22457bbeee5f0c20c4272b72c1d0d34991753d6d84802ba56cdd9d11155d043d

Analysis

max time kernel
143s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
26/09/2023, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
Size

301KB
MD5

4ae8efc6c80fe086aa27117619718fc2
SHA1

09170b8fd03258b0deaa7b881c46180818b88381
SHA256

25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708
SHA512

31aacad5277a2a6f8199be9bd457749689d678ae74c5eefe26165c3f1f369ad579ee279d26d6460ebaf7ffaef12c1bb5b53294a9c3d724c6288a0b8da3d7b539
SSDEEP

6144:a9GxIp80vvgsYW0/kNAhHDQGsarUs7/TvgfBEwmXjAbImzFps1Se:aYI/6MN0jQjbs7cBEaJzk/

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\Recovery\!LostTrustEncoded.txt

Ransom Note

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- .##........#######...######..########.########.########..##.....##..######..######## .##.......##.....##.##....##....##.......##....##.....##.##.....##.##....##....##... .##.......##.....##.##..........##.......##....##.....##.##.....##.##..........##... .##.......##.....##..######.....##.......##....########..##.....##..######.....##... .##.......##.....##.......##....##.......##....##...##...##.....##.......##....##... .##.......##.....##.##....##....##.......##....##....##..##.....##.##....##....##... .########..#######...######.....##.......##....##.....##..#######...######.....##... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- To the board of directors. Your network has been attacked through various vulnerabilities found in your system. We have gained full access to the entire network infrastructure. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Our team has an extensive background in legal and so called white hat hacking. However, clients usually considered the found vulnerabilities to be minor and poorly paid for our services. So we decided to change our business model. Now you understand how important it is to allocate a good budget for IT security. This is serious business for us and we really don't want to ruin your privacy, reputation and a company. We just want to get paid for our work whist finding vulnerabilities in various networks. Your files are currently encrypted with our tailor made state of the art algorithm. Don't try to terminate unknown processes, don't shutdown the servers, do not unplug drives, all this can lead to partial or complete data loss. We have also managed to download a large amount of various, crucial data from your network. A complete list of files and samples will be provided upon request. We can decrypt a couple of files for free. The size of each file must be no more than 5 megabytes. All your data will be successfully decrypted immediately after your payment. You will also receive a detailed list of vulnerabilities used to gain access to your network. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- If you refuse to cooperate with us, it will lead to the following consequences for your company: 1. All data downloaded from your network will be published for free or even sold 2. Your system will be re-attacked continuously, now that we know all your weak spots 3. We will also attack your partners and suppliers using info obtained from your network 4. It can lead to legal actions against you for data breaches +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- !!!!Instructions for contacting our team!!!! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- ---> Download and install TOR browser from this site : https://torproject.org ---> For contact us via LIVE CHAT open our website : http://hscr6cjzhgoybibuzn2xud7u4crehuoo4ykw3swut7m7irde74hdfzyd.onion/s/qnwbjsfd ---> If Tor is restricted in your area, use VPN ---> All your Data will be published in 3 Days if NO contact made ---> Your Decryption keys will be permanently destroyed in 3 Days if no contact made ---> Your Data will be published if you will hire third-party negotiators to contact us �

URLs

http://hscr6cjzhgoybibuzn2xud7u4crehuoo4ykw3swut7m7irde74hdfzyd.onion/s/qnwbjsfd

Signatures

Clears Windows event logs 1 TTPs 12 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
2192	wevtutil.exe
2516	wevtutil.exe
3656	wevtutil.exe
2140	wevtutil.exe
4292	wevtutil.exe
2540	wevtutil.exe
3392	wevtutil.exe
1092	wevtutil.exe
1732	wevtutil.exe
5948	wevtutil.exe
2268	wevtutil.exe
5148	wevtutil.exe

Renames multiple (7474) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\VideoLAN\VLC\skins\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\ui-strings.js.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\ui-strings.js.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\amd64\jvm.cfg.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tool-search.png.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close2x.png.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\comment.svg.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\View3d\!LostTrustEncoded.txt	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Cryptomining.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast.png.losttrustencoded	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe

Launches sc.exe 50 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4220	sc.exe
1704	sc.exe
648	sc.exe
5740	sc.exe
6004	sc.exe
5836	sc.exe
1640	sc.exe
5372	sc.exe
4144	sc.exe
1836	sc.exe
5676	sc.exe
5048	sc.exe
1752	sc.exe
492	sc.exe
6104	sc.exe
1060	sc.exe
2304	sc.exe
5552	sc.exe
1164	sc.exe
4288	sc.exe
6124	sc.exe
4856	sc.exe
2276	sc.exe
1172	sc.exe
4084	sc.exe
5000	sc.exe
5216	sc.exe
5516	sc.exe
60	sc.exe
5772	sc.exe
4312	sc.exe
5676	sc.exe
4908	sc.exe
2656	sc.exe
3396	sc.exe
6132	sc.exe
2832	sc.exe
808	sc.exe
4784	sc.exe
2460	sc.exe
2172	sc.exe
2236	sc.exe
4752	sc.exe
5908	sc.exe
1588	sc.exe
6040	sc.exe
3788	sc.exe
5708	sc.exe
220	sc.exe
4120	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 8 IoCs

