medusaransomware | 078db298573943f3a52a21706f1a5e0bea2a577bd886eef754ae15fb72fe3557

Analysis

max time kernel
94s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2025, 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
Size

624KB
MD5

a6980e543efa40771ed1dcf84b29d732
SHA1

6586b2155afa5d7cda5cd3f8a7af37c4fe126a1d
SHA256

3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da
SHA512

d1ca8724c8879442907b7e45b59b954100ada37e036aa17496920a9783eb0738ff51831854acc8cafd805c116bfea47a903270fec74949f10b36eddf971ac06f
SSDEEP

12288:/ktG6SXJb0DdQ0k0HGzZbkh0wchQ5HYaIhadnR/t256S5AA2Ltyaxn1gUEEkfTSX:kS9JmVSvGWEAng/qwnYPRslWPLu1

Score

10^/10

medusaransomware credential_access discovery persistence ransomware spyware stealer

Malware Config

Signatures

Medusa Ransomware
Ransomware first identified in 2022 that is distinct from the similarly named ransomware family MedusaLocker.
ransomware medusaransomware
Medusaransomware family
medusaransomware
Renames multiple (8809) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1121399784-3202166597-3503557106-1000\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Public\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1121399784-3202166597-3503557106-1000\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\PowerPointCapabilities.json	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg5_thumb.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-100.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Reconnected_Loud.m4a	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\s_empty_folder_state.svg	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Third Party Notices.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-200.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreSmallTile.scale-200.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\main.js	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmpnetwk.exe.mui	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\MediumTile.scale-200_contrast-white.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-200.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-latn-cs\mso.acl	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-125.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Social.DATA	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-PT.pak	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio_Model_CX.winmd	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\!!!READ_ME_MEDUSA!!!.txt	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\update-settings.ini	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxManifest.xml	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\Url.ot	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\PlayStore_icon.svg	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7044	872	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5676	cmd.exe
7804	PING.EXE

Kills process with taskkill 44 IoCs

defense_evasion

pid	Process
5860	taskkill.exe
6316	taskkill.exe
7132	taskkill.exe
6216	taskkill.exe
5952	taskkill.exe
5752	taskkill.exe
5612	taskkill.exe
368	taskkill.exe
5620	taskkill.exe
5468	taskkill.exe
5660	taskkill.exe
6368	taskkill.exe
6804	taskkill.exe
7020	taskkill.exe
6184	taskkill.exe
5192	taskkill.exe
5940	taskkill.exe
6424	taskkill.exe
6536	taskkill.exe
5216	taskkill.exe
5996	taskkill.exe
6148	taskkill.exe
6964	taskkill.exe
7076	taskkill.exe
5540	taskkill.exe
5648	taskkill.exe
5348	taskkill.exe
6120	taskkill.exe
6696	taskkill.exe
6748	taskkill.exe
6588	taskkill.exe
6908	taskkill.exe
6056	taskkill.exe
5892	taskkill.exe
6112	taskkill.exe
5672	taskkill.exe
6208	taskkill.exe
6260	taskkill.exe
6336	taskkill.exe
6156	taskkill.exe
6476	taskkill.exe
6640	taskkill.exe
6856	taskkill.exe
6420	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1121399784-3202166597-3503557106-1000\{98A7512F-2DFE-4BA9-A804-8DAC068F50FA}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
7804	PING.EXE

