medusaransomware | 44d615a792f73ed5620217ed02b0ee085c3ae5f12112abdb3b4bc3fcc64702be

Analysis

max time kernel
20s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/02/2025, 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gaze.exe
Size

624KB
MD5

0fbd035c4b9dc78592741178965bb929
SHA1

b7f9af55daa054b26a69a829ec01017cc62fb0d7
SHA256

44d615a792f73ed5620217ed02b0ee085c3ae5f12112abdb3b4bc3fcc64702be
SHA512

3b4fef22bf1038dbad86d5625f00480b1ff11e6992de5283607f22566ef40d53b72e66b4e30ae42099211b5711cdfdd2ae9156421d04c8c2fdaf4353f228f1e4
SSDEEP

12288:ro4G6SXpb0D1eZc8nr7nHytNZSNIxBwUiFuY+0MFgFCUpsmIptTiREdwOI0cBpWE:R2+YJmVSvGWEUnvvqw4jBRsLWPx2g

Score

10^/10

medusaransomware defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

F:\!!!READ_ME_MEDUSA!!!.txt

Ransom Note

$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ | $$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ | $$ \$$$ $$ |$$ __| $$ | $$ |$$ | $$ | \____$$\ $$ __$$ | $$ |\$ /$$ |$$ | $$ | $$ |$$ | $$ |$$\ $$ |$$ | $$ | $$ | \_/ $$ |$$$$$$$$\ $$$$$$$ |\$$$$$$ |\$$$$$$ |$$ | $$ | \__| \__|\________|\_______/ \______/ \______/ \__| \__| -----------------------------[ Hello, Safco International Gen Trading !!! ]-------------------------- Sorry to interrupt your busy business. WHAT HAPPEND? ------------------------------------------------------------ 1. We have PENETRATE your network and COPIED data. We have penetrated your entire network and researched all about your data. And we have copied all of your confidential data and uploaded to private storage. * You're running a highly valued business and your data was very crucial. 2. We have ENCRYPTED your files. While you are reading this message, it means your files and data has been ENCRYPTED by world's strongest ransomware. Your files have encrypted with new military-grade encryption algorithm and you can not decrypt your files. But don't worry, we can decrypt your files. There is only one possible way to get back your computers and servers, keep your privacy safe - CONTACT us via LIVE CHAT and pay for the special MEDUSA DECRYPTOR and DECRYPTION KEYs. This MEDUSA DECRYPTOR will restore your entire network within less than 1 business day. WHAT GUARANTEES? --------------------------------------------------------------- We can post all of your critial data to the public and send emails to your competitors. We have professional OSINTs and media team for leak data to telegram, facebook, twitter channels and top news websites. You can easily search about us. You can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues. After paying for the data breach and decryption, we guarantee that your data will never be leaked and make everything silent, this is also for our reputation. YOU should be AWARE! --------------------------------------------------------------- We will speak only with an authorized person. It can be the CEO, top management etc. In case you ar not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm! If you do not contact us within 48 hours, We will start publish your case to our official blog and everybody will start notice your incident! --------------------[ Telegram channel ]-------------------- https://t.me/+lyskiDn9KiYxZjlh --------------------[ Official blog tor address ]-------------------- Using TOR Browser(https://www.torproject.org/download/): http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/ http://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion/ CONTACT US! ----------------------[ Your company live chat address ]--------------------------- Using TOR Browser(https://www.torproject.org/download/): http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/dbac476f3e0567a12197769669cc2a1b Backup Mirrors: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/dbac476f3e0567a12197769669cc2a1b --------------------[ Or Use Tox Chat Program(https://utox.org/uTox_win64.exe) ]-------------------- Add user with our tox ID : AEA72DFCF492037A6D15755A74645C7D8E674E342BACA9F9070A3FB74117EC3143FD6E29BEAC Our support email: ( [email protected] ) Company identification hash: aa56f51138a92f1923887b7e455ad8c4ad3b88c54b58d25a5766d49bfdbcb39e

Emails

[email protected]

URLs

https://t.me/+lyskiDn9KiYxZjlh

http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/

http://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion/

http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/dbac476f3e0567a12197769669cc2a1b

http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/dbac476f3e0567a12197769669cc2a1b