evasion

pid	Process
5376	taskkill.exe
5956	taskkill.exe
4524	taskkill.exe
4452	taskkill.exe
5320	taskkill.exe
1596	taskkill.exe
3952	taskkill.exe
4864	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1092	wevtutil.exe
Token: SeBackupPrivilege	1092	wevtutil.exe
Token: SeSecurityPrivilege	2192	wevtutil.exe
Token: SeBackupPrivilege	2192	wevtutil.exe
Token: SeSecurityPrivilege	2516	wevtutil.exe
Token: SeBackupPrivilege	2516	wevtutil.exe
Token: SeSecurityPrivilege	3656	wevtutil.exe
Token: SeBackupPrivilege	3656	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	3200	WMIC.exe
Token: SeSecurityPrivilege	3200	WMIC.exe
Token: SeTakeOwnershipPrivilege	3200	WMIC.exe
Token: SeLoadDriverPrivilege	3200	WMIC.exe
Token: SeSystemProfilePrivilege	3200	WMIC.exe
Token: SeSystemtimePrivilege	3200	WMIC.exe
Token: SeProfSingleProcessPrivilege	3200	WMIC.exe
Token: SeIncBasePriorityPrivilege	3200	WMIC.exe
Token: SeCreatePagefilePrivilege	3200	WMIC.exe
Token: SeBackupPrivilege	3200	WMIC.exe
Token: SeRestorePrivilege	3200	WMIC.exe
Token: SeShutdownPrivilege	3200	WMIC.exe
Token: SeDebugPrivilege	3200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3200	WMIC.exe
Token: SeRemoteShutdownPrivilege	3200	WMIC.exe
Token: SeUndockPrivilege	3200	WMIC.exe
Token: SeManageVolumePrivilege	3200	WMIC.exe
Token: 33	3200	WMIC.exe
Token: 34	3200	WMIC.exe
Token: 35	3200	WMIC.exe
Token: 36	3200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3200	WMIC.exe
Token: SeSecurityPrivilege	3200	WMIC.exe
Token: SeTakeOwnershipPrivilege	3200	WMIC.exe
Token: SeLoadDriverPrivilege	3200	WMIC.exe
Token: SeSystemProfilePrivilege	3200	WMIC.exe
Token: SeSystemtimePrivilege	3200	WMIC.exe
Token: SeProfSingleProcessPrivilege	3200	WMIC.exe
Token: SeIncBasePriorityPrivilege	3200	WMIC.exe
Token: SeCreatePagefilePrivilege	3200	WMIC.exe
Token: SeBackupPrivilege	3200	WMIC.exe
Token: SeRestorePrivilege	3200	WMIC.exe
Token: SeShutdownPrivilege	3200	WMIC.exe
Token: SeDebugPrivilege	3200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3200	WMIC.exe
Token: SeRemoteShutdownPrivilege	3200	WMIC.exe
Token: SeUndockPrivilege	3200	WMIC.exe
Token: SeManageVolumePrivilege	3200	WMIC.exe
Token: 33	3200	WMIC.exe
Token: 34	3200	WMIC.exe
Token: 35	3200	WMIC.exe
Token: 36	3200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5944	WMIC.exe
Token: SeSecurityPrivilege	5944	WMIC.exe
Token: SeTakeOwnershipPrivilege	5944	WMIC.exe
Token: SeLoadDriverPrivilege	5944	WMIC.exe
Token: SeSystemProfilePrivilege	5944	WMIC.exe
Token: SeSystemtimePrivilege	5944	WMIC.exe
Token: SeProfSingleProcessPrivilege	5944	WMIC.exe
Token: SeIncBasePriorityPrivilege	5944	WMIC.exe
Token: SeCreatePagefilePrivilege	5944	WMIC.exe
Token: SeBackupPrivilege	5944	WMIC.exe
Token: SeRestorePrivilege	5944	WMIC.exe
Token: SeShutdownPrivilege	5944	WMIC.exe
Token: SeDebugPrivilege	5944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5944	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3760	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	89
PID 2272 wrote to memory of 3760	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	89
PID 2272 wrote to memory of 3760	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	89
PID 3760 wrote to memory of 1092	3760	cmd.exe	91
PID 3760 wrote to memory of 1092	3760	cmd.exe	91
PID 3760 wrote to memory of 1092	3760	cmd.exe	91
PID 2272 wrote to memory of 4468	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	92
PID 2272 wrote to memory of 4468	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	92
PID 2272 wrote to memory of 4468	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	92
PID 4468 wrote to memory of 2192	4468	cmd.exe	95
PID 4468 wrote to memory of 2192	4468	cmd.exe	95
PID 4468 wrote to memory of 2192	4468	cmd.exe	95