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	5952	taskkill.exe
Token: SeDebugPrivilege	5540	taskkill.exe
Token: SeDebugPrivilege	5468	taskkill.exe
Token: SeDebugPrivilege	5860	taskkill.exe
Token: SeDebugPrivilege	5216	taskkill.exe
Token: SeDebugPrivilege	5752	taskkill.exe
Token: SeDebugPrivilege	6056	taskkill.exe
Token: SeDebugPrivilege	5660	taskkill.exe
Token: SeDebugPrivilege	5892	taskkill.exe
Token: SeDebugPrivilege	5648	taskkill.exe
Token: SeDebugPrivilege	5612	taskkill.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	5996	taskkill.exe
Token: SeDebugPrivilege	6112	taskkill.exe
Token: SeDebugPrivilege	5192	taskkill.exe
Token: SeDebugPrivilege	5620	taskkill.exe
Token: SeDebugPrivilege	5672	taskkill.exe
Token: SeDebugPrivilege	5348	taskkill.exe
Token: SeDebugPrivilege	6120	taskkill.exe
Token: SeDebugPrivilege	5940	taskkill.exe
Token: SeDebugPrivilege	6156	taskkill.exe
Token: SeDebugPrivilege	6208	taskkill.exe
Token: SeDebugPrivilege	6260	taskkill.exe
Token: SeDebugPrivilege	6316	taskkill.exe
Token: SeDebugPrivilege	6368	taskkill.exe
Token: SeDebugPrivilege	6424	taskkill.exe
Token: SeDebugPrivilege	6476	taskkill.exe
Token: SeDebugPrivilege	6536	taskkill.exe
Token: SeDebugPrivilege	6588	taskkill.exe
Token: SeDebugPrivilege	6640	taskkill.exe
Token: SeDebugPrivilege	6696	taskkill.exe
Token: SeDebugPrivilege	6748	taskkill.exe
Token: SeDebugPrivilege	6804	taskkill.exe
Token: SeDebugPrivilege	6856	taskkill.exe
Token: SeDebugPrivilege	6908	taskkill.exe
Token: SeDebugPrivilege	6964	taskkill.exe
Token: SeDebugPrivilege	7020	taskkill.exe
Token: SeDebugPrivilege	7076	taskkill.exe
Token: SeDebugPrivilege	7132	taskkill.exe
Token: SeDebugPrivilege	6148	taskkill.exe
Token: SeDebugPrivilege	6184	taskkill.exe
Token: SeDebugPrivilege	6216	taskkill.exe
Token: SeDebugPrivilege	6336	taskkill.exe
Token: SeDebugPrivilege	6420	taskkill.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeCreatePagefilePrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeCreatePagefilePrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeCreatePagefilePrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeCreatePagefilePrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeCreatePagefilePrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeCreatePagefilePrivilege	2432	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 4792	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	84
PID 872 wrote to memory of 4792	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	84
PID 872 wrote to memory of 4792	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	84
PID 4792 wrote to memory of 4340	4792	net.exe	86
PID 4792 wrote to memory of 4340	4792	net.exe	86
PID 4792 wrote to memory of 4340	4792	net.exe	86
PID 872 wrote to memory of 4476	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	87
PID 872 wrote to memory of 4476	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	87
PID 872 wrote to memory of 4476	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	87
PID 4476 wrote to memory of 3304	4476	net.exe	89
PID 4476 wrote to memory of 3304	4476	net.exe	89
PID 4476 wrote to memory of 3304	4476	net.exe	89
PID 872 wrote to memory of 4880	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	90
PID 872 wrote to memory of 4880	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	90
PID 872 wrote to memory of 4880	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	90
PID 4880 wrote to memory of 3016	4880	net.exe	92
PID 4880 wrote to memory of 3016	4880	net.exe	92
PID 4880 wrote to memory of 3016	4880	net.exe	92
PID 872 wrote to memory of 3660	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	94
PID 872 wrote to memory of 3660	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	94
PID 872 wrote to memory of 3660	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	94
PID 3660 wrote to memory of 3696	3660	net.exe	96
PID 3660 wrote to memory of 3696	3660	net.exe	96
PID 3660 wrote to memory of 3696	3660	net.exe	96
PID 872 wrote to memory of 4860	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	97
PID 872 wrote to memory of 4860	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	97
PID 872 wrote to memory of 4860	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	97
PID 4860 wrote to memory of 4292	4860	net.exe	99
PID 4860 wrote to memory of 4292	4860	net.exe	99
PID 4860 wrote to memory of 4292	4860	net.exe	99
PID 872 wrote to memory of 2936	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	100
PID 872 wrote to memory of 2936	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	100
PID 872 wrote to memory of 2936	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	100
PID 2936 wrote to memory of 1968	2936	net.exe	102
PID 2936 wrote to memory of 1968	2936	net.exe	102
PID 2936 wrote to memory of 1968	2936	net.exe	102
PID 872 wrote to memory of 4536	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	103
PID 872 wrote to memory of 4536	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	103
PID 872 wrote to memory of 4536	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	103
PID 4536 wrote to memory of 3028	4536	net.exe	105
PID 4536 wrote to memory of 3028	4536	net.exe	105
PID 4536 wrote to memory of 3028	4536	net.exe	105
PID 872 wrote to memory of 1488	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	107
PID 872 wrote to memory of 1488	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	107
PID 872 wrote to memory of 1488	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	107
PID 1488 wrote to memory of 4344	1488	net.exe	109
PID 1488 wrote to memory of 4344	1488	net.exe	109
PID 1488 wrote to memory of 4344	1488	net.exe	109
PID 872 wrote to memory of 64	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	110
PID 872 wrote to memory of 64	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	110
PID 872 wrote to memory of 64	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	110
PID 64 wrote to memory of 1312	64	net.exe	112
PID 64 wrote to memory of 1312	64	net.exe	112
PID 64 wrote to memory of 1312	64	net.exe	112
PID 872 wrote to memory of 452	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	113
PID 872 wrote to memory of 452	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	113
PID 872 wrote to memory of 452	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	113
PID 452 wrote to memory of 832	452	net.exe	115
PID 452 wrote to memory of 832	452	net.exe	115
PID 452 wrote to memory of 832	452	net.exe	115
PID 872 wrote to memory of 1764	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	116
PID 872 wrote to memory of 1764	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	116
PID 872 wrote to memory of 1764	872	3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe	116
PID 1764 wrote to memory of 5096	1764	net.exe	119