Signatures

Medusa Ransomware
Ransomware first identified in 2022 that is distinct from the similarly named ransomware family MedusaLocker.
ransomware medusaransomware
Medusaransomware family
medusaransomware
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (4565) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 13 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	gaze.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	gaze.exe
File opened for modification	C:\Program Files\desktop.ini	gaze.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	gaze.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	gaze.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	gaze.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	gaze.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	gaze.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	gaze.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	gaze.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	gaze.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	gaze.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	gaze.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js	gaze.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf	gaze.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01657_.WMF	gaze.exe
File created	C:\Program Files\Common Files\System\it-IT\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac	gaze.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe	gaze.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	gaze.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml	gaze.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\VSTARemotingServer.tlb	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	gaze.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html	gaze.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200163.WMF	gaze.exe
File created	C:\Program Files\Common Files\System\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.INF	gaze.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif	gaze.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG	gaze.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL	gaze.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers	gaze.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server-15.jar	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties	gaze.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml	gaze.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo	gaze.exe
File opened for modification	C:\Program Files\VideoLAN\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152432.WMF	gaze.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse_1.1.200.v20140414-0825.jar	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar	gaze.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tt\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui	gaze.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png	gaze.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png	gaze.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml	gaze.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar	gaze.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-text.jar	gaze.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\settings.css	gaze.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui	gaze.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx	gaze.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106124.WMF	gaze.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files\Common Files\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\!!!READ_ME_MEDUSA!!!.txt	gaze.exe
File opened for modification	C:\Program Files\Windows Media Player\mpvis.DLL	gaze.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.ELM	gaze.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui	gaze.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG	gaze.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_it.properties	gaze.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guyana	gaze.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Interacts with shadow copies 3 TTPs 6 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4632	vssadmin.exe
4696	vssadmin.exe
4792	vssadmin.exe
4816	vssadmin.exe
4852	vssadmin.exe
4928	vssadmin.exe