PID 2272 wrote to memory of 4668	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	96
PID 2272 wrote to memory of 4668	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	96
PID 2272 wrote to memory of 4668	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	96
PID 4668 wrote to memory of 2516	4668	cmd.exe	98
PID 4668 wrote to memory of 2516	4668	cmd.exe	98
PID 4668 wrote to memory of 2516	4668	cmd.exe	98
PID 2272 wrote to memory of 776	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	99
PID 2272 wrote to memory of 776	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	99
PID 2272 wrote to memory of 776	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	99
PID 776 wrote to memory of 3656	776	cmd.exe	101
PID 776 wrote to memory of 3656	776	cmd.exe	101
PID 776 wrote to memory of 3656	776	cmd.exe	101
PID 2272 wrote to memory of 3168	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	102
PID 2272 wrote to memory of 3168	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	102
PID 2272 wrote to memory of 3168	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	102
PID 2272 wrote to memory of 4564	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	104
PID 2272 wrote to memory of 4564	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	104
PID 2272 wrote to memory of 4564	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	104
PID 4564 wrote to memory of 3200	4564	cmd.exe	106
PID 4564 wrote to memory of 3200	4564	cmd.exe	106
PID 4564 wrote to memory of 3200	4564	cmd.exe	106
PID 2272 wrote to memory of 5204	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	109
PID 2272 wrote to memory of 5204	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	109
PID 2272 wrote to memory of 5204	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	109
PID 5204 wrote to memory of 5944	5204	cmd.exe	111
PID 5204 wrote to memory of 5944	5204	cmd.exe	111
PID 5204 wrote to memory of 5944	5204	cmd.exe	111
PID 2272 wrote to memory of 4908	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	129
PID 2272 wrote to memory of 4908	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	129
PID 2272 wrote to memory of 4908	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	129
PID 4908 wrote to memory of 4484	4908	Conhost.exe	115
PID 4908 wrote to memory of 4484	4908	Conhost.exe	115
PID 4908 wrote to memory of 4484	4908	Conhost.exe	115
PID 2272 wrote to memory of 5752	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	116
PID 2272 wrote to memory of 5752	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	116
PID 2272 wrote to memory of 5752	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	116
PID 5752 wrote to memory of 1092	5752	cmd.exe	118
PID 5752 wrote to memory of 1092	5752	cmd.exe	118
PID 5752 wrote to memory of 1092	5752	cmd.exe	118
PID 2272 wrote to memory of 5804	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	119
PID 2272 wrote to memory of 5804	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	119
PID 2272 wrote to memory of 5804	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	119
PID 5804 wrote to memory of 3820	5804	cmd.exe	121
PID 5804 wrote to memory of 3820	5804	cmd.exe	121
PID 5804 wrote to memory of 3820	5804	cmd.exe	121
PID 2272 wrote to memory of 5276	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	122
PID 2272 wrote to memory of 5276	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	122
PID 2272 wrote to memory of 5276	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	122
PID 5276 wrote to memory of 3800	5276	cmd.exe	124
PID 5276 wrote to memory of 3800	5276	cmd.exe	124
PID 5276 wrote to memory of 3800	5276	cmd.exe	124
PID 2272 wrote to memory of 1796	2272	25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe	128

