medusaransomware | 4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6

Resubmissions

13/11/2024, 12:17

241113-pgf4qs1mdz 10

13/11/2024, 12:17

241113-pf2n2s1mds 10

Analysis

max time kernel
50s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13/11/2024, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

babylockerkz.exe
Size

624KB
MD5

84b88ac81e4872ff3bf15c72f431d101
SHA1

0823d067541de16325e5454a91b57262365a0705
SHA256

4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6
SHA512

185691b0103669c5aa25b22c36f29ddb66f074e0f2e3ae6a36ed8917c35f1fba71fba65c11c3211ce64f6c5919ac879ce0fdcc4dddae420cbecf40711dff1860
SSDEEP

12288:V4eCA30wfnlxvaUwZNf6qYID7ZJuIQOsknZh20QyCkje0ZM7qgbGKTO7muYpralU:3C8valgsDyfSBKXyMUkW2LILGBm3IzPB

Score

10^/10

medusaransomware discovery execution ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\!!!READ_ME_MEDUSA!!!.txt

Ransom Note

$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ | $$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ | $$ \$$$ $$ |$$ __| $$ | $$ |$$ | $$ | \____$$\ $$ __$$ | $$ |\$ /$$ |$$ | $$ | $$ |$$ | $$ |$$\ $$ |$$ | $$ | $$ | \_/ $$ |$$$$$$$$\ $$$$$$$ |\$$$$$$ |\$$$$$$ |$$ | $$ | \__| \__|\________|\_______/ \______/ \______/ \__| \__| -----------------------------[ Hello, Acemicromatic group !!! ]-------------------------- WHAT HAPPEND? ------------------------------------------------------------ 1. We have PENETRATE your network and COPIED data. * We have penetrated entire network and researched all about your data. * And we have extracted all of your important and valuable data and copied them to private cloud storage. 2. We have ENCRYPTED your files. While you are reading this message, it means all of your files and data has been ENCRYPTED by world's strongest ransomware. All files have encrypted with new military-grade encryption algorithm and you can not decrypt your files. But don't worry, we can decrypt your files. There is only one possible way to get back your computers and servers - CONTACT us via LIVE CHAT and pay for the special MEDUSA DECRYPTOR and DECRYPTION KEYs. This MEDUSA DECRYPTOR will restore your entire network, This will take less than 1 business day. WHAT GUARANTEES? --------------------------------------------------------------- We can post your data to the public and send emails to your customers. We have professional OSINTs and media team for leak data to telegram, facebook, twitter channels and top news websites. You can easily search about us. You can suffer significant problems due disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, legal and regulatory issues. After paying for the data breach and decryption, we guarantee that your data will never be leaked and this is also for our reputation. YOU should be AWARE! --------------------------------------------------------------- We will speak only with an authorized person. It can be the CEO, top management, etc. In case you ar not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm! If you do not contact us within 3 days, We will start publish your case to our official blog and everybody will start notice your incident! --------------------[ Official blog tor address ]-------------------- Using TOR Browser(https://www.torproject.org/download/): http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion/ CONTACT US! ----------------------[ Your company live chat address ]--------------------------- Using TOR Browser(https://www.torproject.org/download/): http://medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion/227098164ef1fdb119ef537986bbdf24 Or Use Tox Chat Program(https://utox.org/uTox_win64.exe) Add user with our tox ID : 4AE245548F2A225882951FB14E9BF87EE01A0C10AE159B99D1EA62620D91A372205227254A9F Our support email: ( [email protected] ) Company identification hash: b2ea6d709c99093d01c8cb31ee91895ac1ce70b85cc8212780687f75a93c4e77

Emails

[email protected]

URLs

http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion/

http://medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion/227098164ef1fdb119ef537986bbdf24