C:\Users\Admin\AppData\Local\Temp\3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
"C:\Users\Admin\AppData\Local\Temp\3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\net.exe
  net stop "Acronis VSS Provider" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:4340
- C:\Windows\SysWOW64\net.exe
  net stop "Enterprise Client Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3304
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Agent" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:3016
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos AutoUpdate Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3696
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Clean Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:4292
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Device Control Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:1968
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos File Scanner Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:3028
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Health Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:4344
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Agent" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:1312
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Client" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:832
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Message Router" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:5096
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Safestore Service" /y
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3540
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos System Protection Service" /y
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:2608
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Web Control Service" /y
  2⤵
  PID:4948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:1840
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Backup Service" /y
  2⤵
  PID:112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:4624
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Filter Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4220
- C:\Windows\SysWOW64\net.exe
  net stop "Symantec System Recovery" /y
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:904
- C:\Windows\SysWOW64\net.exe
  net stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:5064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:1148
- C:\Windows\SysWOW64\net.exe
  net stop "AcronisAgent" /y
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcronisAgent" /y
    3⤵
    PID:1648
- C:\Windows\SysWOW64\net.exe
  net stop "AcrSch2Svc" /y
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcrSch2Svc" /y
    3⤵
    PID:3500
- C:\Windows\SysWOW64\net.exe
  net stop "Antivirus" /y
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Antivirus" /y
    3⤵
    PID:3856
- C:\Windows\SysWOW64\net.exe
  net stop "ARSM" /y
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ARSM" /y
    3⤵
    PID:5004
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentAccelerator" /y
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4764
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentBrowser" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y
    3⤵
    PID:3124
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecDeviceMediaService" /y
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
    3⤵
    PID:2188
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecJobEngine" /y
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
    3⤵
    PID:2784
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecManagementService" /y
  2⤵
  PID:1376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecManagementService" /y
    3⤵
    PID:3012
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecRPCService" /y
  2⤵
  PID:3392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecRPCService" /y
    3⤵
    PID:3492
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecVSSProvider" /y
  2⤵
  PID:60
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1124
- C:\Windows\SysWOW64\net.exe
  net stop "bedbg" /y
  2⤵
  PID:3216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "bedbg" /y
    3⤵
    PID:3268
- C:\Windows\SysWOW64\net.exe
  net stop "DCAgent" /y
  2⤵
  PID:4704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "DCAgent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3672
- C:\Windows\SysWOW64\net.exe
  net stop "EPSecurityService" /y
  2⤵
  PID:4068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPSecurityService" /y
    3⤵
    PID:956
- C:\Windows\SysWOW64\net.exe
  net stop "EPUpdateService" /y
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPUpdateService" /y
    3⤵
    PID:4120
- C:\Windows\SysWOW64\net.exe
  net stop "EraserSvc11710" /y
  2⤵
  PID:4984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EraserSvc11710" /y
    3⤵
    PID:4028
- C:\Windows\SysWOW64\net.exe
  net stop "EsgShKernel" /y
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EsgShKernel" /y
    3⤵
    PID:2768
- C:\Windows\SysWOW64\net.exe
  net stop "FA_Scheduler" /y
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "FA_Scheduler" /y
    3⤵
    PID:4868
- C:\Windows\SysWOW64\net.exe
  net stop "IISAdmin" /y
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISAdmin" /y
    3⤵
    PID:3624
- C:\Windows\SysWOW64\net.exe
  net stop "IMAP4Svc" /y
  2⤵
  PID:3628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IMAP4Svc" /y
    3⤵
    PID:1076
- C:\Windows\SysWOW64\net.exe
  net stop "macmnsvc" /y
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "macmnsvc" /y
    3⤵
    PID:2492
- C:\Windows\SysWOW64\net.exe
  net stop "masvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "masvc" /y
    3⤵
    PID:2748
- C:\Windows\SysWOW64\net.exe
  net stop "MBAMService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBAMService" /y
    3⤵
    PID:1672
- C:\Windows\SysWOW64\net.exe
  net stop "MBEndpointAgent" /y
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBEndpointAgent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1216
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeEngineService" /y
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeEngineService" /y
    3⤵
    PID:4452
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFramework" /y
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFramework" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:612
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFrameworkMcAfeeFramework" /y
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y
    3⤵
    PID:3152
- C:\Windows\SysWOW64\net.exe
  net stop "McShield" /y
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:4940
- C:\Windows\SysWOW64\net.exe
  net stop "McTaskManager" /y
  2⤵
  PID:2512
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McTaskManager" /y
    3⤵
    PID:1880
- C:\Windows\SysWOW64\net.exe
  net stop "mfemms" /y
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfemms" /y
    3⤵
    PID:4788
- C:\Windows\SysWOW64\net.exe
  net stop "mfevtp" /y
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfevtp" /y
    3⤵
    PID:800
- C:\Windows\SysWOW64\net.exe
  net stop "MMS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MMS" /y
    3⤵
    PID:5100
- C:\Windows\SysWOW64\net.exe
  net stop "mozyprobackup" /y
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mozyprobackup" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer" /y
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer" /y
    3⤵
    PID:4876
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer100" /y
  2⤵
  PID:3052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer100" /y