C:\Users\Admin\AppData\Local\Temp\25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe
"C:\Users\Admin\AppData\Local\Temp\25a906877af7aed44c21b4c947a34666c3480629a929a227b67b273245ee3708.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl Application
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl Application
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl security
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl security
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl setup
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl setup
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl system
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl system
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:3168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5204
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:4484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5752
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5804
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
    3⤵
    PID:3820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5276
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
    3⤵
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
  2⤵
  PID:1796
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
    3⤵
    PID:4804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
  2⤵
  PID:5780
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
    3⤵
    PID:5808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
  2⤵
  PID:808
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
    3⤵
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
  2⤵
  PID:6032
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
    3⤵
    PID:5536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
    3⤵
    PID:4616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
  2⤵
  PID:1172
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
    3⤵
    PID:5756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:4120
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:3896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:224
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:60
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:4168
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:5424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:5864
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:5504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:5460
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:5640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:3396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:5172
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:3252
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:5060
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:5736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:5988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\sc.exe
    sc config FirebirdServerDefaultInstance start= disabled
    3⤵
    - Launches sc.exe
    PID:2304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
  2⤵
  PID:680
- - C:\Windows\SysWOW64\sc.exe
    sc config FirebirdServerDefaultInstance start= disabled
    3⤵
    - Launches sc.exe
    PID:5216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
  2⤵
  PID:4312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM fb_inet_server.exe /F
    3⤵
    - Kills process with taskkill
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
  2⤵
  PID:5768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM fb_inet_server.exe /F
    3⤵
    - Kills process with taskkill
    PID:5376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop FirebirdServerDefaultInstance
  2⤵
  PID:3364
- - C:\Windows\SysWOW64\net.exe
    net stop FirebirdServerDefaultInstance
    3⤵
    PID:5268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
      4⤵
      PID:1060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
  2⤵
  PID:5288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
    3⤵
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM sqlservr.exe /F
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:5956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSSQLSERVER start= disabled
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start= disabled
    3⤵
    - Launches sc.exe
    PID:5552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSSQL$SQLEXPRESS start= disabled
  2⤵
  PID:6100
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS start= disabled
    3⤵
    - Launches sc.exe
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQLSERVER
  2⤵
  PID:220
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:6068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQLSERVER
  2⤵
  PID:3808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER
    3⤵
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:5624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    PID:1196
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:2924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
  2⤵
  PID:5756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
    3⤵
    PID:5968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM pg_ctl.exe /F
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM pg_ctl.exe /F
    3⤵
    - Kills process with taskkill
    PID:4524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config postgresql-9.0 start= disabled
  2⤵
  PID:5892
- - C:\Windows\SysWOW64\sc.exe
    sc config postgresql-9.0 start= disabled
    3⤵
    - Launches sc.exe
    PID:5516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop postgresql-9.0
  2⤵
  PID:5248
- - C:\Windows\SysWOW64\net.exe
    net stop postgresql-9.0
    3⤵
    PID:5044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop postgresql-9.0
      4⤵
      PID:5612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeAB start= disabled
  2⤵
  PID:5080
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeAB start= disabled
    3⤵
    - Launches sc.exe
    PID:6040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeAntispamUpdate start= disabled
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeAntispamUpdate start= disabled
    3⤵
    - Launches sc.exe
    PID:60
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeEdgeSync start= disabled
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeEdgeSync start= disabled
    3⤵
    - Launches sc.exe
    PID:3788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeFDS start= disabled
  2⤵
  PID:5744
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeFDS start= disabled
    3⤵
    - Launches sc.exe
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeFBA start= disabled
  2⤵
  PID:5760
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeFBA start= disabled
    3⤵
    - Launches sc.exe
    PID:4288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
  2⤵
  PID:5972
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeImap4 start= disabled
    3⤵
    - Launches sc.exe
    PID:5676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
  2⤵
  PID:5312
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeImap4 start= disabled
    3⤵
    - Launches sc.exe
    PID:5772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeIS start= disabled
  2⤵
  PID:5416
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeIS start= disabled
    3⤵
    - Launches sc.exe
    PID:3396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailSubmission start= disabled
  2⤵
  PID:5700
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailSubmission start= disabled
    3⤵
    - Launches sc.exe
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxAssistants start= disabled
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailboxAssistants start= disabled
    3⤵
    - Launches sc.exe
    PID:5048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxReplication start= disabled
  2⤵
  PID:5912
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailboxReplication start= disabled
    3⤵
    - Launches sc.exe
    PID:5740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMonitoring start= disabled
  2⤵
  PID:5732
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMonitoring start= disabled
    3⤵
    - Launches sc.exe
    PID:6132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangePop3 start= disabled
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangePop3 start= disabled
    3⤵
    - Launches sc.exe
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeProtectedServiceHost start= disabled
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeProtectedServiceHost start= disabled
    3⤵
    - Launches sc.exe
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeRPC start= disabled
  2⤵
  PID:4252
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeRPC start= disabled
    3⤵
    - Launches sc.exe
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeSearch start= disable
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeSearch start= disable
    3⤵
    - Launches sc.exe
    PID:4856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config wsbexchange start= disabled
  2⤵
  PID:5216
- - C:\Windows\SysWOW64\sc.exe
    sc config wsbexchange start= disabled
    3⤵
    - Launches sc.exe
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeSA start= disabled
  2⤵
  PID:5660
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeSA start= disabled
    3⤵
    - Launches sc.exe
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeThrottling start= disabled
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeThrottling start= disabled
    3⤵
    - Launches sc.exe
    PID:6104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeTransportLogSearch start= disabled
  2⤵
  PID:5768
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeTransportLogSearch start= disabled
    3⤵
    - Launches sc.exe
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeAB
  2⤵
  PID:3200
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeAB
    3⤵
    PID:1092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeAB
      4⤵
      PID:2808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeAntispamUpdate
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeAntispamUpdate
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
      4⤵
      PID:180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeEdgeSync
  2⤵
  PID:5824
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeEdgeSync
    3⤵
    PID:2800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeEdgeSync
      4⤵
      PID:5704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeImap4
  2⤵
  PID:5228
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeImap4
    3⤵
    PID:2752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeImap4
      4⤵
      PID:4784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeMailboxReplication
  2⤵
  PID:632
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeMailboxReplication
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMailboxReplication
      4⤵
      PID:664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeProtectedServiceHost
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeProtectedServiceHost
    3⤵
    PID:4804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeProtectedServiceHost
      4⤵
      PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl Application
  2⤵
  PID:5720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl Application
    3⤵
    - Clears Windows event logs
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl security
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl security
    3⤵
    - Clears Windows event logs
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl setup
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl setup
    3⤵
    - Clears Windows event logs
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl system
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl system
    3⤵
    - Clears Windows event logs
    PID:5948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:4524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  PID:3820
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    PID:4692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    PID:5184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:60
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:1456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
  2⤵
  PID:3340
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
    3⤵
    PID:5344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
    3⤵
    PID:5700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
    3⤵
    PID:5476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
  2⤵
  PID:5492
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
    3⤵
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
    3⤵
    PID:5780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:6024
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:3172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:5712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:5132
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:3208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:4968
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:5264
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:4616
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
    3⤵
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
  2⤵
  PID:5688
- - C:\Windows\SysWOW64\sc.exe
    sc config FirebirdServerDefaultInstance start= disabled
    3⤵
    - Launches sc.exe
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\sc.exe
    sc config FirebirdServerDefaultInstance start= disabled
    3⤵
    - Launches sc.exe
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM fb_inet_server.exe /F
    3⤵
    - Kills process with taskkill
    PID:4452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
  2⤵
  PID:5960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM fb_inet_server.exe /F
    3⤵
    - Kills process with taskkill
    PID:5320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop FirebirdServerDefaultInstance
  2⤵
  PID:748
- - C:\Windows\SysWOW64\net.exe
    net stop FirebirdServerDefaultInstance
    3⤵
    PID:4484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
      4⤵
      PID:5256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM sqlservr.exe /F
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSSQLSERVER start= disabled
  2⤵
  PID:744
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start= disabled
    3⤵
    - Launches sc.exe
    PID:5676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSSQL$SQLEXPRESS start= disabled
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS start= disabled
    3⤵
    - Launches sc.exe
    PID:492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQLSERVER
  2⤵
  PID:5460
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:4340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQLSERVER
  2⤵
  PID:5832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER
    3⤵
    PID:5700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    PID:4564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:5584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:3432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
  2⤵
  PID:6052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
    3⤵
    PID:5016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM pg_ctl.exe /F
  2⤵
  PID:4508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM pg_ctl.exe /F
    3⤵
    - Kills process with taskkill
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config postgresql-9.0 start= disabled
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\sc.exe
    sc config postgresql-9.0 start= disabled
    3⤵
    - Launches sc.exe
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop postgresql-9.0
  2⤵
  PID:1344
- - C:\Windows\SysWOW64\net.exe
    net stop postgresql-9.0
    3⤵
    PID:3832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop postgresql-9.0
      4⤵
      PID:5984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeAB start= disabled
  2⤵
  PID:6048
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeAB start= disabled
    3⤵
    - Launches sc.exe
    PID:5836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeAntispamUpdate start= disabled
  2⤵
  PID:5284
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeAntispamUpdate start= disabled
    3⤵
    - Launches sc.exe
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeEdgeSync start= disabled
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeEdgeSync start= disabled
    3⤵
    - Launches sc.exe
    PID:5708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeFDS start= disabled
  2⤵
  PID:3200
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeFDS start= disabled
    3⤵
    - Launches sc.exe
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeFBA start= disabled
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeFBA start= disabled
    3⤵
    - Launches sc.exe
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeImap4 start= disabled
    3⤵
    - Launches sc.exe
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
  2⤵
  PID:5876
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeImap4 start= disabled
    3⤵
    - Launches sc.exe
    PID:4084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeIS start= disabled
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeIS start= disabled
    3⤵
    - Launches sc.exe
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailSubmission start= disabled
  2⤵
  PID:3208
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailSubmission start= disabled
    3⤵
    - Launches sc.exe
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxAssistants start= disabled
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailboxAssistants start= disabled
    3⤵
    - Launches sc.exe
    PID:5908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxReplication start= disabled
  2⤵
  PID:4968
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMailboxReplication start= disabled
    3⤵
    - Launches sc.exe
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeMonitoring start= disabled
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeMonitoring start= disabled
    3⤵
    - Launches sc.exe
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangePop3 start= disabled
  2⤵
  PID:3100
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangePop3 start= disabled
    3⤵
    - Launches sc.exe
    PID:5372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeProtectedServiceHost start= disabled
  2⤵
  PID:4616
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeProtectedServiceHost start= disabled
    3⤵
    - Launches sc.exe
    PID:1172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeRPC start= disabled
  2⤵
  PID:3636
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeRPC start= disabled
    3⤵
    - Launches sc.exe
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeSearch start= disable
  2⤵
  PID:2172
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeSearch start= disable
    3⤵
    - Launches sc.exe
    PID:5000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config wsbexchange start= disabled
  2⤵
  PID:4124
- - C:\Windows\SysWOW64\sc.exe
    sc config wsbexchange start= disabled
    3⤵
    - Launches sc.exe
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeSA start= disabled
  2⤵
  PID:5892
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeSA start= disabled
    3⤵
    - Launches sc.exe
    PID:4908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeThrottling start= disabled
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeThrottling start= disabled
    3⤵
    - Launches sc.exe
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config MSExchangeTransportLogSearch start= disabled
  2⤵
  PID:5452
- - C:\Windows\SysWOW64\sc.exe
    sc config MSExchangeTransportLogSearch start= disabled
    3⤵
    - Launches sc.exe
    PID:4120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeAB
  2⤵
  PID:5296
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeAB
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeAB
      4⤵
      PID:3904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeAntispamUpdate
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeAntispamUpdate
    3⤵
    PID:5884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeAntispamUpdate
      4⤵
      PID:1796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeEdgeSync
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeEdgeSync
    3⤵
    PID:4744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeEdgeSync
      4⤵
      PID:3940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeImap4
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeImap4
    3⤵
    PID:5800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeImap4
      4⤵
      PID:2640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeMailboxReplication
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeMailboxReplication
    3⤵
    PID:4132
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMailboxReplication
      4⤵
      PID:5972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop MSExchangeProtectedServiceHost
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeProtectedServiceHost
    3⤵
    PID:5404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeProtectedServiceHost
      4⤵
      PID:4492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl Application
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl Application
    3⤵
    - Clears Windows event logs
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl security
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl security
    3⤵
    - Clears Windows event logs
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl setup
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl setup
    3⤵
    - Clears Windows event logs
    PID:3392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil cl system
  2⤵
  PID:4928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil cl system
    3⤵
    - Clears Windows event logs
    PID:5148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  PID:5336
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
  2⤵
  PID:5044
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
    3⤵
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
  2⤵
  PID:3172
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
    3⤵
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.losttrustencoded