Kills process with taskkill 44 IoCs

defense_evasion

pid	Process
4184	taskkill.exe
4556	taskkill.exe
4796	taskkill.exe
4224	taskkill.exe
4420	taskkill.exe
3344	taskkill.exe
4144	taskkill.exe
4596	taskkill.exe
4956	taskkill.exe
4352	taskkill.exe
4516	taskkill.exe
4228	taskkill.exe
4636	taskkill.exe
4836	taskkill.exe
5076	taskkill.exe
4116	taskkill.exe
4300	taskkill.exe
3648	taskkill.exe
3540	taskkill.exe
4364	taskkill.exe
4500	taskkill.exe
3536	taskkill.exe
4312	taskkill.exe
4524	taskkill.exe
3208	taskkill.exe
4016	taskkill.exe
4392	taskkill.exe
4476	taskkill.exe
4716	taskkill.exe
3960	taskkill.exe
4268	taskkill.exe
4104	taskkill.exe
4756	taskkill.exe
4996	taskkill.exe
3396	taskkill.exe
3316	taskkill.exe
4452	taskkill.exe
4084	taskkill.exe
4432	taskkill.exe
4876	taskkill.exe
4916	taskkill.exe
5036	taskkill.exe
3132	taskkill.exe
4676	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	3540	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	3316	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	4392	taskkill.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	4556	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	4836	taskkill.exe
Token: SeDebugPrivilege	4876	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	4500	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeBackupPrivilege	4668	vssvc.exe
Token: SeRestorePrivilege	4668	vssvc.exe
Token: SeAuditPrivilege	4668	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1508	2700	gaze.exe	31
PID 2700 wrote to memory of 1508	2700	gaze.exe	31
PID 2700 wrote to memory of 1508	2700	gaze.exe	31
PID 2700 wrote to memory of 1508	2700	gaze.exe	31
PID 1508 wrote to memory of 2728	1508	net.exe	33
PID 1508 wrote to memory of 2728	1508	net.exe	33
PID 1508 wrote to memory of 2728	1508	net.exe	33
PID 1508 wrote to memory of 2728	1508	net.exe	33
PID 2700 wrote to memory of 2796	2700	gaze.exe	34
PID 2700 wrote to memory of 2796	2700	gaze.exe	34
PID 2700 wrote to memory of 2796	2700	gaze.exe	34
PID 2700 wrote to memory of 2796	2700	gaze.exe	34
PID 2796 wrote to memory of 2820	2796	net.exe	36
PID 2796 wrote to memory of 2820	2796	net.exe	36
PID 2796 wrote to memory of 2820	2796	net.exe	36
PID 2796 wrote to memory of 2820	2796	net.exe	36
PID 2700 wrote to memory of 2944	2700	gaze.exe	37
PID 2700 wrote to memory of 2944	2700	gaze.exe	37
PID 2700 wrote to memory of 2944	2700	gaze.exe	37
PID 2700 wrote to memory of 2944	2700	gaze.exe	37
PID 2944 wrote to memory of 2600	2944	net.exe	39
PID 2944 wrote to memory of 2600	2944	net.exe	39
PID 2944 wrote to memory of 2600	2944	net.exe	39
PID 2944 wrote to memory of 2600	2944	net.exe	39
PID 2700 wrote to memory of 2868	2700	gaze.exe	40
PID 2700 wrote to memory of 2868	2700	gaze.exe	40
PID 2700 wrote to memory of 2868	2700	gaze.exe	40
PID 2700 wrote to memory of 2868	2700	gaze.exe	40
PID 2868 wrote to memory of 2884	2868	net.exe	42
PID 2868 wrote to memory of 2884	2868	net.exe	42
PID 2868 wrote to memory of 2884	2868	net.exe	42
PID 2868 wrote to memory of 2884	2868	net.exe	42
PID 2700 wrote to memory of 2792	2700	gaze.exe	43
PID 2700 wrote to memory of 2792	2700	gaze.exe	43
PID 2700 wrote to memory of 2792	2700	gaze.exe	43
PID 2700 wrote to memory of 2792	2700	gaze.exe	43
PID 2792 wrote to memory of 2572	2792	net.exe	45
PID 2792 wrote to memory of 2572	2792	net.exe	45
PID 2792 wrote to memory of 2572	2792	net.exe	45
PID 2792 wrote to memory of 2572	2792	net.exe	45
PID 2700 wrote to memory of 2580	2700	gaze.exe	46
PID 2700 wrote to memory of 2580	2700	gaze.exe	46
PID 2700 wrote to memory of 2580	2700	gaze.exe	46
PID 2700 wrote to memory of 2580	2700	gaze.exe	46
PID 2580 wrote to memory of 2640	2580	net.exe	48
PID 2580 wrote to memory of 2640	2580	net.exe	48
PID 2580 wrote to memory of 2640	2580	net.exe	48
PID 2580 wrote to memory of 2640	2580	net.exe	48
PID 2700 wrote to memory of 2736	2700	gaze.exe	49
PID 2700 wrote to memory of 2736	2700	gaze.exe	49
PID 2700 wrote to memory of 2736	2700	gaze.exe	49
PID 2700 wrote to memory of 2736	2700	gaze.exe	49
PID 2736 wrote to memory of 2608	2736	net.exe	51
PID 2736 wrote to memory of 2608	2736	net.exe	51
PID 2736 wrote to memory of 2608	2736	net.exe	51
PID 2736 wrote to memory of 2608	2736	net.exe	51
PID 2700 wrote to memory of 2364	2700	gaze.exe	52
PID 2700 wrote to memory of 2364	2700	gaze.exe	52
PID 2700 wrote to memory of 2364	2700	gaze.exe	52
PID 2700 wrote to memory of 2364	2700	gaze.exe	52
PID 2364 wrote to memory of 1732	2364	net.exe	54
PID 2364 wrote to memory of 1732	2364	net.exe	54
PID 2364 wrote to memory of 1732	2364	net.exe	54
PID 2364 wrote to memory of 1732	2364	net.exe	54