    3⤵
    PID:1824
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer110" /y
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer110" /y
    3⤵
    PID:3904
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeES" /y
  2⤵
  PID:3620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeES" /y
    3⤵
    PID:5108
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeIS" /y
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeIS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4896
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMGMT" /y
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
    3⤵
    PID:2904
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMTA" /y
  2⤵
  PID:4152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMTA" /y
    3⤵
    PID:3076
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSA" /y
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSA" /y
    3⤵
    PID:2092
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSRS" /y
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSRS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3140
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SQL_2008" /y
  2⤵
  PID:4256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3480
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SYSTEM_BGC" /y
  2⤵
  PID:552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
    3⤵
    PID:5092
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPS" /y
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPSAMA" /y
  2⤵
  PID:4156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
    3⤵
    PID:1600
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$BKUPEXEC" /y
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
    3⤵
    PID:1724
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$ECWDB2" /y
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
    3⤵
    PID:5044
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTICEMGT" /y
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
    3⤵
    PID:3404
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTTICEBGC" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
    3⤵
    PID:1644
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROFXENGAGEMENT" /y
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
    3⤵
    PID:3144
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SBSMONITORING" /y
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
    3⤵
    PID:1240
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SHAREPOINT" /y
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
    3⤵
    PID:1696
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQL_2008" /y
  2⤵
  PID:856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:804
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SYSTEM_BGC" /y
  2⤵
  PID:4324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
    3⤵
    PID:212
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPS" /y
  2⤵
  PID:4396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPS" /y
    3⤵
    PID:3204
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPSAMA" /y
  2⤵
  PID:3252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
    3⤵
    PID:1408
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:4720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2012" /y
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
    3⤵
    PID:644
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher" /y
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
    3⤵
    PID:3580
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
    3⤵
    PID:2128
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SBSMONITORING" /y
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
    3⤵
    PID:3180
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SHAREPOINT" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
    3⤵
    PID:3716
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SQL_2008" /y
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4384
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SYSTEM_BGC" /y
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPS" /y
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
    3⤵
    PID:4996
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPSAMA" /y
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
    3⤵
    PID:4712
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLSERVER" /y
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLSERVER" /y
    3⤵
    PID:4260
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper100" /y
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
    3⤵
    PID:2928
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerOLAPService" /y
  2⤵
  PID:4172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL80" /y
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL80" /y
    3⤵
    PID:5008
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL57" /y
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL57" /y
    3⤵
    PID:4048
- C:\Windows\SysWOW64\net.exe
  net stop "ntrtscan" /y
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ntrtscan" /y
    3⤵
    PID:852
- C:\Windows\SysWOW64\net.exe
  net stop "OracleClientCache80" /y
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "OracleClientCache80" /y
    3⤵
    PID:4864
- C:\Windows\SysWOW64\net.exe
  net stop "PDVFSService" /y
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "PDVFSService" /y
    3⤵
    PID:404
- C:\Windows\SysWOW64\net.exe
  net stop "POP3Svc" /y
  2⤵
  PID:416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "POP3Svc" /y
    3⤵
    PID:1292
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer" /y
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer" /y
    3⤵
    PID:2176
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SQL_2008" /y
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
    3⤵
    PID:4540
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SYSTEM_BGC" /y
  2⤵
  PID:3592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
    3⤵
    PID:3184
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPS" /y
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPS" /y
    3⤵
    PID:1932
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPSAMA" /y
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
    3⤵
    PID:3976
- C:\Windows\SysWOW64\net.exe
  net stop "RESvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "RESvc" /y
    3⤵
    PID:3416
- C:\Windows\SysWOW64\net.exe
  net stop "sacsvr" /y
  2⤵
  PID:4276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sacsvr" /y
    3⤵
    PID:4352
- C:\Windows\SysWOW64\net.exe
  net stop "SamSs" /y
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3280
- C:\Windows\SysWOW64\net.exe
  net stop "SAVAdminService" /y
  2⤵
  PID:2720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVAdminService" /y
    3⤵
    PID:3264
- C:\Windows\SysWOW64\net.exe
  net stop "SAVService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVService" /y
    3⤵
    PID:3164
- C:\Windows\SysWOW64\net.exe
  net stop "SDRSVC" /y
  2⤵
  PID:4884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:1224
- C:\Windows\SysWOW64\net.exe
  net stop "SepMasterService" /y
  2⤵
  PID:4336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SepMasterService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- C:\Windows\SysWOW64\net.exe
  net stop "ShMonitor" /y
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ShMonitor" /y
    3⤵
    PID:2884
- C:\Windows\SysWOW64\net.exe
  net stop "Smcinst" /y
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Smcinst" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264
- C:\Windows\SysWOW64\net.exe