Filesize
701B

MD5
c169a9605e7524c21ef586210068518a

SHA1
a1d6b9c2cf3c1e18c9a1fb682a608764878a1775

SHA256
bbf59c703b8a60fb4e0b1905b53e1901ffdb37bf6be48ed9f1ad3350b085a12e

SHA512
e60232194ad20f7dd96c6eb75b5af1117f38fe797ceee2325e0677e0a8bfc891dd42ae6e543457a40ccce07062a92f6bb397d5405666a9662417799e50d5a931

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.losttrustencoded

Filesize
867B

MD5
161f8937042909e98d6998f9eab885f0

SHA1
0fd2e4a917b4d4436a104f0976a66c6ea87ae9d6

SHA256
bfa125f8300b937a7c645b4eb9f55192b4acea96ff2747fff7caa198b47322b3

SHA512
e5a03950b7f8b3c056a8f21d44bc99f93db4f66f00bd8e464857ede1fbfd06a424d1f4171684ccdf34d7ed48538a8d1bdef990aa208c763f45429297eb3e45af

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.losttrustencoded

Filesize
644B

MD5
b397d7502bf435ead336bd60309ef8f2

SHA1
1cfd527050866633619f65c0ff6674e9c68337bc

SHA256
58a3f6b8799242c4d4a5b6160d1dbf7fe543057681b33e3e2f5737ec95e10188

SHA512
bfd8f3014838a3f4e63958c5f2275570c812ca5b5c20e420ac9e4bbbf204f81757b2afd1a1d62173353d77d1a9bb3028c381f9f4a27ec57a3ee919cd2a95de91

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.losttrustencoded

Filesize
644B

MD5
d527440955714b692ff50baaf7289939

SHA1
d059bd9421e9e8b23ee54bb6640903480bea9065

SHA256
aebab4eedbf703270eff8fa4fbdedaa27805beca55f5fb32165524280d702d05

SHA512
862382b63b545c4c862a8b0a881c69943380459f02c0bb014ffb8f63c159d89e3ff7c0d4bee769670bfdd474b33c90886b3d40b96e8d332ca320d9450591c701

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.losttrustencoded

Filesize
808B

MD5
95f4c8e83738731c164a12611ce36577

SHA1
75bc60a87dad3390f495146cb5efe249b33d5107

SHA256
d7f1e06421cb98060d9b63b4e13d3bc71eb79b02c55d9c62806cd2b4aca184c2

SHA512
e8fae47f1059dd2fd7d44c409e2633dfc678dbf119abd6c1746f9381831f795176e22b01f0bdd1d48cc05d371d78f3c1556c40df3822480fb43110c38e2f9328

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.losttrustencoded

Filesize
644B

MD5
aed628464d0d9006f2768962c60812d3

SHA1
f2b4e9aa85c6225e6141768a03498823fb76906b

SHA256
97a2fc20a9015ffb7543e925f79da6de8ce124a43c1dd275e5a7369262983573

SHA512
52afbe3c07532f83672e21285c30802b8757898f185baac58c6f728bc93040da00c68d367b6d0f84ca9ec50f8b0fe24165c584114095cc3137e8db1dd711bbb9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.losttrustencoded

Filesize
808B

MD5
6854e9b3b48ebfcfa55dafde902cc712

SHA1
f6f2664d6d215c83bd4d7e690d937c47126d6aaf

SHA256
568cd594b75cd0ae2efcea3f7495f21bd797d48ea52c081fc80bdf938a536bd4

SHA512
61de26763b5a73f92c861753aad68fbac512ad4d3d04a48260ca3682e4a1ea71e1666fe3ba58194d638840cf3a1e20222144c736023b6c1e3efd35dcaef447f5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.losttrustencoded

Filesize
939B

MD5
f85bfc3280e103ca6bee7d95c5f69aa8

SHA1
0caafc932173861790781a0453248fab8bb46309

SHA256
1fc1a9d4b56799e30a7c08c39b7bc0c96f321c8a062b83f1a871846f59df23c9

SHA512
49fe7934c6e266ddda67c21cf2d7310587b1a76c37aca31a391cc0ed55de69af17761cfece8987b4e01f82bd7bd1456ace47b5916b6379324b12101904171a79

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.losttrustencoded

Filesize
1KB

MD5
e1cd41ed16c32a868308066251f9abb6

SHA1
7465c31075b2ee9b06754f3ce43d19f8037ba47d

SHA256
b5ed1d7b3ba29107deee45aa5fe4a1723aee45a66f8f563e90cbf71ff7c43bad

SHA512
e3f1392e1dfed99d951aa0fa85b972bdc87a62a59114b0c14a5e3573527a97abe24938e343d2c115eff4afa868c2dbebc9adc24f4854e36c5b1a4cc6f076046d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png.losttrustencoded

Filesize
808B

MD5
0001fe306926d78a848be0d58cebcb45

SHA1
a058a45274f707f8c54df156e3b6ab2c9f454548

SHA256
92f5ec118a7b50c34742f496765414e2919da269c17f81bb558a34f6d02579cb

SHA512
31617fd4897976911533a452b1743b592b4d867e402fe0f9b675ad189e886a56936d34ac820ccf7d3af8fded594e1f73da4a22a4dd9edae5323a60ba3286e2bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons.png.losttrustencoded

Filesize
939B

MD5
75fd865d84998c28e4c57a5f58ec003c

SHA1
d55ea3140dd48b82077145b9730fc10c78ab392b

SHA256
5e574dc271926b80c846623eccfff4e90d677ce6bbd213e0861b9c9238161be7

SHA512
e8f98609233331e0ef24768bdc338cf95edb9b69ebd080fab5016c74dfaf015ece95d3fec654736b941c28ea5b83de7a5bc64fce0e8a25f811da17d2b51f7552

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons2x.png.losttrustencoded

Filesize
1KB

MD5
397986f40f46244a0482bd4117bdb90b

SHA1
01f6d871fde9ecaf9e3e59419ad610f16c282415

SHA256
6652e29114c9d7565ec7333fe747bdde0df48e787f2238c47a24f28a7d95ed5e

SHA512
fca2a5bfcd14c967f4c100b820ce9e6ee944d2c561c2142f647963a1611627d28dc24ea993527a252d3da0e9c4926133480e11654f1c20e8e03f3cda3257ff69