Signatures

Medusa Ransomware
Ransomware first identified in 2022 that is distinct from the similarly named ransomware family MedusaLocker.
ransomware medusaransomware
Medusaransomware family
medusaransomware
Renames multiple (3237) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	babylockerkz.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\!!!READ_ME_MEDUSA!!!.txt	babylockerkz.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BSSYM7.TTF	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.tpn	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATA.DLL	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.INF	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUAUTH.CAB	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms	babylockerkz.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\!!!READ_ME_MEDUSA!!!.txt	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimelessLetter.dotx	babylockerkz.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	babylockerkz.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\!!!READ_ME_MEDUSA!!!.txt	babylockerkz.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md	babylockerkz.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\!!!READ_ME_MEDUSA!!!.txt	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar	babylockerkz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOPRIV.DLL	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png	babylockerkz.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\!!!READ_ME_MEDUSA!!!.txt	babylockerkz.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\!!!READ_ME_MEDUSA!!!.txt	babylockerkz.exe
File created	C:\Program Files\Internet Explorer\en-US\!!!READ_ME_MEDUSA!!!.txt	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms	babylockerkz.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png	babylockerkz.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\!!!READ_ME_MEDUSA!!!.txt	babylockerkz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data	babylockerkz.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2024	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Kills process with taskkill 44 IoCs