  net stop "SmcService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SmcService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- C:\Windows\SysWOW64\net.exe
  net stop "SMTPSvc" /y
  2⤵
  PID:4308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SMTPSvc" /y
    3⤵
    PID:2192
- C:\Windows\SysWOW64\net.exe
  net stop "SNAC" /y
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SNAC" /y
    3⤵
    PID:748
- C:\Windows\SysWOW64\net.exe
  net stop "SntpService" /y
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SntpService" /y
    3⤵
    PID:2992
- C:\Windows\SysWOW64\net.exe
  net stop "sophossps" /y
  2⤵
  PID:4744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sophossps" /y
    3⤵
    PID:3328
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$BKUPEXEC" /y
  2⤵
  PID:2892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
    3⤵
    PID:4424
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$ECWDB2" /y
  2⤵
  PID:984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
    3⤵
    PID:4516
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEBGC" /y
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
    3⤵
    PID:3820
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEMGT" /y
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
    3⤵
    PID:4052
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROFXENGAGEMENT" /y
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
    3⤵
    PID:2972
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SBSMONITORING" /y
  2⤵
  PID:5132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
    3⤵
    PID:5180
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SHAREPOINT" /y
  2⤵
  PID:5196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
    3⤵
    PID:5240
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQL_2008" /y
  2⤵
  PID:5256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
    3⤵
    PID:5304
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SYSTEM_BGC" /y
  2⤵
  PID:5320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
    3⤵
    PID:5368
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPS" /y
  2⤵
  PID:5384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
    3⤵
    PID:5432
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPSAMA" /y
  2⤵
  PID:5448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5496
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:5512
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:5560
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2012" /y
  2⤵
  PID:5576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
    3⤵
    PID:5624
- C:\Windows\SysWOW64\net.exe
  net stop "SQLBrowser" /y
  2⤵
  PID:5640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLBrowser" /y
    3⤵
    PID:5692
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSafeOLRService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
    3⤵
    PID:5756
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSERVERAGENT" /y
  2⤵
  PID:5772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
    3⤵
    PID:5820
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
    3⤵
    PID:5884
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY$ECWDB2" /y
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y
    3⤵
    PID:5948
- C:\Windows\SysWOW64\net.exe
  net stop "SQLWriter" /y
  2⤵
  PID:5964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLWriter" /y
    3⤵
    PID:6012
- C:\Windows\SysWOW64\net.exe
  net stop "SstpSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:6076
- C:\Windows\SysWOW64\net.exe
  net stop "svcGenericHost" /y
  2⤵
  PID:6096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "svcGenericHost" /y
    3⤵
    PID:5124
- C:\Windows\SysWOW64\net.exe
  net stop "swi_filter" /y
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_filter" /y
    3⤵
    PID:5172
- C:\Windows\SysWOW64\net.exe
  net stop "swi_service" /y
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_service" /y
    3⤵
    PID:5224
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update_64" /y
  2⤵
  PID:5268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update_64" /y
    3⤵
    PID:5336
- C:\Windows\SysWOW64\net.exe
  net stop "TmCCSF" /y
  2⤵
  PID:5376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TmCCSF" /y
    3⤵
    PID:5396
- C:\Windows\SysWOW64\net.exe
  net stop "tmlisten" /y
  2⤵
  PID:5428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "tmlisten" /y
    3⤵
    PID:5500
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKey" /y
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKey" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5552
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyScheduler" /y
  2⤵
  PID:5520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyScheduler" /y
    3⤵
    PID:5604
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyServiceHelper" /y
  2⤵
  PID:5656
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y
    3⤵
    PID:5724
- C:\Windows\SysWOW64\net.exe
  net stop "UI0Detect" /y
  2⤵
  PID:5760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:5832
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBackupSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
    3⤵
    PID:5880
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBrokerSvc" /y
  2⤵
  PID:5872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y
    3⤵
    PID:5932
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCatalogSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5972
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCloudSvc" /y
  2⤵
  PID:6080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6116
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploymentService" /y
  2⤵
  PID:5128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploymentService" /y
    3⤵
    PID:5164
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploySvc" /y
  2⤵
  PID:5148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploySvc" /y
    3⤵
    PID:5244
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamEnterpriseManagerSvc" /y
  2⤵
  PID:5220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
    3⤵
    PID:5292
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamMountSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamMountSvc" /y
    3⤵
    PID:5420
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamNFSSvc" /y
  2⤵
  PID:5472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5544
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamRESTSvc" /y
  2⤵
  PID:5564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
    3⤵
    PID:5628
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamTransportSvc" /y
  2⤵
  PID:5616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamTransportSvc" /y
    3⤵
    PID:5680
- C:\Windows\SysWOW64\net.exe
  net stop "W3Svc" /y
  2⤵
  PID:5748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "W3Svc" /y
    3⤵
    PID:5736
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  PID:5808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:5912
- C:\Windows\SysWOW64\net.exe
  net stop "WRSVC" /y
  2⤵
  PID:5928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WRSVC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6048
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:6000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:6036
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:6132
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamHvIntegrationSvc" /y
  2⤵
  PID:5236
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y
    3⤵
    PID:5300
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5372
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update" /y