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\ui-strings.js.losttrustencoded

Filesize
1KB

MD5
6ce4c87a29236a6a9cec25b29143d9a9

SHA1
2cf91791ce5ff660d25c49005287b97b63a8c270

SHA256
eb12cdd253bbb9ebbb9a9430b7788491a66671b25f3625a679f11e986c035750

SHA512
ce8effdc654cacc58d85a0440236ea77a3536f34c0e64833a4e3306c094c48ca4ecf4f34aea1a9775a59ae29e7ee6da9d9ccd28dd9a402de478444a0a82cec7b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.losttrustencoded

Filesize
1KB

MD5
5d5e20452343de6ddf053b54d54352bc

SHA1
af45d1378452103e9c35d140205a52c022cdebad

SHA256
72dffd5a998ba0f0c68d58aa3851ba1b9864a2383944348528cd539877ac651d

SHA512
05ea888a1fad0927444f5c890fdbda1a697da474652399aa459901665de6b75f025f475e7c51b88749904ba524ebc586328ae4f2403d3216e61b67bbb1295e06

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.losttrustencoded

Filesize
1KB

MD5
1824c2bab16cdd04ccabe2409ac3e7a2

SHA1
c966e8bc5396305086016ceee13a5bf2225fd0dd

SHA256
07da514017c0d000826a465aec83b08448e72de8c7cf7bcbde3da3b6f9052415

SHA512
08208c8c0d44f6b1e232717d9c46ac844047f65b71e6a6d43d2d22030a4a0ce7cd9db9fe4cf0479096f7ca92561483039a1e34f570c34c930226badd6ce3d66a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js.losttrustencoded

Filesize
1KB

MD5
0eed75967e5a5e9aa4d1ba5ccb560553

SHA1
45d46ff33201a414d9ef748f35a1f35d865a9b26

SHA256
c9b8e3c5de116435117e1ccca81c7d3a617778cf09d790da41c64ff8cca5e7da

SHA512
120687c4832c4fdcb8fdbbccb4d352526dfbb644730a1a0056ee1518d3c5dd8b9092193afde4439b620c5592a64fae6318838cfa2c3ce9f6abe06b39e7ee5a58

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.losttrustencoded

Filesize
1KB

MD5
8500aaf036a00f1e942e30135f534c06

SHA1
45f0e06b74c7d367fae1588d2b378457426d10e6

SHA256
18047ba9a8ea0534747b5aa6c722820ebc1dbe2ac4c5067dc490f833eb42b4bd

SHA512
d4ede2e49c74faededac6432c82c5be803f1cb1d9a904e2dc2518b9965fd99bd8b90e57753001d378e70af5877365c524af15df75bce2a055db6e4386a86914b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main-selector.css.losttrustencoded

Filesize
1KB

MD5
b3b4da9b036e05413e104f44a1ba3839

SHA1
037c417e09978ee92f4701020883d7ffdd0194f7

SHA256
68737beaad1ed5473730bef7bd2bbc3cd7a97d802d9ee786b732a1dd92922163

SHA512
5214f823b128fefe1ea22e15a8865114219fced1ba4c2e8e1ccd7e5d5ae360d0aa0669f69ff7d2c7b85c0e1d89a7af387fd80df5c2b8bcce6059b9a410f3e01a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo.losttrustencoded

Filesize
5KB

MD5
88ecc2c3a0ac45340c0b5fc4eb096226

SHA1
368a2e3b6db600309c74e3a9fb13c1d3017ac6ba

SHA256
9fa6dc7718395e896a3660f057b98558d2b448837a471871e3f23bd0ebaed6be

SHA512
1a2b7ba01f98958341c04944c03c2eb1c8192b1c58258bf16666e2724880dda936c1388800c410b61847c43cf7f7bf5f8edd62a3871822e64de616b0a4b6552f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.losttrustencoded

Filesize
12KB

MD5
5cf8b40e77f1f9a821038aa37ac6b762

SHA1
9c0f2a306b32838534ebe78825c9776004e88949

SHA256
7ed50b71d61a7efea24a8d8a39e6de37890291bb654612864ba578d8c5c72267

SHA512
3521c6d7f00dca10870787c22155a3e55037b807bf996ab4490bf8649274b74916fa7297a7438c9cfdcf6f8a2328afaffa8e9f87fb858591ffd047f11378c082

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.losttrustencoded

Filesize
9KB

MD5
d3f802ccfdc5a0f6b8a7e3882305089f

SHA1
e7173a31c9ec2c88a679c31a4c28590b2d784dbe

SHA256
0fead55840ebe3da6323d4a9f8ba440dd55de17cbddcea539371dbfa3f368c62

SHA512
10c253ccf4c74ed08ce0577e44269e72f4377a24100ffeb9e9ae5831050f5be568fac862d04cfed55d570ec59115f427bd7519c6db3abebd9d06d80803b41e71

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA.losttrustencoded

Filesize
7KB

MD5
3ec622ec54dd1d5e11ede732b0b32c96

SHA1
45058baf8e6dbf44bbc832564f32d53edf1fa5f1

SHA256
3810c7351201cc220fe33df222f3687dabd12d7f4fdd2be6c53ee12483a77669

SHA512
26f6cf579c6f90b829bb2853193ef6543802cc5a0add9da08a25f29b998c9c161f8e46bad368bff9f0dbb7a25e21284525fa1a2b5f7735d4623aa953c36375ed