evasion

pid	Process
5624	taskkill.exe
5564	taskkill.exe
5272	taskkill.exe
5468	taskkill.exe
5688	taskkill.exe
5608	taskkill.exe
5968	taskkill.exe
3844	taskkill.exe
3568	taskkill.exe
6012	taskkill.exe
5124	taskkill.exe
1168	taskkill.exe
5240	taskkill.exe
5652	taskkill.exe
5936	taskkill.exe
5224	taskkill.exe
5852	taskkill.exe
5956	taskkill.exe
5208	taskkill.exe
5144	taskkill.exe
5216	taskkill.exe
5728	taskkill.exe
5268	taskkill.exe
5372	taskkill.exe
5232	taskkill.exe
5640	taskkill.exe
5800	taskkill.exe
6108	taskkill.exe
5460	taskkill.exe
2316	taskkill.exe
5548	taskkill.exe
5692	taskkill.exe
5928	taskkill.exe
5812	taskkill.exe
5404	taskkill.exe
5432	taskkill.exe
5424	taskkill.exe
6092	taskkill.exe
5380	taskkill.exe
5684	taskkill.exe
6104	taskkill.exe
4440	taskkill.exe
5992	taskkill.exe
5628	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2024	powershell.exe
2024	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	5800	taskkill.exe
Token: SeDebugPrivilege	5936	taskkill.exe
Token: SeDebugPrivilege	6092	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	5224	taskkill.exe
Token: SeDebugPrivilege	5272	taskkill.exe
Token: SeDebugPrivilege	5468	taskkill.exe
Token: SeDebugPrivilege	5608	taskkill.exe
Token: SeDebugPrivilege	5852	taskkill.exe
Token: SeDebugPrivilege	6108	taskkill.exe
Token: SeDebugPrivilege	5124	taskkill.exe
Token: SeDebugPrivilege	5380	taskkill.exe
Token: SeDebugPrivilege	5460	taskkill.exe
Token: SeDebugPrivilege	5684	taskkill.exe
Token: SeDebugPrivilege	5728	taskkill.exe
Token: SeDebugPrivilege	5968	taskkill.exe
Token: SeDebugPrivilege	5928	taskkill.exe
Token: SeDebugPrivilege	5268	taskkill.exe
Token: SeDebugPrivilege	5372	taskkill.exe
Token: SeDebugPrivilege	5688	taskkill.exe
Token: SeDebugPrivilege	5812	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	5232	taskkill.exe
Token: SeDebugPrivilege	5404	taskkill.exe
Token: SeDebugPrivilege	5652	taskkill.exe
Token: SeDebugPrivilege	5240	taskkill.exe
Token: SeDebugPrivilege	5208	taskkill.exe
Token: SeDebugPrivilege	5432	taskkill.exe
Token: SeDebugPrivilege	5424	taskkill.exe
Token: SeDebugPrivilege	5624	taskkill.exe
Token: SeDebugPrivilege	5992	taskkill.exe
Token: SeDebugPrivilege	5144	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	3568	taskkill.exe
Token: SeDebugPrivilege	5564	taskkill.exe
Token: SeDebugPrivilege	5640	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	5548	taskkill.exe
Token: SeDebugPrivilege	5628	taskkill.exe
Token: SeDebugPrivilege	6012	taskkill.exe
Token: SeDebugPrivilege	5216	taskkill.exe
Token: SeDebugPrivilege	5956	taskkill.exe
Token: SeDebugPrivilege	5692	taskkill.exe
Token: SeDebugPrivilege	6104	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 2024	3704	babylockerkz.exe	80
PID 3704 wrote to memory of 2024	3704	babylockerkz.exe	80
PID 3704 wrote to memory of 2024	3704	babylockerkz.exe	80
PID 3704 wrote to memory of 5080	3704	babylockerkz.exe	83
PID 3704 wrote to memory of 5080	3704	babylockerkz.exe	83
PID 3704 wrote to memory of 5080	3704	babylockerkz.exe	83
PID 5080 wrote to memory of 4616	5080	net.exe	85