    3⤵
    PID:5488
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CXDB" /y
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
    3⤵
    PID:5456
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CITRIX_METAFRAME" /y
  2⤵
  PID:5504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
    3⤵
    PID:5588
- C:\Windows\SysWOW64\net.exe
  net stop "SQL Backups" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    PID:5780
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROD" /y
  2⤵
  PID:5784
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROD" /y
    3⤵
    PID:5856
- C:\Windows\SysWOW64\net.exe
  net stop "Zoolz 2 Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6024
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper" /y
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5176
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROD" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
    3⤵
    PID:5204
- C:\Windows\SysWOW64\net.exe
  net stop "msftesql$PROD" /y
  2⤵
  PID:5296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "msftesql$PROD" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5328
- C:\Windows\SysWOW64\net.exe
  net stop "NetMsmqActivator" /y
  2⤵
  PID:5360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:5536
- C:\Windows\SysWOW64\net.exe
  net stop "EhttpSrv" /y
  2⤵
  PID:5600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EhttpSrv" /y
    3⤵
    PID:5636
- C:\Windows\SysWOW64\net.exe
  net stop "ekrn" /y
  2⤵
  PID:5800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ekrn" /y
    3⤵
    PID:5824
- C:\Windows\SysWOW64\net.exe
  net stop "ESHASRV" /y
  2⤵
  PID:5852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ESHASRV" /y
    3⤵
    PID:6072
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SOPHOS" /y
  2⤵
  PID:6020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
    3⤵
    PID:6068
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SOPHOS" /y
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
    3⤵
    PID:4168
- C:\Windows\SysWOW64\net.exe
  net stop "AVP" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AVP" /y
    3⤵
    PID:5208
- C:\Windows\SysWOW64\net.exe
  net stop "klnagent" /y
  2⤵
  PID:5400
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "klnagent" /y
    3⤵
    PID:5696
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQLEXPRESS" /y
  2⤵
  PID:5684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
    3⤵
    PID:5688
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQLEXPRESS" /y
  2⤵
  PID:5704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
    3⤵
    PID:5924
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  PID:6044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:6064
- C:\Windows\SysWOW64\net.exe
  net stop "kavfsslp" /y
  2⤵
  PID:5152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "kavfsslp" /y
    3⤵
    PID:6052
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFSGT" /y
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFSGT" /y
    3⤵
    PID:5524
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFS" /y
  2⤵
  PID:5532
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFS" /y
    3⤵
    PID:5816
- C:\Windows\SysWOW64\net.exe
  net stop "mfefire" /y
  2⤵
  PID:5888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfefire" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5992
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM zoolz.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM agntsvc.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbeng50.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbsnmp.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM encsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM excel.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefoxconfig.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM infopath.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5660
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM isqlplussvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5892
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msaccess.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msftesql.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5612
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mspub.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopqos.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5996
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopservice.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6112
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5192
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-nt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-opt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocautoupds.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5348
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocomm.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6120
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocssd.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM onenote.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6156
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM oracle.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6208
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM outlook.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6260
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM powerpnt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6316
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqbcoreservice.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6368
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlagent.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6424
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlbrowser.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6476
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlservr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlwriter.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6588
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM steam.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM synctime.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6696
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tbirdconfig.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6748
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat64.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6856
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thunderbird.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6908
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM visio.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6964
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM winword.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7020
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM wordpad.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7076
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM xfssvccon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7132
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tmlisten.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6148
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM PccNTMon.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM CNTAoSMgr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM Ntrtscan.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6336
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mbamtray.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5676
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:7804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 364
  2⤵
  - Program crash
  PID:7044

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 872 -ip 872
1⤵
PID:7756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1121399784-3202166597-3503557106-1000\desktop.ini

Filesize
488B

MD5
aaad78f68399c77df909cfa8a74ce7d2

SHA1
a7f1cbf19eac85a6f8b85b64669b0e62fd24b4cc

SHA256
5bc9784783a2589d06cd9ab0516e42a6dd6d3d531862f55e05cc8789bb2d2725

SHA512
53a8ff0176cf417386c012ce357f71d9a570f3b511bd768c8cbe12876c4beb0814da9b2c990fa21a8f1d543c5cc858edc7d7c7507787a7250dc6c9a196cd9ea3

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.MEDUSA

Filesize
623KB

MD5
0cfb7b3c0a4e4ff21840822989240447

SHA1
0bed3849982128859b903a3715b07e9924a521a3

SHA256
f1862f79ea285967903365096485a17309a5abc231b6598e3489fee704926815

SHA512
442315078c0232bddbb63ee44939a8a9df90bd6d2d40a646f0d5961eff41f51be889628c5df0930e0e0ca7b0be019973003ade8f6b149987c15b4bb877e93d00

Download Submit
F:\!!!READ_ME_MEDUSA!!!.txt

Filesize
3KB

MD5
5403d641e60c7d266a7070be82dba163

SHA1
4362f925483128ee3fc65d1612309c0475b5cd59

SHA256
b60a2235cf8d69a222692ac19230be187e062ab208dbe7ff24027ef47ce0634d

SHA512
a013d8462fe8e039150356ef9773b20114d6ae21d21331bb05db200710f1d3b699234ce51cbade7f3caeec577f520cdcc145d149bebdb552e0ebd90fcc41147d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads