007e8f40

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UCT.losttrustencoded

Filesize
283B

MD5
30e50d402f2a9969d434304aa2a70253

SHA1
10b00f866756b2a8890cce442c278b9a36894321

SHA256
7fb1ea5fc6be1e5cb24fcffa6c6d1105cd367f47385ebcfc3b7dc5b32b1f1278

SHA512
a64fb98d859ccf815d4091f98fc6c5eb2b71c9d59e06e3aa6e377a62cc7c01876fc53956e8a3b0ed3d3cfd86f684f1d1ae2c5920dccc9c0e06a44909170269da

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo.losttrustencoded

Filesize
608KB

MD5
c141b2ac26c5f90c0f294bdc09ddaa98

SHA1
dce73f900c35682402a4d4996ddab59830ba3b61

SHA256
07be1be72fd530a43bb2dc4c16401a6527081f8a67bd83aaffbbac63e81cd9a7

SHA512
7312cda91a46cd5f30cc164c29d80511d93e3f9e7c97b56fc766da214d07210135cf00f0962d8bc5914ac88be945dd955d8d53938f6abf399cc4a0fcd7c2f859

Download Submit
C:\Recovery\!LostTrustEncoded.txt

Filesize
3KB

MD5
d2e1713d4eb25a7d99db8d5562abff20

SHA1
cffc422db053f4d3e365ea8349c65a2a64f8a086

SHA256
03bd58013d50f3edb0a3d60dab984ab194bb8e826dd2dea419ef4c57965de9b6

SHA512
537b53ce6f030dcb5292c7dd5958e0b5945ff446af209d83098adb007ca196ba18642d1169994302c85a5ad8f47008f57fb57e764095c79e9c1e023b0120c9bd

Download Submit