PID 5080 wrote to memory of 4616	5080	net.exe	85
PID 5080 wrote to memory of 4616	5080	net.exe	85
PID 3704 wrote to memory of 392	3704	babylockerkz.exe	86
PID 3704 wrote to memory of 392	3704	babylockerkz.exe	86
PID 3704 wrote to memory of 392	3704	babylockerkz.exe	86
PID 392 wrote to memory of 2592	392	net.exe	88
PID 392 wrote to memory of 2592	392	net.exe	88
PID 392 wrote to memory of 2592	392	net.exe	88
PID 3704 wrote to memory of 3400	3704	babylockerkz.exe	89
PID 3704 wrote to memory of 3400	3704	babylockerkz.exe	89
PID 3704 wrote to memory of 3400	3704	babylockerkz.exe	89
PID 3400 wrote to memory of 984	3400	net.exe	91
PID 3400 wrote to memory of 984	3400	net.exe	91
PID 3400 wrote to memory of 984	3400	net.exe	91
PID 3704 wrote to memory of 664	3704	babylockerkz.exe	92
PID 3704 wrote to memory of 664	3704	babylockerkz.exe	92
PID 3704 wrote to memory of 664	3704	babylockerkz.exe	92
PID 664 wrote to memory of 492	664	net.exe	94
PID 664 wrote to memory of 492	664	net.exe	94
PID 664 wrote to memory of 492	664	net.exe	94
PID 3704 wrote to memory of 4656	3704	babylockerkz.exe	95
PID 3704 wrote to memory of 4656	3704	babylockerkz.exe	95
PID 3704 wrote to memory of 4656	3704	babylockerkz.exe	95
PID 4656 wrote to memory of 2140	4656	net.exe	97
PID 4656 wrote to memory of 2140	4656	net.exe	97
PID 4656 wrote to memory of 2140	4656	net.exe	97
PID 3704 wrote to memory of 2260	3704	babylockerkz.exe	98
PID 3704 wrote to memory of 2260	3704	babylockerkz.exe	98
PID 3704 wrote to memory of 2260	3704	babylockerkz.exe	98
PID 2260 wrote to memory of 3160	2260	net.exe	100
PID 2260 wrote to memory of 3160	2260	net.exe	100
PID 2260 wrote to memory of 3160	2260	net.exe	100
PID 3704 wrote to memory of 4388	3704	babylockerkz.exe	101
PID 3704 wrote to memory of 4388	3704	babylockerkz.exe	101
PID 3704 wrote to memory of 4388	3704	babylockerkz.exe	101
PID 4388 wrote to memory of 5052	4388	net.exe	103
PID 4388 wrote to memory of 5052	4388	net.exe	103
PID 4388 wrote to memory of 5052	4388	net.exe	103
PID 3704 wrote to memory of 4696	3704	babylockerkz.exe	104
PID 3704 wrote to memory of 4696	3704	babylockerkz.exe	104
PID 3704 wrote to memory of 4696	3704	babylockerkz.exe	104
PID 4696 wrote to memory of 1824	4696	net.exe	106
PID 4696 wrote to memory of 1824	4696	net.exe	106
PID 4696 wrote to memory of 1824	4696	net.exe	106
PID 3704 wrote to memory of 2408	3704	babylockerkz.exe	107
PID 3704 wrote to memory of 2408	3704	babylockerkz.exe	107
PID 3704 wrote to memory of 2408	3704	babylockerkz.exe	107
PID 2408 wrote to memory of 3724	2408	net.exe	109
PID 2408 wrote to memory of 3724	2408	net.exe	109
PID 2408 wrote to memory of 3724	2408	net.exe	109
PID 3704 wrote to memory of 2568	3704	babylockerkz.exe	110
PID 3704 wrote to memory of 2568	3704	babylockerkz.exe	110
PID 3704 wrote to memory of 2568	3704	babylockerkz.exe	110
PID 2568 wrote to memory of 3944	2568	net.exe	112
PID 2568 wrote to memory of 3944	2568	net.exe	112
PID 2568 wrote to memory of 3944	2568	net.exe	112
PID 3704 wrote to memory of 1076	3704	babylockerkz.exe	113