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.losttrustencoded

Filesize
370B

MD5
ef495279adba5aded63cb9ba1b24121d

SHA1
538839030164dbdd682e9c648bb3f1907ecd7442

SHA256
bb2b8b76809157bcd76d5b54aadd02e015211424758d7aaf1210c6424a8972ad

SHA512
e2a2263e807a5deaea48437dba141037ccf17c3ee6377abeb9a409fb3b9487b5ae6c04b970a2fd80f38a706c2d93f65dac8a394f5567ed45fd7f8ae4b6037af6

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.losttrustencoded

Filesize
369B

MD5
5567e173bec88fd44ca2afb55389338b

SHA1
3578d984c03adf7d0753b597a6805a0dc3806ed2

SHA256
32afb70e5d7bacaf544866568c24240c902be17cc9417ed44420084a4d4d5cb7

SHA512
88ffc9a38a1f0a653b73ef850ea800a6e98d2be1f8e5cfc0836daa37a630999514b6cfd77acd37b98dfdef26b5a8f828906e87baef0521ff64c8ad9a2ab76e61

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo.losttrustencoded

Filesize
665KB

MD5
a7410d30a5ec711f9dd74ad25d1c04d6

SHA1
7654b12a2ad8d42c40c05670090f6c1063051259

SHA256
c965a2568cc570671561a9097fbf2695921c406ef487021b07209abcc37ecd76

SHA512
f396d95fe5be9ab419af676fe4e91709d3cc832344fdc1c421b576f6111cacd682f176564d3f7bedf989fa3e95e4fcda50d7480a7cdf86fb1098f2a1da9471d1

Download Submit
C:\Recovery\!LostTrustEncoded.txt

Filesize
3KB

MD5
d2e1713d4eb25a7d99db8d5562abff20

SHA1
cffc422db053f4d3e365ea8349c65a2a64f8a086

SHA256
03bd58013d50f3edb0a3d60dab984ab194bb8e826dd2dea419ef4c57965de9b6

SHA512
537b53ce6f030dcb5292c7dd5958e0b5945ff446af209d83098adb007ca196ba18642d1169994302c85a5ad8f47008f57fb57e764095c79e9c1e023b0120c9bd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\settings.dat.losttrustencoded

Filesize
8KB

MD5
3809a4c357933fd6bba98a1524663df6

SHA1
4bd4647a673029943c067cb5a05446099e284945

SHA256
3cccce5b0cabdd214925e129bcb9d43d8fa06d369c1a7d579c6cd84b236472e8

SHA512
f88595115d7e23d7fbc51a8ff3b74ec2eee6ef26c779e2b0a4a0989454882ac2e18469f32962e39990578e6938846270e2ba395911d5eda3092cb39e6e4223d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\http___java_com_help.losttrustencoded

Filesize
36KB

MD5
cf8665213bc36e69e9758161349d2d48

SHA1
741a3c6a36bc3fcae46cb0c985582360ca126af6

SHA256
60bf577781d9c4baff7cba2f61396f0d56a697035fba0b5fb4e8094fbf444d39

SHA512
4c597fa08eb325b0895f35bc14a2c9d3c3b2c1f78fbbb40a652528803e8d57c5fc74e354d626adc58ff5ad6133acc2f7785f049f3b02595234b5bfe8bbe4f263

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe.losttrustencoded

Filesize
36KB

MD5
d2d46f0b60a324e9687c01848c44e1ce

SHA1
f0c34d18a6ad43c2722d31bef5942d8641794a85

SHA256
edd2129bed36cb470bc50d2bfa10989437397f358e870afb2378758db6dbf011

SHA512
2c9ab03dbc0cdc2edf8530188bc9b185510a6d4f667923b56c59c6f8d60bbbee16634b599adb5a9ac7714e94d2733bc6109fb50350f79a943c1ecfd1fc857d1a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392321550497323.txt.losttrustencoded

Filesize
48KB

MD5
9d897203907354e0beae91bd860ee459

SHA1
4c655929467b1d2420d2bf6194063e72c488de85

SHA256
bc613d6d79b4116a97363aac19fce31260280e0adfa8f2e842b2818023a447b5

SHA512
fd879dde0c906214df0b5d2f05136fc0f35a52c598804b3c5fa545738471ba05e168539afbfdfc2bcc3f7f19025d26d95b2a5bebacec25346a7e375516b55df6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392332751081503.txt.losttrustencoded

Filesize
64KB

MD5
72e55ee39acd2a7248ea04b6c60855e4

SHA1
e7eba2f7a316a07b1d116476f023c98d79cf57a1

SHA256
98a667ab4cea44a4093700d36d1c8e1121f58baf6f208d8af75d0eabaff85558

SHA512
64e0fa4a517ff982dbce7b624e9800e5619e0af1e3649c069d472ea24441ced5f4a8078128dc857288fd319310200b3700bdd29400b6048d998615838086f987

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392351520456721.txt.losttrustencoded

Filesize
76KB

MD5
990449b4f88da4797d4a6954a050c92d

SHA1
5886225ec96c7591ae7b82edba05fb889bfe710e

SHA256
f9721333b74789d5b333a79495911327fef43e19d72667c1168361b2e1da2c73

SHA512
fb92a19af3b6e0ade85e66b6f8d7c1458186e2e3e5863559e679184a5ff761e835a73f2df9081c238737756cd444e02aa6e113e2e922187ca58b10fb91b10be9

Download Submit