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\gaze.exe
"C:\Users\Admin\AppData\Local\Temp\gaze.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\net.exe
  net stop "Acronis VSS Provider" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:2728
- C:\Windows\SysWOW64\net.exe
  net stop "Enterprise Client Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:2820
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Agent" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:2600
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos AutoUpdate Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:2884
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Clean Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:2572
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Device Control Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:2640
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos File Scanner Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:2608
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Health Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Agent" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Client" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:1816
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Message Router" /y
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:1680
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Safestore Service" /y
  2⤵
  PID:2284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:1904
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos System Protection Service" /y
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:1248
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Web Control Service" /y
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:1316
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Backup Service" /y
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:936
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Filter Service" /y
  2⤵
  PID:288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    PID:2252
- C:\Windows\SysWOW64\net.exe
  net stop "Symantec System Recovery" /y
  2⤵
  PID:624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:592
- C:\Windows\SysWOW64\net.exe
  net stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:1096
- C:\Windows\SysWOW64\net.exe
  net stop "AcronisAgent" /y
  2⤵
  PID:796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcronisAgent" /y
    3⤵
    PID:2028
- C:\Windows\SysWOW64\net.exe
  net stop "AcrSch2Svc" /y
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcrSch2Svc" /y
    3⤵
    PID:2136
- C:\Windows\SysWOW64\net.exe
  net stop "Antivirus" /y
  2⤵
  PID:2412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Antivirus" /y
    3⤵
    PID:2224
- C:\Windows\SysWOW64\net.exe
  net stop "ARSM" /y
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ARSM" /y
    3⤵
    PID:2416
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentAccelerator" /y
  2⤵
  PID:2180
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
    3⤵
    PID:2368
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentBrowser" /y
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y
    3⤵
    PID:1232
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecDeviceMediaService" /y
  2⤵
  PID:632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
    3⤵
    PID:2932
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecJobEngine" /y
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
    3⤵
    PID:404
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecManagementService" /y
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecManagementService" /y
    3⤵
    PID:272
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecRPCService" /y
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecRPCService" /y
    3⤵
    PID:1708
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecVSSProvider" /y
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:352
- C:\Windows\SysWOW64\net.exe
  net stop "bedbg" /y
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "bedbg" /y
    3⤵
    PID:1868
- C:\Windows\SysWOW64\net.exe
  net stop "DCAgent" /y
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "DCAgent" /y
    3⤵
    PID:888
- C:\Windows\SysWOW64\net.exe
  net stop "EPSecurityService" /y
  2⤵
  PID:828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPSecurityService" /y
    3⤵
    PID:1080
- C:\Windows\SysWOW64\net.exe
  net stop "EPUpdateService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPUpdateService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1520
- C:\Windows\SysWOW64\net.exe
  net stop "EraserSvc11710" /y
  2⤵
  PID:2396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EraserSvc11710" /y
    3⤵
    PID:1784
- C:\Windows\SysWOW64\net.exe
  net stop "EsgShKernel" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EsgShKernel" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1756
- C:\Windows\SysWOW64\net.exe
  net stop "FA_Scheduler" /y
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "FA_Scheduler" /y
    3⤵
    PID:1884
- C:\Windows\SysWOW64\net.exe
  net stop "IISAdmin" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISAdmin" /y
    3⤵
    PID:1880
- C:\Windows\SysWOW64\net.exe
  net stop "IMAP4Svc" /y
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IMAP4Svc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
- C:\Windows\SysWOW64\net.exe
  net stop "macmnsvc" /y
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "macmnsvc" /y
    3⤵
    PID:2356
- C:\Windows\SysWOW64\net.exe
  net stop "masvc" /y
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "masvc" /y
    3⤵
    PID:1856
- C:\Windows\SysWOW64\net.exe
  net stop "MBAMService" /y
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBAMService" /y
    3⤵
    PID:1976
- C:\Windows\SysWOW64\net.exe
  net stop "MBEndpointAgent" /y
  2⤵
  PID:308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBEndpointAgent" /y
    3⤵
    PID:1044
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeEngineService" /y
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeEngineService" /y
    3⤵
    PID:2436
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFramework" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1072
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFramework" /y
    3⤵
    PID:1064
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFrameworkMcAfeeFramework" /y
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y
    3⤵
    PID:1636
- C:\Windows\SysWOW64\net.exe
  net stop "McShield" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Windows\SysWOW64\net.exe
  net stop "McTaskManager" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McTaskManager" /y
    3⤵
    PID:1176
- C:\Windows\SysWOW64\net.exe
  net stop "mfemms" /y
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfemms" /y
    3⤵
    PID:2876
- C:\Windows\SysWOW64\net.exe
  net stop "mfevtp" /y
  2⤵
  PID:2892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfevtp" /y
    3⤵
    PID:2800
- C:\Windows\SysWOW64\net.exe
  net stop "MMS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MMS" /y
    3⤵
    PID:2620
- C:\Windows\SysWOW64\net.exe