C:\Users\Admin\AppData\Local\Temp\babylockerkz.exe
"C:\Users\Admin\AppData\Local\Temp\babylockerkz.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& { }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\net.exe
  net stop "Acronis VSS Provider" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:4616
- C:\Windows\SysWOW64\net.exe
  net stop "Enterprise Client Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:2592
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Agent" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:984
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos AutoUpdate Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:492
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Clean Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:2140
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Device Control Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:3160
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos File Scanner Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:5052
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Health Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:1824
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Agent" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3724
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Client" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3944
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Message Router" /y
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Safestore Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:1924
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos System Protection Service" /y
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1640
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Web Control Service" /y
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:1608
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Backup Service" /y
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Filter Service" /y
  2⤵
  PID:748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    PID:2936
- C:\Windows\SysWOW64\net.exe
  net stop "Symantec System Recovery" /y
  2⤵
  PID:880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:2160
- C:\Windows\SysWOW64\net.exe
  net stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:1604
- C:\Windows\SysWOW64\net.exe
  net stop "AcronisAgent" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcronisAgent" /y
    3⤵
    PID:2252
- C:\Windows\SysWOW64\net.exe
  net stop "AcrSch2Svc" /y
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcrSch2Svc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4244
- C:\Windows\SysWOW64\net.exe
  net stop "Antivirus" /y
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Antivirus" /y
    3⤵
    PID:4548
- C:\Windows\SysWOW64\net.exe
  net stop "ARSM" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ARSM" /y
    3⤵
    PID:4076
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentAccelerator" /y
  2⤵
  PID:3340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
    3⤵
    PID:1936
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentBrowser" /y
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4632
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecDeviceMediaService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1112
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecJobEngine" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
    3⤵
    PID:4044
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecManagementService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecManagementService" /y
    3⤵
    PID:1668
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecRPCService" /y
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecRPCService" /y
    3⤵
    PID:2420
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecVSSProvider" /y
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- C:\Windows\SysWOW64\net.exe
  net stop "bedbg" /y
  2⤵
  PID:3052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "bedbg" /y
    3⤵
    PID:4088
- C:\Windows\SysWOW64\net.exe
  net stop "DCAgent" /y
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "DCAgent" /y
    3⤵
    PID:3088
- C:\Windows\SysWOW64\net.exe
  net stop "EPSecurityService" /y
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPSecurityService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1468
- C:\Windows\SysWOW64\net.exe
  net stop "EPUpdateService" /y
  2⤵
  PID:3092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPUpdateService" /y
    3⤵
    PID:4428
- C:\Windows\SysWOW64\net.exe
  net stop "EraserSvc11710" /y
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EraserSvc11710" /y
    3⤵
    PID:476
- C:\Windows\SysWOW64\net.exe
  net stop "EsgShKernel" /y
  2⤵
  PID:4960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EsgShKernel" /y
    3⤵
    PID:4124
- C:\Windows\SysWOW64\net.exe
  net stop "FA_Scheduler" /y
  2⤵
  PID:4796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "FA_Scheduler" /y
    3⤵
    PID:4832
- C:\Windows\SysWOW64\net.exe
  net stop "IISAdmin" /y
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISAdmin" /y
    3⤵
    PID:3576
- C:\Windows\SysWOW64\net.exe
  net stop "IMAP4Svc" /y
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IMAP4Svc" /y
    3⤵
    PID:3404
- C:\Windows\SysWOW64\net.exe
  net stop "macmnsvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "macmnsvc" /y
    3⤵
    PID:2512
- C:\Windows\SysWOW64\net.exe
  net stop "masvc" /y
  2⤵
  PID:2684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "masvc" /y
    3⤵
    PID:2900
- C:\Windows\SysWOW64\net.exe
  net stop "MBAMService" /y
  2⤵
  PID:4316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBAMService" /y
    3⤵
    PID:2400
- C:\Windows\SysWOW64\net.exe
  net stop "MBEndpointAgent" /y
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBEndpointAgent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeEngineService" /y
  2⤵
  PID:3200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeEngineService" /y
    3⤵
    PID:3464
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFramework" /y
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFramework" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1380
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFrameworkMcAfeeFramework" /y
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y
    3⤵
    PID:3148
- C:\Windows\SysWOW64\net.exe
  net stop "McShield" /y
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:4612
- C:\Windows\SysWOW64\net.exe
  net stop "McTaskManager" /y
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McTaskManager" /y
    3⤵
    PID:1572
- C:\Windows\SysWOW64\net.exe
  net stop "mfemms" /y
  2⤵
  PID:732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfemms" /y
    3⤵
    PID:4372
- C:\Windows\SysWOW64\net.exe
  net stop "mfevtp" /y
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfevtp" /y
    3⤵
    PID:2560
- C:\Windows\SysWOW64\net.exe
  net stop "MMS" /y
  2⤵
  PID:4232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MMS" /y
    3⤵
    PID:2440
- C:\Windows\SysWOW64\net.exe
  net stop "mozyprobackup" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mozyprobackup" /y
    3⤵
    PID:4320
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer" /y
  2⤵
  PID:4332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer100" /y
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer100" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer110" /y
  2⤵
  PID:2680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer110" /y
    3⤵
    PID:1028
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeES" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeES" /y
    3⤵
    PID:2100
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeIS" /y
  2⤵
  PID:412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeIS" /y
    3⤵
    PID:2532
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMGMT" /y
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMTA" /y
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMTA" /y
    3⤵
    PID:5112
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSA" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSA" /y
    3⤵
    PID:2464
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSRS" /y
  2⤵
  PID:656
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSRS" /y
    3⤵
    PID:2736
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SQL_2008" /y
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
    3⤵
    PID:3308
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SYSTEM_BGC" /y
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
    3⤵
    PID:1360
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPS" /y
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
    3⤵
    PID:5040
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPSAMA" /y
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
    3⤵
    PID:5108
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$BKUPEXEC" /y
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4952
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$ECWDB2" /y
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
    3⤵
    PID:3156
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTICEMGT" /y
  2⤵
  PID:5064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
    3⤵
    PID:4652
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTTICEBGC" /y
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
    3⤵
    PID:244
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROFXENGAGEMENT" /y
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2068
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SBSMONITORING" /y
  2⤵
  PID:3080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
    3⤵
    PID:1276
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SHAREPOINT" /y
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
    3⤵
    PID:4992
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQL_2008" /y
  2⤵
  PID:3580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
    3⤵
    PID:3856
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SYSTEM_BGC" /y
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
    3⤵
    PID:4820
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPS" /y
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPS" /y
    3⤵
    PID:4708
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPSAMA" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5008
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:4868
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2012" /y
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
    3⤵
    PID:4048
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher" /y
  2⤵
  PID:2944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
    3⤵
    PID:5028
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
    3⤵
    PID:2412
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SBSMONITORING" /y
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
    3⤵
    PID:968
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SHAREPOINT" /y
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4260
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SQL_2008" /y
  2⤵
  PID:736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
    3⤵
    PID:3868
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SYSTEM_BGC" /y
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
    3⤵
    PID:4420
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPS" /y
  2⤵
  PID:3384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
    3⤵
    PID:1356
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPSAMA" /y
  2⤵
  PID:1196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
    3⤵
    PID:3004
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLSERVER" /y
  2⤵
  PID:2360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLSERVER" /y
    3⤵
    PID:3276
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper100" /y
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
    3⤵
    PID:5032
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerOLAPService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
    3⤵
    PID:2916
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL80" /y
  2⤵
  PID:364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL80" /y
    3⤵
    PID:4276
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL57" /y
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL57" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
- C:\Windows\SysWOW64\net.exe
  net stop "ntrtscan" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ntrtscan" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1040
- C:\Windows\SysWOW64\net.exe
  net stop "OracleClientCache80" /y
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "OracleClientCache80" /y
    3⤵
    PID:4084
- C:\Windows\SysWOW64\net.exe
  net stop "PDVFSService" /y
  2⤵
  PID:3428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "PDVFSService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4252
- C:\Windows\SysWOW64\net.exe
  net stop "POP3Svc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "POP3Svc" /y
    3⤵
    PID:2344
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer" /y
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer" /y
    3⤵
    PID:1780
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SQL_2008" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
    3⤵
    PID:112
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SYSTEM_BGC" /y
  2⤵
  PID:3476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
    3⤵
    PID:2760
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPS" /y
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPS" /y
    3⤵
    PID:812
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPSAMA" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
    3⤵
    PID:3280
- C:\Windows\SysWOW64\net.exe
  net stop "RESvc" /y
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "RESvc" /y
    3⤵
    PID:3876
- C:\Windows\SysWOW64\net.exe
  net stop "sacsvr" /y
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sacsvr" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2976
- C:\Windows\SysWOW64\net.exe
  net stop "SamSs" /y
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:5060
- C:\Windows\SysWOW64\net.exe
  net stop "SAVAdminService" /y
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVAdminService" /y
    3⤵
    PID:4568
- C:\Windows\SysWOW64\net.exe
  net stop "SAVService" /y
  2⤵
  PID:4784
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVService" /y
    3⤵
    PID:4596
- C:\Windows\SysWOW64\net.exe
  net stop "SDRSVC" /y
  2⤵
  PID:3392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:3624
- C:\Windows\SysWOW64\net.exe
  net stop "SepMasterService" /y
  2⤵
  PID:3460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SepMasterService" /y
    3⤵
    PID:2104
- C:\Windows\SysWOW64\net.exe
  net stop "ShMonitor" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ShMonitor" /y
    3⤵
    PID:2964
- C:\Windows\SysWOW64\net.exe
  net stop "Smcinst" /y
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Smcinst" /y
    3⤵
    PID:3176
- C:\Windows\SysWOW64\net.exe
  net stop "SmcService" /y
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SmcService" /y
    3⤵
    PID:2248
- C:\Windows\SysWOW64\net.exe
  net stop "SMTPSvc" /y
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SMTPSvc" /y
    3⤵
    PID:4680
- C:\Windows\SysWOW64\net.exe
  net stop "SNAC" /y
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SNAC" /y
    3⤵
    PID:700
- C:\Windows\SysWOW64\net.exe
  net stop "SntpService" /y
  2⤵
  PID:4812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SntpService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4896
- C:\Windows\SysWOW64\net.exe
  net stop "sophossps" /y
  2⤵
  PID:3044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sophossps" /y
    3⤵
    PID:1920
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$BKUPEXEC" /y
  2⤵
  PID:908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
    3⤵
    PID:3140
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$ECWDB2" /y
  2⤵
  PID:3560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
    3⤵
    PID:5104
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEBGC" /y
  2⤵
  PID:652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
    3⤵
    PID:4024
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEMGT" /y
  2⤵
  PID:3740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2092
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROFXENGAGEMENT" /y
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
    3⤵
    PID:680
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SBSMONITORING" /y
  2⤵
  PID:4724
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
    3⤵
    PID:228
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SHAREPOINT" /y
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
    3⤵
    PID:3928
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQL_2008" /y
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
    3⤵
    PID:2432
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SYSTEM_BGC" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
    3⤵
    PID:3604
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPS" /y
  2⤵
  PID:4324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
    3⤵
    PID:3592
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPSAMA" /y
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
    3⤵
    PID:4856
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:3064
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2012" /y
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
    3⤵
    PID:3512
- C:\Windows\SysWOW64\net.exe
  net stop "SQLBrowser" /y
  2⤵
  PID:4500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLBrowser" /y
    3⤵
    PID:2172
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSafeOLRService" /y
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
    3⤵
    PID:3144
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSERVERAGENT" /y
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
    3⤵
    PID:3764
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY" /y
  2⤵
  PID:4392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
    3⤵
    PID:404
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY$ECWDB2" /y
  2⤵
  PID:4308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y
    3⤵
    PID:920
- C:\Windows\SysWOW64\net.exe
  net stop "SQLWriter" /y
  2⤵
  PID:3600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLWriter" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:496
- C:\Windows\SysWOW64\net.exe
  net stop "SstpSvc" /y
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:2812
- C:\Windows\SysWOW64\net.exe
  net stop "svcGenericHost" /y
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "svcGenericHost" /y
    3⤵
    PID:132
- C:\Windows\SysWOW64\net.exe
  net stop "swi_filter" /y
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_filter" /y
    3⤵
    PID:2780
- C:\Windows\SysWOW64\net.exe
  net stop "swi_service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_service" /y
    3⤵
    PID:3376
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update_64" /y
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update_64" /y
    3⤵
    PID:2240
- C:\Windows\SysWOW64\net.exe
  net stop "TmCCSF" /y
  2⤵
  PID:5132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TmCCSF" /y
    3⤵
    PID:5180
- C:\Windows\SysWOW64\net.exe
  net stop "tmlisten" /y
  2⤵
  PID:5196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "tmlisten" /y
    3⤵
    PID:5244
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKey" /y
  2⤵
  PID:5260
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKey" /y
    3⤵
    PID:5312
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyScheduler" /y
  2⤵
  PID:5328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyScheduler" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5368
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyServiceHelper" /y
  2⤵
  PID:5384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y
    3⤵
    PID:5428
- C:\Windows\SysWOW64\net.exe
  net stop "UI0Detect" /y
  2⤵
  PID:5444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:5488
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBackupSvc" /y
  2⤵
  PID:5504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
    3⤵
    PID:5552
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBrokerSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y
    3⤵
    PID:5616
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCatalogSvc" /y
  2⤵
  PID:5632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
    3⤵
    PID:5680
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCloudSvc" /y
  2⤵
  PID:5700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
    3⤵
    PID:5748
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploymentService" /y
  2⤵
  PID:5764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploymentService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5816
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploySvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploySvc" /y
    3⤵
    PID:5880
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamEnterpriseManagerSvc" /y
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
    3⤵
    PID:5944
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamMountSvc" /y
  2⤵
  PID:5960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamMountSvc" /y
    3⤵
    PID:6008
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamNFSSvc" /y
  2⤵
  PID:6024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
    3⤵
    PID:6068
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamRESTSvc" /y
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
    3⤵
    PID:6124
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamTransportSvc" /y
  2⤵
  PID:6140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamTransportSvc" /y
    3⤵
    PID:5152
- C:\Windows\SysWOW64\net.exe
  net stop "W3Svc" /y
  2⤵
  PID:5188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "W3Svc" /y
    3⤵
    PID:5256
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  PID:5220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:5308
- C:\Windows\SysWOW64\net.exe
  net stop "WRSVC" /y
  2⤵
  PID:5292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WRSVC" /y
    3⤵
    PID:5356
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:5396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:5456
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:5484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:5528
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamHvIntegrationSvc" /y
  2⤵
  PID:5540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y
    3⤵
    PID:5592
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5664
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CXDB" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
    3⤵
    PID:5708
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CITRIX_METAFRAME" /y
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
    3⤵
    PID:5848
- C:\Windows\SysWOW64\net.exe
  net stop "SQL Backups" /y
  2⤵
  PID:5884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    PID:5916
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROD" /y
  2⤵
  PID:5952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROD" /y
    3⤵
    PID:6020
- C:\Windows\SysWOW64\net.exe
  net stop "Zoolz 2 Service" /y
  2⤵
  PID:6004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    PID:6064
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper" /y
  2⤵
  PID:6044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
    3⤵
    PID:6096
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROD" /y
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
    3⤵
    PID:5164
- C:\Windows\SysWOW64\net.exe
  net stop "msftesql$PROD" /y
  2⤵
  PID:5248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "msftesql$PROD" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5300
- C:\Windows\SysWOW64\net.exe
  net stop "NetMsmqActivator" /y
  2⤵
  PID:5316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5336
- C:\Windows\SysWOW64\net.exe
  net stop "EhttpSrv" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EhttpSrv" /y
    3⤵
    PID:5420
- C:\Windows\SysWOW64\net.exe
  net stop "ekrn" /y
  2⤵
  PID:5412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ekrn" /y
    3⤵
    PID:5516
- C:\Windows\SysWOW64\net.exe
  net stop "ESHASRV" /y
  2⤵
  PID:5588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ESHASRV" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5644
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SOPHOS" /y
  2⤵
  PID:5660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
    3⤵
    PID:5780
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SOPHOS" /y
  2⤵
  PID:5744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
    3⤵
    PID:5804
- C:\Windows\SysWOW64\net.exe
  net stop "AVP" /y
  2⤵
  PID:5788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AVP" /y
    3⤵
    PID:5856
- C:\Windows\SysWOW64\net.exe
  net stop "klnagent" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "klnagent" /y
    3⤵
    PID:6056
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQLEXPRESS" /y
  2⤵
  PID:6048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6120
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQLEXPRESS" /y
  2⤵
  PID:6116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:912
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:5352
- C:\Windows\SysWOW64\net.exe
  net stop "kavfsslp" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "kavfsslp" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5392
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFSGT" /y
  2⤵
  PID:5492
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFSGT" /y
    3⤵
    PID:5560
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFS" /y
  2⤵
  PID:5612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFS" /y
    3⤵
    PID:5584
- C:\Windows\SysWOW64\net.exe
  net stop "mfefire" /y
  2⤵
  PID:5676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfefire" /y
    3⤵
    PID:5648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM zoolz.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5800
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM agntsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbeng50.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6092
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbsnmp.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM encsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM excel.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5272
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefoxconfig.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM infopath.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5608
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM isqlplussvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5852
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msaccess.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6108
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msftesql.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5124
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mspub.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5380
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopqos.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopservice.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-nt.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5968
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-opt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocautoupds.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5268
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocomm.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5372
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocssd.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM onenote.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM oracle.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM outlook.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM powerpnt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5404
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqbcoreservice.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5652
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlagent.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5240
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlbrowser.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5208
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlservr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5432
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlwriter.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5424
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM steam.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5624
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM synctime.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5992
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tbirdconfig.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5144
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat64.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thunderbird.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5564
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM visio.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM winword.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM wordpad.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5548
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM xfssvccon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tmlisten.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM PccNTMon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM CNTAoSMgr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5956
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM Ntrtscan.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5692
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mbamtray.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\!!!READ_ME_MEDUSA!!!.txt

Filesize
3KB

MD5
e2de9175680c4dadde2e1a0dd2af6dbb

SHA1
222b13b47a15385ceffcee517b2bf93c79abee30

SHA256
b68719e7d9c41d456dd605469d2d04ae26795ca7bcd06cc70551c87179e4dcbe

SHA512
2f4aa468f618839097df93aa15972c3e5a4edcdc696f7731c24da63e9a6625fe20989d2c320dccb8bb698ac7c4ba6789b92638705bc59b14f36af5709736e233

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmlsfqne.b5t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2024-3-0x0000000005470000-0x0000000005A9A000-memory.dmp

Filesize
6.2MB

Download
memory/2024-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/2024-4-0x00000000053E0000-0x0000000005402000-memory.dmp

Filesize
136KB

Download
memory/2024-5-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/2024-2-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/2024-7-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/2024-6-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/2024-16-0x0000000005DB0000-0x0000000006107000-memory.dmp

Filesize
3.3MB

Download
memory/2024-17-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/2024-18-0x00000000062F0000-0x000000000633C000-memory.dmp

Filesize
304KB

Download
memory/2024-21-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/2024-1-0x0000000004E00000-0x0000000004E36000-memory.dmp

Filesize
216KB

Download