  net stop "mozyprobackup" /y
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mozyprobackup" /y
    3⤵
    PID:2684
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer" /y
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer" /y
    3⤵
    PID:2072
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer100" /y
  2⤵
  PID:2308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer100" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:392
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer110" /y
  2⤵
  PID:2304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer110" /y
    3⤵
    PID:1984
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeES" /y
  2⤵
  PID:2060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeES" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeIS" /y
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeIS" /y
    3⤵
    PID:580
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMGMT" /y
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
    3⤵
    PID:2256
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMTA" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMTA" /y
    3⤵
    PID:2204
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSA" /y
  2⤵
  PID:480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSA" /y
    3⤵
    PID:2052
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSRS" /y
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSRS" /y
    3⤵
    PID:1956
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SQL_2008" /y
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
    3⤵
    PID:3024
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SYSTEM_BGC" /y
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
    3⤵
    PID:1056
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPS" /y
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
    3⤵
    PID:2940
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPSAMA" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
    3⤵
    PID:2004
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$BKUPEXEC" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1840
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$ECWDB2" /y
  2⤵
  PID:764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
    3⤵
    PID:2712
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTICEMGT" /y
  2⤵
  PID:684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
    3⤵
    PID:1000
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTTICEBGC" /y
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2392
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROFXENGAGEMENT" /y
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
    3⤵
    PID:1060
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SBSMONITORING" /y
  2⤵
  PID:608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
    3⤵
    PID:1212
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SHAREPOINT" /y
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
    3⤵
    PID:2324
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQL_2008" /y
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
    3⤵
    PID:1760
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SYSTEM_BGC" /y
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
    3⤵
    PID:1776
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPS" /y
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPS" /y
    3⤵
    PID:872
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPSAMA" /y
  2⤵
  PID:868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:2588
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2012" /y
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher" /y
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
    3⤵
    PID:2084
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
    3⤵
    PID:2064
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SBSMONITORING" /y
  2⤵
  PID:2164
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
    3⤵
    PID:1468
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SHAREPOINT" /y
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
    3⤵
    PID:2260
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SQL_2008" /y
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
    3⤵
    PID:2024
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SYSTEM_BGC" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
    3⤵
    PID:1308
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
    3⤵
    PID:444
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPSAMA" /y
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
    3⤵
    PID:1644
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLSERVER" /y
  2⤵
  PID:960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLSERVER" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2100
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper100" /y
  2⤵
  PID:1376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2520
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerOLAPService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1536
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
    3⤵
    PID:1564
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL80" /y
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL80" /y
    3⤵
    PID:2400
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL57" /y
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL57" /y
    3⤵
    PID:2156
- C:\Windows\SysWOW64\net.exe
  net stop "ntrtscan" /y
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ntrtscan" /y
    3⤵
    PID:1584
- C:\Windows\SysWOW64\net.exe
  net stop "OracleClientCache80" /y
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "OracleClientCache80" /y
    3⤵
    PID:2612
- C:\Windows\SysWOW64\net.exe
  net stop "PDVFSService" /y
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "PDVFSService" /y
    3⤵
    PID:2556
- C:\Windows\SysWOW64\net.exe
  net stop "POP3Svc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "POP3Svc" /y
    3⤵
    PID:1808
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer" /y
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer" /y
    3⤵
    PID:2120
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SQL_2008" /y
  2⤵
  PID:968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
    3⤵
    PID:2404
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SYSTEM_BGC" /y
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPS" /y
  2⤵
  PID:876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPS" /y
    3⤵
    PID:3056
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPSAMA" /y
  2⤵
  PID:636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
    3⤵
    PID:2456
- C:\Windows\SysWOW64\net.exe
  net stop "RESvc" /y
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "RESvc" /y
    3⤵
    PID:984
- C:\Windows\SysWOW64\net.exe
  net stop "sacsvr" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sacsvr" /y
    3⤵
    PID:2760
- C:\Windows\SysWOW64\net.exe
  net stop "SamSs" /y
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:2924
- C:\Windows\SysWOW64\net.exe
  net stop "SAVAdminService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVAdminService" /y
    3⤵
    PID:1648
- C:\Windows\SysWOW64\net.exe
  net stop "SAVService" /y
  2⤵
  PID:2172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVService" /y
    3⤵
    PID:2212
- C:\Windows\SysWOW64\net.exe
  net stop "SDRSVC" /y
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:1720
- C:\Windows\SysWOW64\net.exe
  net stop "SepMasterService" /y
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SepMasterService" /y
    3⤵
    PID:2680
- C:\Windows\SysWOW64\net.exe
  net stop "ShMonitor" /y
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ShMonitor" /y
    3⤵
    PID:2376
- C:\Windows\SysWOW64\net.exe
  net stop "Smcinst" /y
  2⤵
  PID:772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Smcinst" /y
    3⤵
    PID:2240
- C:\Windows\SysWOW64\net.exe
  net stop "SmcService" /y
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SmcService" /y
    3⤵
    PID:748
- C:\Windows\SysWOW64\net.exe
  net stop "SMTPSvc" /y
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SMTPSvc" /y
    3⤵
    PID:2300
- C:\Windows\SysWOW64\net.exe
  net stop "SNAC" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SNAC" /y
    3⤵
    PID:3064
- C:\Windows\SysWOW64\net.exe
  net stop "SntpService" /y
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SntpService" /y
    3⤵
    PID:2948
- C:\Windows\SysWOW64\net.exe
  net stop "sophossps" /y
  2⤵
  PID:3080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sophossps" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3100
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$BKUPEXEC" /y
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
    3⤵
    PID:3128
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$ECWDB2" /y
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
    3⤵
    PID:3156
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEBGC" /y
  2⤵
  PID:3164
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
    3⤵
    PID:3184
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEMGT" /y
  2⤵
  PID:3192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
    3⤵
    PID:3212
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROFXENGAGEMENT" /y
  2⤵
  PID:3220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
    3⤵
    PID:3240
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SBSMONITORING" /y
  2⤵
  PID:3248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3268
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SHAREPOINT" /y
  2⤵
  PID:3276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
    3⤵
    PID:3296
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQL_2008" /y
  2⤵
  PID:3304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
    3⤵
    PID:3324
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SYSTEM_BGC" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
    3⤵
    PID:3352
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3380
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPSAMA" /y
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
    3⤵
    PID:3408
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:3436
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2012" /y
  2⤵
  PID:3444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
    3⤵
    PID:3464
- C:\Windows\SysWOW64\net.exe
  net stop "SQLBrowser" /y
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLBrowser" /y
    3⤵
    PID:3492
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSafeOLRService" /y
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
    3⤵
    PID:3520
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSERVERAGENT" /y
  2⤵
  PID:3528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
    3⤵
    PID:3548
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY" /y
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
    3⤵
    PID:3576
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY$ECWDB2" /y
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y
    3⤵
    PID:3604
- C:\Windows\SysWOW64\net.exe
  net stop "SQLWriter" /y
  2⤵
  PID:3612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLWriter" /y
    3⤵
    PID:3632
- C:\Windows\SysWOW64\net.exe
  net stop "SstpSvc" /y
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:3660
- C:\Windows\SysWOW64\net.exe
  net stop "svcGenericHost" /y
  2⤵
  PID:3668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "svcGenericHost" /y
    3⤵
    PID:3688
- C:\Windows\SysWOW64\net.exe
  net stop "swi_filter" /y
  2⤵
  PID:3696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_filter" /y
    3⤵
    PID:3716
- C:\Windows\SysWOW64\net.exe
  net stop "swi_service" /y
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_service" /y
    3⤵
    PID:3744
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update_64" /y
  2⤵
  PID:3752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update_64" /y
    3⤵
    PID:3772
- C:\Windows\SysWOW64\net.exe
  net stop "TmCCSF" /y
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TmCCSF" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3800
- C:\Windows\SysWOW64\net.exe
  net stop "tmlisten" /y
  2⤵
  PID:3808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "tmlisten" /y
    3⤵
    PID:3828
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKey" /y
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKey" /y
    3⤵
    PID:3856
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyScheduler" /y
  2⤵
  PID:3864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyScheduler" /y
    3⤵
    PID:3884
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyServiceHelper" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y
    3⤵
    PID:3912
- C:\Windows\SysWOW64\net.exe
  net stop "UI0Detect" /y
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3940
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBackupSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
    3⤵
    PID:3968
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBrokerSvc" /y
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y
    3⤵
    PID:3996
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCatalogSvc" /y
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
    3⤵
    PID:4024
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCloudSvc" /y
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
    3⤵
    PID:4052
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploymentService" /y
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploymentService" /y
    3⤵
    PID:4080
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploySvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploySvc" /y
    3⤵
    PID:3092
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamEnterpriseManagerSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
    3⤵
    PID:3116
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamMountSvc" /y
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamMountSvc" /y
    3⤵
    PID:3180
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamNFSSvc" /y
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
    3⤵
    PID:3244
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamRESTSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
    3⤵
    PID:3288
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamTransportSvc" /y
  2⤵
  PID:3292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamTransportSvc" /y
    3⤵
    PID:3312
- C:\Windows\SysWOW64\net.exe
  net stop "W3Svc" /y
  2⤵
  PID:3356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "W3Svc" /y
    3⤵
    PID:3376
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3400
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:3440
- C:\Windows\SysWOW64\net.exe
  net stop "WRSVC" /y
  2⤵
  PID:3424
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WRSVC" /y
    3⤵
    PID:3484
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:3508
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:3552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:3572
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamHvIntegrationSvc" /y
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3636
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update" /y
    3⤵
    PID:3680
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CXDB" /y
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
    3⤵
    PID:3704
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CITRIX_METAFRAME" /y
  2⤵
  PID:3748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
    3⤵
    PID:3768
- C:\Windows\SysWOW64\net.exe
  net stop "SQL Backups" /y
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    PID:3832
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROD" /y
  2⤵
  PID:3816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROD" /y
    3⤵
    PID:3876
- C:\Windows\SysWOW64\net.exe
  net stop "Zoolz 2 Service" /y
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    PID:3900
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper" /y
  2⤵
  PID:3944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
    3⤵
    PID:3964
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROD" /y
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
    3⤵
    PID:4028
- C:\Windows\SysWOW64\net.exe
  net stop "msftesql$PROD" /y
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "msftesql$PROD" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4072
- C:\Windows\SysWOW64\net.exe
  net stop "NetMsmqActivator" /y
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:3076
- C:\Windows\SysWOW64\net.exe
  net stop "EhttpSrv" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EhttpSrv" /y
    3⤵
    PID:3188
- C:\Windows\SysWOW64\net.exe
  net stop "ekrn" /y
  2⤵
  PID:3200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ekrn" /y
    3⤵
    PID:3300
- C:\Windows\SysWOW64\net.exe
  net stop "ESHASRV" /y
  2⤵
  PID:3272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ESHASRV" /y
    3⤵
    PID:3372
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SOPHOS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
    3⤵
    PID:3404
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SOPHOS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
    3⤵
    PID:3516
- C:\Windows\SysWOW64\net.exe
  net stop "AVP" /y
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AVP" /y
    3⤵
    PID:3628
- C:\Windows\SysWOW64\net.exe
  net stop "klnagent" /y
  2⤵
  PID:3600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "klnagent" /y
    3⤵
    PID:3720
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQLEXPRESS" /y
  2⤵
  PID:3712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3732
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQLEXPRESS" /y
  2⤵
  PID:3824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3844
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:3956
- C:\Windows\SysWOW64\net.exe
  net stop "kavfsslp" /y
  2⤵
  PID:3928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "kavfsslp" /y
    3⤵
    PID:4048
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFSGT" /y
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFSGT" /y
    3⤵
    PID:2888
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFS" /y
    3⤵
    PID:3264
- C:\Windows\SysWOW64\net.exe
  net stop "mfefire" /y
  2⤵
  PID:3320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfefire" /y
    3⤵
    PID:3460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM zoolz.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM agntsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbeng50.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbsnmp.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM encsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM excel.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefoxconfig.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM infopath.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM isqlplussvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msaccess.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msftesql.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mspub.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopqos.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopservice.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-nt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-opt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocautoupds.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocomm.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocssd.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM onenote.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM oracle.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM outlook.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM powerpnt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqbcoreservice.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlagent.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlbrowser.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlservr.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlwriter.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM steam.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM synctime.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tbirdconfig.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat64.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thunderbird.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM visio.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM winword.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM wordpad.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM xfssvccon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tmlisten.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM PccNTMon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM CNTAoSMgr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM Ntrtscan.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mbamtray.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4632
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4696
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4792
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Interacts with shadow copies
  PID:4816
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4852
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4928

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:5100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact